Header-based authentication with Azure Active Directory

Legacy applications commonly use header-based authentication. In this scenario, a user (or message originator) authenticates to an intermediary identity solution. The intermediary solution authenticates the user and propagates the required Hypertext Transfer Protocol (HTTP) headers to the destination web service. Azure Active Directory (AD) supports this pattern via its Application Proxy service and through integrations with other network controller solutions.

In our solution, Application Proxy provides remote access to the application, authenticates the user, and passes the headers required by the application.

Use when

Remote users need to securely single sign-on (SSO) into on-premises applications that require header-based authentication.

Architecture diagram of header-based authentication

Components of the system

  • User: Accesses legacy applications served by Application Proxy.

  • Web browser: The component that the user interacts with to access the external URL of the application.

  • Azure AD: Authenticates the user.

  • Application Proxy service: Acts as a reverse proxy to send requests from the user to the on-premises application. It resides in Azure AD and can also enforce any conditional access policies.

  • Application Proxy connector: Installed on-premises on Windows servers to provide connectivity to the applications. It only uses outbound connections. It returns the response to Azure AD.

  • Legacy applications: Applications that receive user requests from Application Proxy. The legacy application receives the required HTTP headers to set up a session and returns a response.
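To make the trust boundary in this topology concrete, here is an added example (not code from the Azure AD documentation or from Application Proxy itself) of how the legacy application can accept identity headers only when the request arrived through the connector path rather than directly from a client. The header names, connector subnet and shared secret are assumptions chosen for illustration.

```python
# Added example, not from the Azure AD documentation: a legacy application
# should treat proxy-injected identity headers as trustworthy only when the
# request demonstrably came through Application Proxy. Two independent checks
# are applied: the TCP peer must be a connector host, and the request must carry
# a secret the proxy is configured to inject. Everything below is an assumption.
from dataclasses import dataclass
import hmac
from ipaddress import ip_address, ip_network

# Assumed: the subnet on which the Application Proxy connector hosts live.
TRUSTED_CONNECTOR_NETWORKS = [ip_network("10.0.5.0/24")]
# Assumed: a secret configured out of band and injected by the proxy into every
# request, so a client that reaches the application directly cannot forge it.
SHARED_SECRET = b"example-shared-secret-configured-out-of-band"
# Assumed header names; these are not Application Proxy defaults.
USER_HEADER = "x-authenticated-user"
SECRET_HEADER = "x-proxy-secret"


@dataclass
class Identity:
    user: str


def identity_from_request(headers: dict, remote_addr: str):
    """Return the asserted Identity, or None if the request is not trustworthy.

    headers     -- HTTP request headers (any case); remote_addr -- TCP peer IP.
    A None result means the caller must fail closed with an authentication
    error instead of starting a session from the headers.
    """
    # Header names are case-insensitive in HTTP, so normalise before lookup.
    norm = {k.lower(): v for k, v in headers.items()}
    try:
        peer = ip_address(remote_addr)
    except ValueError:
        return None
    # Check 1: the connection must originate from a connector host.
    if not any(peer in net for net in TRUSTED_CONNECTOR_NETWORKS):
        return None
    # Check 2: the proxy-injected secret must match (constant-time compare).
    presented = norm.get(SECRET_HEADER, "").encode()
    if not hmac.compare_digest(presented, SHARED_SECRET):
        return None
    user = norm.get(USER_HEADER, "").strip()
    if not user:
        return None
    return Identity(user=user)
```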

Implement header-based authentication with Azure AD