Azure Active Directory 無縫單一登入Azure Active Directory Seamless Single Sign-On

何謂 Azure Active Directory 無縫單一登入?What is Azure Active Directory Seamless Single Sign-On?

使用者位於連線到公司網路的公司裝置時,Azure Active Directory 無縫單一登入 (Azure AD 無縫 SSO) 就會自動將他們登入。Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. 當此功能啟用時,使用者不需要輸入密碼就能登入 Azure AD,而且在大部分情況下,甚至也不用輸入其使用者名稱。When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. 這項功能可讓使用者輕鬆存取雲端式應用程式,而不需要任何額外的內部部署元件。This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

無縫 SSO 可以與密碼雜湊同步處理傳遞驗證登入方法合併使用。Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods. 無縫 SSO 不適用於 Active Directory 同盟服務 (ADFS) 。Seamless SSO is not applicable to Active Directory Federation Services (ADFS).

無縫單一登入

重要

無縫 SSO 需要將使用者的裝置加入網域,但不需要將裝置加入 Azure ADSeamless SSO needs the user's device to be domain-joined, but doesn't need for the device to be Azure AD Joined.

主要權益Key benefits

  • 良好的使用者體驗 Great user experience
    • 使用者會自動登入內部部署和雲端式應用程式。Users are automatically signed into both on-premises and cloud-based applications.
    • 使用者不需要重複輸入其密碼。Users don't have to enter their passwords repeatedly.
  • 容易部署和管理 Easy to deploy & administer
    • 在內部部署上不需要任何其他元件,即可進行這項工作。No additional components needed on-premises to make this work.
    • 與任何雲端驗證方法搭配運作:密碼雜湊同步處理傳遞驗證Works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication.
    • 可以推出給使用群組原則的一部分使用者或所有使用者。Can be rolled out to some or all your users using Group Policy.
    • 可透過 Azure AD 註冊非 Windows 10 裝置,無需任何的 AD FS 基礎結構。Register non-Windows 10 devices with Azure AD without the need for any AD FS infrastructure. 此功能需要使用 2.1 版或更新版本的加入工作場所用戶端This capability needs you to use version 2.1 or later of the workplace-join client.

功能要點Feature highlights

  • 登入使用者名稱可以是內部部署的預設使用者名稱 (userPrincipalName),或在 Azure AD Connect 中設定的另一個屬性 (Alternate ID)。Sign-in username can be either the on-premises default username (userPrincipalName) or another attribute configured in Azure AD Connect (Alternate ID). 兩種使用案例均可行,因為無縫 SSO 在 Kerberos 票證中使用 securityIdentifier 宣告在 Azure AD 中查詢對應的使用者物件。Both use cases work because Seamless SSO uses the securityIdentifier claim in the Kerberos ticket to look up the corresponding user object in Azure AD.
  • 無縫 SSO 是一種靈活變換的功能。Seamless SSO is an opportunistic feature. 如果因任何原因而失敗,使用者登入體驗會改回其一般行為;亦即,使用者必須在登入頁面上輸入密碼。If it fails for any reason, the user sign-in experience goes back to its regular behavior - i.e, the user needs to enter their password on the sign-in page.
  • 如果應用程式 (例如https://myapps.microsoft.com/contoso.com) 轉送domain_hint(OpenID Connect) 或whr(SAML) 參數來識別您的租用戶或login_hint參數來識別使用者,使用者會在其 Azure AD 登入要求,會自動登入,不需要輸入使用者名稱或密碼。If an application (for example, https://myapps.microsoft.com/contoso.com) forwards a domain_hint (OpenID Connect) or whr (SAML) parameter - identifying your tenant, or login_hint parameter - identifying the user, in its Azure AD sign-in request, users are automatically signed in without them entering usernames or passwords.
  • 使用者也獲得無訊息登入體驗,如果應用程式 (例如https://contoso.sharepoint.com) 將登入要求傳送至 Azure AD 的端點設定為租用戶-也就是https://login.microsoftonline.com/contoso.com/<..>或是https://login.microsoftonline.com/<tenant_ID>/<..>-而不是 Azure AD 常見端點時-也就是https://login.microsoftonline.com/common/<...>.Users also get a silent sign-on experience if an application (for example, https://contoso.sharepoint.com) sends sign-in requests to Azure AD's endpoints set up as tenants - that is, https://login.microsoftonline.com/contoso.com/<..> or https://login.microsoftonline.com/<tenant_ID>/<..> - instead of Azure AD's common endpoint - that is, https://login.microsoftonline.com/common/<...>.
  • 支援登出。Sign out is supported. 這可讓使用者選擇使用另一個 Azure AD 帳戶來進行登入,而不自動使用「無縫 SSO」來自動登入。This allows users to choose another Azure AD account to sign in with, instead of being automatically signed in using Seamless SSO automatically.
  • 使用非互動式流程,來支援 Office 365 Win32 用戶端 (Outlook、Word、Excel 和其他產品) 16.0.8730.xxxx 版和更新版本。Office 365 Win32 clients (Outlook, Word, Excel, and others) with versions 16.0.8730.xxxx and above are supported using a non-interactive flow. 針對 OneDrive,您必須啟用 OneDrive 無訊息設定功能 (英文) 以獲得無訊息登入體驗。For OneDrive, you will have to activate the OneDrive silent config feature for a silent sign-on experience.
  • 您可以透過 Azure AD Connect 啟用它。It can be enabled via Azure AD Connect.
  • 這是免費功能,您不需要任何付費的 Azure AD 版本即可使用。It is a free feature, and you don't need any paid editions of Azure AD to use it.
  • 它是在能夠使用 Kerberos 驗證的平台和瀏覽器上,支援新式驗證的網頁瀏覽器型用戶端和 Office 用戶端來支援:It is supported on web browser-based clients and Office clients that support modern authentication on platforms and browsers capable of Kerberos authentication:
作業系統\瀏覽器OS\Browser Internet ExplorerInternet Explorer Microsoft EdgeMicrosoft Edge Google ChromeGoogle Chrome Mozilla FirefoxMozilla Firefox SafariSafari
Windows 10Windows 10 是*Yes* No Yes 是***Yes*** N/AN/A
Windows 8.1Windows 8.1 是*Yes* N/AN/A Yes 是***Yes*** N/AN/A
Windows 8Windows 8 是*Yes* N/AN/A Yes 是***Yes*** N/AN/A
Windows 7Windows 7 是*Yes* N/AN/A Yes 是***Yes*** N/AN/A
Windows Server 2012 R2 或更新版本Windows Server 2012 R2 or above 是**Yes** N/AN/A Yes 是***Yes*** N/AN/A
Mac OS XMac OS X N/AN/A N/AN/A 是***Yes*** 是***Yes*** 是***Yes***

*需要 Internet Explorer 第 10 版或更新版本*Requires Internet Explorer versions 10 or above

**需要 Internet Explorer 第 10 版或更新版本。**Requires Internet Explorer versions 10 or above. 停用增強保護模式Disable Enhanced Protected Mode

***需要其他設定***Requires additional configuration

注意

對於 Windows 10,建議使用 Azure AD Join 以獲得 Azure AD 最佳單一登入體驗。For Windows 10, the recommendation is to use Azure AD Join for the optimal single sign-on experience with Azure AD.

後續步驟Next steps