SAML single sign-on for on-premises applications with Application Proxy

You can provide single sign-on (SSO) to on-premises applications that are secured with SAML authentication and provide remote access to these applications through Application Proxy. With SAML single sign-on, Azure Active Directory (Azure AD) authenticates to the application by using the user's Azure AD account. Azure AD communicates the sign-on information to the application through a connection protocol. You can also map users to specific application roles based on rules you define in your SAML claims. By enabling Application Proxy in addition to SAML SSO, your users will have external access to the application and a seamless SSO experience.

The applications must be able to consume SAML tokens issued by Azure Active Directory. This configuration doesn't apply to applications using an on-premises identity provider. For these scenarios, we recommend reviewing Resources for migrating applications to Azure AD.

SAML SSO with Application Proxy also works with the SAML token encryption feature. For more information, see Configure Azure AD SAML token encryption.

The protocol diagrams below describe the single sign-on sequence for both a service provider-initiated (SP-initiated) flow and an identity provider-initiated (IdP-initiated) flow. Application Proxy works with SAML SSO by caching the SAML request and response to and from the on-premises application.

[Protocol diagrams: SAML SP flow (SP-initiated and IdP-initiated single sign-on sequences)]

Create an application and set up SAML SSO

  1. In the Azure portal, select Azure Active Directory > Enterprise applications and select New application.

  2. Under Add your own app, select Non-gallery application.

  3. Enter the display name for your new application, and then select Add.

  4. On the app's Overview page, select Single sign-on.

  5. Select SAML as the single sign-on method.

  6. First set up SAML SSO to work while on the corporate network. In the Set up Single Sign-On with SAML page, go to the Basic SAML Configuration heading and select its Edit icon (a pencil). Follow the steps in Enter basic SAML configuration to configure SAML-based authentication for the application.

  7. Add at least one user to the application and make sure the test account has access to the application. While connected to the corporate network, use the test account to see if you have single sign-on to the application.

    Note

    After you set up Application Proxy, you'll come back and update the SAML Reply URL.

Publish the on-premises application with Application Proxy

Before you can provide SSO for on-premises applications, you need to enable Application Proxy and install a connector. See the tutorial Add an on-premises application for remote access through Application Proxy in Azure AD to learn how to prepare your on-premises environment, install and register a connector, and test the connector. Then follow these steps to publish your new application with Application Proxy. For other settings not mentioned below, refer to the Add an on-premises app to Azure AD section in the tutorial.

  1. With the application still open in the Azure portal, select Application Proxy. Provide the Internal URL for the application. If you're using a custom domain, you also need to upload the SSL certificate for your application.

    Note

    As a best practice, use custom domains whenever possible for an optimized user experience. Learn more about Working with custom domains in Azure AD Application Proxy.

  2. Select Azure Active Directory as the Pre Authentication method for your application.

  3. Copy the External URL for the application. You'll need this URL to complete the SAML configuration.

  4. Using the test account, try to open the application with the External URL to validate that Application Proxy is set up correctly. If there are issues, see Troubleshoot Application Proxy problems and error messages.

Update the SAML configuration

  1. With the application still open in the Azure portal, select Single sign-on.

  2. In the Set up Single Sign-On with SAML page, go to the Basic SAML Configuration heading and select its Edit icon (a pencil). The External URL you configured in Application Proxy automatically populates the Identifier, Reply URL, and Logout URL fields. Don't edit these URLs because they are required for Application Proxy to work correctly.

  3. Edit the Reply URL configured earlier so that its domain is reachable by Application Proxy. For example, if your External URL is https://contosotravel-f128.msappproxy.net and the original Reply URL was https://contosotravel.com/acs, you'll need to update the original Reply URL to https://contosotravel-f128.msappproxy.net/acs.

    [Screenshot: Enter basic SAML configuration data]

  4. Select the checkbox next to the updated Reply URL to mark it as the default.

    • If the required Reply URL is already listed, mark this Reply URL as default and delete the previously configured Reply URL.

    • For an SP-initiated flow, make sure the back-end application specifies the correct Reply URL or Assertion Consumer Service URL for receiving the authentication token.

    Note

    If the back-end application expects the Reply URL to be the Internal URL, you'll need to either use custom domains to have matching internal and external URLs or install the My Apps secure sign-in extension on users' devices. This extension will automatically redirect to the appropriate Application Proxy service. To install the extension, see My Apps secure sign-in extension.
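The Reply URL rewrite in step 3 is easy to get wrong by hand when the back-end application publishes more than one Assertion Consumer Service endpoint. The following added example (not part of this article and not Microsoft code) reads the service provider's SAML metadata, checks whether each Assertion Consumer Service location is already on the External URL's host (the custom-domain case, where nothing needs to change), and otherwise produces the Reply URL you would enter in Basic SAML Configuration by moving the path onto the External URL. The metadata document and the External URL are constructed sample values that mirror the contosotravel example above.

```python
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

# Constructed sample input: the External URL that Application Proxy assigned to the
# published app, and the SP metadata the on-premises app exposed before proxying.
EXTERNAL_URL = "https://contosotravel-f128.msappproxy.net"
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://contosotravel.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://contosotravel.com/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def acs_locations(metadata_xml):
    """Return every AssertionConsumerService Location declared in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [
        acs.get("Location")
        for acs in root.iterfind(".//md:AssertionConsumerService", MD_NS)
    ]


def reply_url_reachable(external_url, reply_url):
    """True when the Reply URL already lives on the External URL's host.

    With a custom domain the internal and external hosts match, so the Reply URL
    the back end expects is already reachable through Application Proxy.
    """
    return urlsplit(external_url).netloc.lower() == urlsplit(reply_url).netloc.lower()


def rewrite_reply_url(external_url, reply_url):
    """Build the Reply URL to enter in Azure AD: External URL host + original path."""
    ext = urlsplit(external_url)
    rep = urlsplit(reply_url)
    if rep.scheme != "https":
        # Azure AD only posts SAML responses to HTTPS endpoints; refuse to rewrite
        # anything else rather than silently producing an unusable value.
        raise ValueError(f"Reply URL must use https, got {reply_url!r}")
    # Keep the path and query of the original ACS endpoint; drop any fragment.
    return urlunsplit((ext.scheme, ext.netloc, rep.path, rep.query, ""))


def plan_reply_urls(external_url, metadata_xml):
    """For each ACS location, return (original, value_to_configure, action)."""
    plan = []
    for loc in acs_locations(metadata_xml):
        if reply_url_reachable(external_url, loc):
            plan.append((loc, loc, "keep"))
        else:
            plan.append((loc, rewrite_reply_url(external_url, loc), "update"))
    return plan


if __name__ == "__main__":
    for original, configured, action in plan_reply_urls(EXTERNAL_URL, SP_METADATA):
        print(f"{action:6} {original} -> {configured}")
```

Run it as-is to see the contosotravel rewrite; pass your own External URL and the real SP metadata to get the list of Reply URLs to configure. Entries marked keep correspond to the custom-domain case in the note above, where no rewrite is needed.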

Test your app

When you've completed all these steps, your app should be up and running. To test the app:

  1. Open a browser and navigate to the External URL that you created when you published the app.
  2. Sign in with the test account that you assigned to the app. You should be able to load the application and have SSO into the application.

Next steps