Header-based authentication for single sign-on with Application Proxy and PingAccess

Azure Active Directory (Azure AD) Application Proxy has partnered with PingAccess so that your Azure AD customers can access more of your applications. PingAccess expands the existing Application Proxy offerings to include single sign-on access to applications that use headers for authentication.

What's PingAccess for Azure AD?

With PingAccess for Azure AD, you can give users access and single sign-on (SSO) to applications that use headers for authentication. Application Proxy treats these applications like any other, using Azure AD to authenticate access and then passing traffic through the connector service. PingAccess sits in front of the applications and translates the access token from Azure AD into a header. The application then receives the authentication in a format it can read.

Your users won't notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all apps without regard to their authentication type, so they'll still balance loads automatically.
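The following is an added example, not code from the page, from Microsoft, or from Ping Identity. It shows the receiving side of the flow described above: a minimal WSGI application that reads the user identity from the HTTP header PingAccess injects after validating the Azure AD access token. The header name (X-Authenticated-User) and the address range of the PingAccess hosts are assumptions for the demo; in a real deployment they come from your PingAccess identity mapping and network layout. The point a practitioner should take from it is that a header-based application must honour the identity header only on requests that arrived through the PingAccess hop, which is also why the internal URL configured later in this article points at PingAccess rather than at the application itself.

```python
"""Added example: the on-premises, header-based application side of
Application Proxy + PingAccess SSO (not part of the original article).

Assumptions (hypothetical, adjust to your deployment):
  * PingAccess asserts the signed-in user in the header X-Authenticated-User.
  * PingAccess hosts live in 10.0.0.0/24 and are the only hosts allowed to
    assert an identity towards this application.
"""
from ipaddress import ip_address, ip_network

# WSGI spells the header X-Authenticated-User as HTTP_X_AUTHENTICATED_USER.
IDENTITY_HEADER = "HTTP_X_AUTHENTICATED_USER"   # assumed header name
# Addresses of the PingAccess hosts that sit in front of the application.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]   # assumed address range


def _from_trusted_proxy(environ):
    """True when the immediate peer is one of the configured PingAccess hosts."""
    try:
        addr = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:       # missing or malformed address
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def handle(environ):
    """Decide one request; returns (status line, response body).

    The identity header is trusted only when the request came through
    PingAccess. A request that reaches the app directly is refused even if
    it carries the header, because anyone can set request headers.
    """
    if not _from_trusted_proxy(environ):
        return "403 Forbidden", "direct access to this application is not allowed"
    user = environ.get(IDENTITY_HEADER, "").strip()
    if not user:
        return "401 Unauthorized", "no identity header from PingAccess"
    return "200 OK", f"hello {user}"


def app(environ, start_response):
    """Standard WSGI entry point wrapping handle()."""
    status, body = handle(environ)
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # Local demo server; PingAccess (not end users) would be its only client.
    from wsgiref.simple_server import make_server
    make_server("0.0.0.0", 8080, app).serve_forever()
```

The check on the peer address is deliberately simple; in practice the same property is usually achieved by placing the application on a network segment reachable only from the PingAccess hosts, or by mutual TLS between PingAccess and the application, so that the identity header cannot be supplied by anything other than PingAccess.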

How do I get access?

Since this scenario comes from a partnership between Azure Active Directory and PingAccess, you need licenses for both services. However, Azure Active Directory Premium subscriptions include a basic PingAccess license that covers up to 20 applications. If you need to publish more than 20 header-based applications, you can purchase an additional license from PingAccess.

For more information, see Azure Active Directory editions.

Publish your application in Azure

This article is for people publishing an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If you've already configured both services but want a refresher on the publishing steps, skip to the Add your application to Azure AD with Application Proxy section.

Note

Since this scenario is a partnership between Azure AD and PingAccess, some of the instructions exist on the Ping Identity site.

Install an Application Proxy connector

If you've already enabled Application Proxy and installed a connector, you can skip this section and go to Add your application to Azure AD with Application Proxy.

The Application Proxy connector is a Windows Server service that directs the traffic from your remote employees to your published applications. For more detailed installation instructions, see Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory.

  1. Sign in to the Azure Active Directory portal as an application administrator. The Azure Active Directory admin center page appears.

  2. Select Azure Active Directory > Application proxy > Download connector service. The Application Proxy Connector Download page appears.

    Screenshot: Application Proxy Connector Download page

  3. Follow the installation instructions.

Downloading the connector should automatically enable Application Proxy for your directory, but if not, you can select Enable Application Proxy.

Add your application to Azure AD with Application Proxy

There are two actions you need to take in the Azure portal. First, you need to publish your application with Application Proxy. Then, you need to collect some information about the application that you can use during the PingAccess steps.

Publish your application

You'll first have to publish your application. This action involves:

  • Adding your on-premises application to Azure AD
  • Assigning a user for testing the application and choosing header-based SSO
  • Setting up the application's redirect URL
  • Granting permissions for users and other applications to use your on-premises application

To publish your own on-premises application:

  1. If you didn't in the last section, sign in to the Azure Active Directory portal as an application administrator.

  2. Select Enterprise applications > New application > Add an on-premises application. The Add your own on-premises application page appears.

    Screenshot: Add your own on-premises application page

  3. Fill out the required fields with information about your new application. Use the guidance below for the settings.

    Note

    For a more detailed walkthrough of this step, see Add an on-premises app to Azure AD.

    1. Internal URL: Normally you provide the URL that takes you to the app's sign-in page when you're on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: https://<host name of your PingAccess server>:<port>. The port is 3000 by default, but you can configure it in PingAccess.

      Warning

      For this type of single sign-on, the internal URL must use https and can't use http.

    2. Pre-authentication method: Choose Azure Active Directory.

    3. Translate URL in Headers: Choose No.

    Note

    If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener you've configured in PingAccess. Learn more about listeners in PingAccess.

  4. Select Add. The overview page for the new application appears.

Now assign a user for application testing and choose header-based single sign-on:

  1. From the application sidebar, select Users and groups > Add user > Users and groups (<Number> Selected). A list of users and groups appears for you to choose from.

    Screenshot: list of users and groups

  2. Select a user for application testing, and select Select. Make sure this test account has access to the on-premises application.

  3. Select Assign.

  4. From the application sidebar, select Single sign-on > Header-based.

    Tip

    If this is your first time using header-based single sign-on, you need to install PingAccess. To make sure your Azure subscription is automatically associated with your PingAccess installation, use the link on this single sign-on page to download PingAccess. You can open the download site now, or come back to this page later.

    Screenshot: header-based sign-on screen and PingAccess

  5. Select Save.

Then make sure your redirect URL is set to your external URL:

  1. From the Azure Active Directory admin center sidebar, select Azure Active Directory > App registrations. A list of applications appears.
  2. Select your application.
  3. Select the link next to Redirect URIs, showing the number of redirect URIs set up for web and public clients. The <application name> - Authentication page appears.
  4. Check whether the external URL that you assigned to your application earlier is in the Redirect URIs list. If it isn't, add the external URL now, using a redirect URI type of Web, and select Save.

Finally, set up your on-premises application so that users have read access and other applications have read/write access:

  1. From the App registrations sidebar for your application, select API permissions > Add a permission > Microsoft APIs > Microsoft Graph. The Request API permissions page for Microsoft Graph appears, which contains the APIs for Windows Azure Active Directory.

    Screenshot: Request API permissions page

  2. Select Delegated permissions > User > User.Read.

  3. Select Application permissions > Application > Application.ReadWrite.All.

  4. Select Add permissions.

  5. In the API permissions page, select Grant admin consent for <your directory name>.

Collect information for the PingAccess steps

You need to collect these three pieces of information (all GUIDs) to set up your application with PingAccess:

  Name of Azure AD field      Name of PingAccess field    Data format
  Application (client) ID     Client ID                   GUID
  Directory (tenant) ID       Issuer                      GUID
  PingAccess key              Client Secret               Random string

To collect this information:

  1. From the Azure Active Directory admin center sidebar, select Azure Active Directory > App registrations. A list of applications appears.

  2. Select your application. The App registrations page for your application appears.

    Screenshot: registration overview for the application

  3. Next to the Application (client) ID value, select the Copy to clipboard icon, then copy and save it. You specify this value later as PingAccess's client ID.

  4. Next to the Directory (tenant) ID value, also select Copy to clipboard, then copy and save it. You specify this value later as PingAccess's issuer.

  5. From the sidebar of the App registrations page for your application, select Certificates and secrets > New client secret. The Add a client secret page appears.

    Screenshot: Add a client secret page

  6. In Description, type PingAccess key.

  7. Under Expires, choose how to set the PingAccess key: In 1 year, In 2 years, or Never.

  8. Select Add. The PingAccess key appears in the table of client secrets, with a random string that autofills in the VALUE field.

  9. Next to the PingAccess key's VALUE field, select the Copy to clipboard icon, then copy and save it. You specify this value later as PingAccess's client secret.

Update GraphAPI to send custom fields (optional)

If you need a custom claim that sends other tokens within the access_token consumed by PingAccess, set the acceptMappedClaims application field to True. You can use Graph Explorer or the Azure AD portal's application manifest to make this change.

This example uses Graph Explorer:

PATCH https://graph.windows.net/myorganization/applications/<object_id_GUID_of_your_application>

{
  "acceptMappedClaims":true
}

This example uses the Azure Active Directory portal to update the acceptMappedClaims field:

  1. Sign in to the Azure Active Directory portal as an application administrator.
  2. Select Azure Active Directory > App registrations. A list of applications appears.
  3. Select your application.
  4. From the sidebar of the App registrations page for your application, select Manifest. The manifest JSON code for your application's registration appears.
  5. Search for the acceptMappedClaims field, and change the value to True.
  6. Select Save.

Use of optional claims (optional)

Optional claims allow you to add standard-but-not-included-by-default claims that every user and tenant has. You can configure optional claims for your application by modifying the application manifest. For more info, see the Understanding the Azure AD application manifest article.

Example to include the email address in the access_token that PingAccess will consume:

    "optionalClaims": {
        "idToken": [],
        "accessToken": [
            {
                "name": "email",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "saml2Token": []
    },

Use of claims mapping policy (optional)

Claims Mapping Policy (preview) is for attributes which do not exist in Azure AD. Claims mapping allows you to migrate old on-premises apps to the cloud by adding additional custom claims that are backed by your ADFS or user objects.

To make your application use a custom claim and include additional fields, be sure you've also created a custom claims mapping policy and assigned it to the application.

Note

To use a custom claim, you must also have a custom policy defined and assigned to the application. This policy should include all required custom attributes.

You can do policy definition and assignment through PowerShell, Azure AD Graph Explorer, or Microsoft Graph. If you're doing them in PowerShell, you may need to first use New-AzureADPolicy and then assign it to the application with Add-AzureADServicePrincipalPolicy. For more information, see Claims mapping policy assignment.

Example:

$pol = New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"employeeid","JwtClaimType":"employeeid"}]}}') -DisplayName "AdditionalClaims" -Type "ClaimsMappingPolicy"

Add-AzureADServicePrincipalPolicy -Id "<<The object Id of the Enterprise Application you published in the previous step, which requires this claim>>" -RefObjectId $pol.Id

Enable PingAccess to use custom claims

Enabling PingAccess to use custom claims is optional, but required if you expect the application to consume additional claims.

When you configure PingAccess in the following step, the Web Session you create (Settings > Access > Web Sessions) must have Request Profile deselected and Refresh User Attributes set to No.

Download PingAccess and configure your application

Now that you've completed all the Azure Active Directory setup steps, you can move on to configuring PingAccess.

The detailed steps for the PingAccess part of this scenario continue in the Ping Identity documentation. Follow the instructions in Configure PingAccess for Azure AD to protect applications published using Microsoft Azure AD Application Proxy on the Ping Identity web site.

Those steps help you install PingAccess and set up a PingAccess account (if you don't already have one). Then, to create an Azure AD OpenID Connect (OIDC) connection, you set up a token provider with the Directory (tenant) ID value that you copied from the Azure AD portal. Next, to create a web session on PingAccess, you use the Application (client) ID and PingAccess key values. After that, you can set up identity mapping and create a virtual host, site, and application.

Test your application

When you've completed all these steps, your application should be up and running. To test it, open a browser and navigate to the external URL that you created when you published the application in Azure. Sign in with the test account that you assigned to the application.
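When the sign-in works but the application does not see the extra fields, the usual cause is that the access token PingAccess consumes does not carry the claims configured in the optional claims and claims mapping policy sections above. The following is an added example, not code from the page, from Microsoft, or from Ping Identity: a small Python helper that decodes a token's claims and checks them against the values collected earlier (the Application (client) ID as aud, the Directory (tenant) ID inside iss) and against the claim names used in this article's examples (email from optional claims, employeeid from the claims mapping policy). The client ID, tenant ID and the demo token are constructed placeholders; the helper only inspects claim contents for troubleshooting and does not validate the signature, which is the job of the PingAccess token provider.

```python
"""Added example (not part of the original article): inspect the claims of an
access token and compare them with the configuration built in this article.

Assumptions / placeholders (constructed for the demo):
  * CLIENT_ID and TENANT_ID stand in for the GUIDs copied from the portal.
  * The demo token is signed with HS256 and a throw-away key so the script
    runs offline; a real Azure AD token is RS256-signed and is verified by
    the PingAccess token provider, not by this helper.
"""
import base64
import hashlib
import hmac
import json

CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # Application (client) ID placeholder
TENANT_ID = "22222222-2222-2222-2222-222222222222"   # Directory (tenant) ID placeholder
# Claims added by the optionalClaims and ClaimsMappingPolicy examples above.
EXPECTED_CLAIMS = ("email", "employeeid")


def _b64url_decode(segment):
    """JWT segments drop '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Return the payload (claims) of a compact JWT. No signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token, client_id=CLIENT_ID, tenant_id=TENANT_ID,
                expected_claims=EXPECTED_CLAIMS):
    """Return a list of problems; an empty list means the claims match the setup."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    # Azure AD sets aud to the client ID (or api://<client ID>) of the app.
    if aud not in (client_id, f"api://{client_id}"):
        problems.append(f"aud {aud!r} does not match the Application (client) ID")
    # The issuer URL embeds the tenant ID, e.g. https://sts.windows.net/<tenant>/.
    if tenant_id not in str(claims.get("iss", "")):
        problems.append("iss does not contain the Directory (tenant) ID")
    for name in expected_claims:
        if not claims.get(name):
            problems.append(
                f"claim {name!r} missing: check the optional claims / claims mapping "
                f"policy and that acceptMappedClaims is true")
    return problems


def make_demo_token(claims, key=b"constructed-demo-key"):
    """Build an HS256-signed demo token so the check can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = _b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


# Constructed token shaped like a v1 Azure AD access token after the
# optional claim and claims mapping policy from this article are in place.
DEMO_TOKEN = make_demo_token({
    "aud": CLIENT_ID,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "email": "alice@contoso.example",
    "employeeid": "E12345",
})

if __name__ == "__main__":
    for problem in check_token(DEMO_TOKEN) or ["token matches the configuration"]:
        print(problem)
```

To use it against a real token, paste the access_token obtained for the test account into check_token with your own client and tenant IDs; each reported problem points back to the section of this article where that setting is made.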

Next steps