Configure password single sign-on

When you add a gallery app or a non-gallery web app to your Azure AD Enterprise Applications, one of the single sign-on options available to you is password-based single sign-on. This option is available for any website with an HTML sign-in page. Password-based SSO, also referred to as password vaulting, enables you to manage user access and passwords to web applications that don't support identity federation. It's also useful for scenarios where several users need to share a single account, such as your organization's social media app accounts.

Password-based SSO is a great way to get started integrating applications into Azure AD quickly, and allows you to:

  • Enable single sign-on for your users by securely storing and replaying usernames and passwords for the application you've integrated with Azure AD

  • Support applications that require more than just username and password fields to sign in

  • Customize the labels of the username and password input fields your users see on the Application Access Panel when they enter their credentials

  • Allow your users to provide their own usernames and passwords for any existing application accounts they type in manually on the Application Access Panel

  • Allow a member of the business group to specify the usernames and passwords assigned to a user by using the Self-Service Application Access feature

  • Allow an administrator to specify a username and password to be used by individuals or groups when signing in to the application by using the Update Credentials feature

Before you begin

If the application hasn't been added to your Azure AD tenant, see Add a gallery app or Add a non-gallery app.

Open the app and select password single sign-on

  1. Sign in to the Azure portal as a cloud application admin, or an application admin for your Azure AD tenant.

  2. Navigate to Azure Active Directory > Enterprise applications. A random sample of the applications in your Azure AD tenant appears.

  3. In the Application Type menu, select All applications, and then select Apply.

  4. Enter the name of the application in the search box, and then select the application from the results.

  5. Under the Manage section, select Single sign-on.

  6. Select Password-based.

  7. Enter the URL of the application's web-based sign-in page. This string must be the page that includes the username input field.

  8. Select Save. Azure AD tries to parse the sign-in page for a username input and a password input. If the attempt succeeds, you're done.
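A rough pre-check of what a static parse of a sign-in page can find, written as an added example (this is not Azure AD's parser and not code from the original page). The sample pages, the `USERNAME_HINTS` heuristics and the function names are assumptions made for illustration; a page that yields no password field or no fields at all is a candidate for the manual capture described below.

```python
from html.parser import HTMLParser

# Input types that are not visible sign-in fields.
NON_FIELD_TYPES = {"hidden", "submit", "button", "image", "reset", "checkbox", "radio"}
USERNAME_HINTS = ("user", "login", "email", "account")  # assumed naming heuristics

# Constructed sample pages (not taken from any real application).
CLASSIC = ('<form action="/login" method="post"><input type="hidden" name="csrf">'
           '<input type="text" name="username"><input type="password" name="pwd">'
           '<input type="submit" value="Sign in"></form>')
MULTI_FIELD = ('<form><input name="tenant_code"><input name="user_name">'
               '<input type="password" name="password"></form>')
TWO_STEP = '<form><input type="email" name="identifier"></form>'
SCRIPT_RENDERED = '<div id="app"></div><script src="/bundle.js"></script>'

class SignInFormScanner(HTMLParser):
    """Collects the visible <input> fields of each <form> on a page."""
    def __init__(self):
        super().__init__()
        self.forms = []       # one list of field dicts per <form>
        self._current = None  # fields of the form currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = []
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            if kind not in NON_FIELD_TYPES:
                self._current.append({"type": kind, "name": a.get("name") or a.get("id", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def assess_sign_in_page(html):
    """Report the sign-in fields that a static parse of the page can find."""
    scanner = SignInFormScanner()
    scanner.feed(html)
    for fields in scanner.forms:
        pw = next((f for f in fields if f["type"] == "password"), None)
        user = next((f for f in fields if f["type"] != "password" and (f["type"] == "email"
                     or any(h in f["name"].lower() for h in USERNAME_HINTS))), None)
        if user or pw:
            extra = [f["name"] for f in fields if f is not user and f is not pw]
            return {"username_field": user and user["name"],
                    "password_field": pw and pw["name"], "extra_fields": extra}
    return {"username_field": None, "password_field": None, "extra_fields": []}
```

`TWO_STEP` models a sign-in flow whose first page holds only the username input, and `SCRIPT_RENDERED` models a page whose form is built by JavaScript, so neither exposes a password field to a static parse.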

Note

Your next step is to assign users or groups to the application. After you've assigned users and groups, you can provide credentials to be used on behalf of a user when they sign in to the application. Select Users and groups, select the checkbox for the user's or group's row, and then click Update Credentials. Then, enter the username and password to be used on behalf of the user or group. Otherwise, users will be prompted to enter the credentials themselves upon launch.

Manual configuration

If Azure AD's parsing attempt fails, you can configure sign-on manually.

  1. Under <application name> Configuration, select Configure <application name> Password Single Sign-on Settings to display the Configure sign-on page.

  2. Select Manually detect sign-in fields. Additional instructions describing the manual detection of sign-in fields appear.

  3. Select Capture sign-in fields. A capture status page opens in a new tab, showing the message "metadata capture is currently in progress".

  4. If the Access Panel Extension Required box appears in a new tab, select Install Now to install the My Apps Secure Sign-in Extension browser extension. (The browser extension requires Microsoft Edge, Chrome, or Firefox.) Then install, launch, and enable the extension, and refresh the capture status page.

    The browser extension then opens another tab that displays the entered URL.

  5. In the tab with the entered URL, go through the sign-in process. Fill in the username and password fields, and try to sign in. (You don't have to provide the correct password.)

    A prompt asks you to save the captured sign-in fields.

  6. Select OK. The browser extension updates the capture status page with the message "Metadata has been updated for the application". The browser tab closes.

  7. In the Azure AD Configure sign-on page, select "Ok, I was able to sign-in to the app successfully".

  8. Select OK.

After the capture of the sign-in page, you can assign users and groups, and you can set up credential policies just like regular password SSO applications.

Note

You can upload a tile logo for the application using the Upload Logo button on the Configure tab for the application.

Next steps