Single sign-on to applications in Azure Active Directory

Single sign-on (SSO) adds security and convenience when users sign in to applications in Azure Active Directory (Azure AD). This article describes the single sign-on methods and helps you choose the most appropriate SSO method when configuring your applications.

  • With single sign-on, users sign in once with one account to access domain-joined devices, company resources, software as a service (SaaS) applications, and web applications. After signing in, the user can launch applications from the Office 365 portal or the Azure AD MyApps access panel. Administrators can centralize user account management and automatically add or remove user access to applications based on group membership.

  • Without single sign-on, users must remember application-specific passwords and sign in to each application separately. IT staff need to create and update user accounts for each application, such as Office 365, Box, and Salesforce. Users need to remember their passwords and spend time signing in to each application.

Choosing a single sign-on method

There are several ways to configure an application for single sign-on. Choosing a single sign-on method depends on how the application is configured for authentication.

  • Cloud applications can use OpenID Connect, OAuth, SAML, password-based, linked, or disabled methods for single sign-on.
  • On-premises applications can use password-based, Integrated Windows Authentication, header-based, linked, or disabled methods for single sign-on. The on-premises choices work when applications are configured for Application Proxy.

This flowchart helps you decide which single sign-on method is best for your situation.

(Figure: decision flowchart for choosing a single sign-on method)

The following table summarizes the single sign-on methods and links to more details.

| Single sign-on method | Application types | When to use |
| --- | --- | --- |
| OpenID Connect and OAuth | cloud only | Use OpenID Connect and OAuth when developing a new application. These protocols simplify application configuration, have easy-to-use SDKs, and enable your application to use Microsoft Graph. |
| SAML | cloud and on-premises | Choose SAML whenever possible for existing applications that do not use OpenID Connect or OAuth. SAML works for applications that authenticate using one of the SAML protocols. |
| Password-based | cloud and on-premises | Choose password-based when the application authenticates with a username and password. Password-based single sign-on enables secure application password storage and replay using a web browser extension or mobile app. This method uses the existing sign-in process provided by the application but lets an administrator manage the passwords. |
| Linked | cloud and on-premises | Choose linked sign-on when the application is configured for single sign-on in another identity provider service. This option doesn't add single sign-on to the application. However, the application might already have single sign-on implemented using another service such as Active Directory Federation Services. |
| Disabled | cloud and on-premises | Choose disabled single sign-on when the app isn't ready to be configured for single sign-on. Users need to enter their username and password every time they launch this application. |
| Integrated Windows Authentication (IWA) | on-premises only | Choose IWA single sign-on for applications that use Integrated Windows Authentication (IWA) or for claims-aware applications. For IWA, the Application Proxy connectors use Kerberos Constrained Delegation (KCD) to authenticate users to the application. |
| Header-based | on-premises only | Use header-based single sign-on when the application uses headers for authentication. Header-based single sign-on requires PingAccess for Azure AD. Application Proxy uses Azure AD to authenticate the user and then passes traffic through the connector service. |

OpenID Connect and OAuth

When developing new applications, use modern protocols like OpenID Connect and OAuth to achieve the best single sign-on experience for your app across multiple device platforms. OAuth enables users or admins to grant consent for protected resources such as Microsoft Graph. We provide easy-to-adopt SDKs for your app, and your app will also be ready to use Microsoft Graph.

For more information, see:
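The authorization-code request that an OpenID Connect sign-in starts with, as an added example rather than code from this article or from a Microsoft SDK: it generates a PKCE verifier/challenge pair and a state value, builds the request against the Microsoft identity platform v2.0 authorize endpoint, and then checks the redirect that comes back (state match, registered redirect URI, no error). The tenant id, client id and redirect URI are constructed placeholders; the endpoint path is the real one.

```python
"""OpenID Connect authorization-code request with PKCE, plus callback check.

Added example; not code from the article or from Microsoft. Tenant id,
client id and redirect URI are constructed placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))          # 43-char random verifier
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: list, state: str, code_challenge: str,
                        nonce: str) -> str:
    """Authorization request. 'state' ties the callback to this browser
    session; 'nonce' is later compared against the id_token's nonce claim."""
    params = {
        "client_id": client_id,
        "response_type": "code",             # authorization code flow
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def extract_code(callback_url: str, expected_state: str, redirect_uri: str) -> str:
    """Validate the redirect back from Azure AD and return the authorization
    code. Rejects a callback on the wrong URI, an error response, a state
    mismatch (the classic CSRF / session-mixup check) and a missing code."""
    parsed, expected = urlparse(callback_url), urlparse(redirect_uri)
    if (parsed.scheme, parsed.netloc, parsed.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError("callback did not arrive on the registered redirect URI")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(
        tenant="00000000-0000-0000-0000-000000000000",       # placeholder tenant id
        client_id="11111111-1111-1111-1111-111111111111",    # placeholder app (client) id
        redirect_uri="https://app.contoso.example/signin-oidc",  # constructed
        scopes=["openid", "profile", "User.Read"],
        state=state, code_challenge=challenge, nonce=nonce))
```

The verifier is kept server-side with the session and sent only on the token request, so an intercepted code cannot be redeemed without it; the state and nonce values are per-session secrets and must be compared, not merely present.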

SAML SSO

With SAML single sign-on, Azure AD authenticates to the application by using the user's Azure AD account. Azure AD communicates the sign-on information to the application through a connection protocol. With SAML-based single sign-on, you can map users to specific application roles based on rules you define in your SAML claims.

Choose SAML-based single sign-on when the application supports it.

SAML-based single sign-on is supported for applications that use any of these protocols:

  • SAML 2.0
  • WS-Federation

To configure a SaaS application for SAML-based single sign-on, see Configure SAML-based single sign-on. Also, many software as a service (SaaS) applications have an application-specific tutorial that steps you through the configuration for SAML-based single sign-on.

To configure an application for WS-Federation, follow the same guidance as for configuring an application for SAML-based single sign-on; see Configure SAML-based single sign-on. In the step where you configure the application to use Azure AD, replace the Azure AD login URL with the WS-Federation endpoint https://login.microsoftonline.com/<tenant-ID>/wsfed.

To configure an on-premises application for SAML-based single sign-on, see SAML single sign-on for on-premises applications with Application Proxy.

For more information about the SAML protocol, see Single sign-on SAML protocol.
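What the receiving application does with the assertion, as an added example (not code from the article, from Azure AD or from any SAML library): it reads the NameID and the groups claim, refuses the assertion unless its Conditions hold (validity window and audience) and the issuer is the expected tenant, and then maps the groups onto an application role, which is the claims-to-roles mapping the section describes. The assertion XML is constructed; the issuer URL and groups-claim URI follow the formats Azure AD emits, with a zero tenant id as a placeholder. Signature verification is assumed to have been done already by the SAML library that hands the assertion to this code.

```python
"""Extract claims from a SAML 2.0 assertion, enforce Conditions, map groups to a role.

Added example; not code from the article or from Microsoft. The assertion,
audience and role table are constructed. The XML signature is assumed to
have been verified upstream before this code runs.
"""
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant
EXPECTED_AUDIENCE = "https://app.contoso.example/saml"                             # constructed SP identifier

# Group value in the groups claim -> application role; first match wins.
ROLE_RULES = [("finance-admins", "admin"), ("finance-users", "editor"), ("all-staff", "reader")]

# Constructed sample assertion (signature element omitted; see docstring).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.contoso.example/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>finance-admins</saml:AttributeValue>
      <saml:AttributeValue>all-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text: str) -> dict:
    """Pull issuer, NameID, validity window, audiences and group values out."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    group_path = f"saml:AttributeStatement/saml:Attribute[@Name='{GROUPS_CLAIM}']/saml:AttributeValue"
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "not_before": parse_time(cond.get("NotBefore")),
        "not_on_or_after": parse_time(cond.get("NotOnOrAfter")),
        "audiences": [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)],
        "groups": [v.text for v in root.findall(group_path, SAML_NS)],
    }


def conditions_hold(claims: dict, audience: str, now: datetime) -> bool:
    """NotBefore <= now < NotOnOrAfter, and we are a listed audience."""
    in_window = claims["not_before"] <= now < claims["not_on_or_after"]
    return in_window and audience in claims["audiences"]


def assign_role(groups: list) -> Optional[str]:
    """Map the groups claim onto an app role; None means no access."""
    for group, role in ROLE_RULES:
        if group in groups:
            return role
    return None


def authorize(xml_text: str, audience: str, now_iso: str) -> Optional[str]:
    """Full decision for one assertion: role name, or None when it must be refused."""
    claims = parse_assertion(xml_text)
    if claims["issuer"] != EXPECTED_ISSUER:
        return None
    if not conditions_hold(claims, audience, parse_time(now_iso)):
        return None
    return assign_role(claims["groups"])


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION, EXPECTED_AUDIENCE, "2024-01-01T10:30:00Z"))
```

The audience check is what stops an assertion issued for one application from being replayed at another; the time window bounds how long a captured assertion stays usable. Both are cheap and belong in the application even when the SAML library already validated the signature.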

Password-based SSO

With password-based sign-on, users sign on to the application with a username and password the first time they access it. After the first sign-on, Azure AD supplies the username and password to the application.

Password-based single sign-on uses the existing authentication process provided by the application. When you enable password single sign-on for an application, Azure AD collects and securely stores user names and passwords for the application. User credentials are stored in an encrypted state in the directory.

Choose password-based single sign-on when:

  • An application doesn't support the SAML single sign-on protocol.
  • An application authenticates with a username and password instead of access tokens and headers.

Password-based single sign-on is supported for any cloud-based application that has an HTML-based sign-in page. The user can use any of the following browsers:

  • Internet Explorer 11 on Windows 7 or later

    Note

    Internet Explorer is on limited support and no longer receives new software updates. Microsoft Edge is the recommended browser.

  • Microsoft Edge on Windows 10 Anniversary Edition or later

  • Chrome on Windows 7 or later, and on MacOS X or later

  • Firefox 26.0 or later on Windows XP SP2 or later, and on Mac OS X 10.6 or later

To configure a cloud application for password-based single sign-on, see Configure password single sign-on.

To configure an on-premises application for single sign-on through Application Proxy, see Password vaulting for single sign-on with Application Proxy.

How authentication works for password-based SSO

To authenticate a user to an application, Azure AD retrieves the user's credentials from the directory and enters them into the application's sign-on page. Azure AD securely passes the user credentials via a web browser extension or mobile app. This process enables an administrator to manage user credentials and doesn't require users to remember their password.

Important

The credentials are obfuscated from the user during the automated sign-on process. However, the credentials are discoverable by using web-debugging tools. Users and administrators need to follow the same security policies as if the credentials were entered directly by the user.

Managing credentials for password-based SSO

Passwords for each application can be managed either by the Azure AD administrator or by the users.

When the Azure AD administrator manages the credentials:

  • The user doesn't need to reset or remember the user name and password. The user can access the application by clicking on it in their access panel or via a provided link.
  • The administrator can do management tasks on the credentials. For example, the administrator can update application access according to user group memberships and employee status.
  • The administrator can use administrative credentials to provide access to applications shared among many users. For example, the administrator can allow everyone who can access an application to have access to a social media or document sharing application.

When the end user manages the credentials:

  • Users can manage their passwords by updating or deleting them as needed.
  • Administrators are still able to set new credentials for the application.

Linked sign-on

Linked sign-on enables Azure AD to provide single sign-on to an application that is already configured for single sign-on in another service. The linked application can appear to end users in the Office 365 portal or the Azure AD MyApps portal. For example, a user can launch from the Office 365 portal an application that is configured for single sign-on in Active Directory Federation Services 2.0 (AD FS). Additional reporting is also available for linked applications that are launched from the Office 365 portal or the Azure AD MyApps portal. To configure an application for linked sign-on, see Configure linked sign-on.

Linked sign-on for application migration

Linked sign-on can provide a consistent user experience while you migrate applications over a period of time. If you're migrating applications to Azure Active Directory, you can use linked sign-on to quickly publish links to all the applications you intend to migrate. Users can find all the links in the MyApps portal or the Office 365 application launcher. Users won't know whether they're accessing a linked application or a migrated application.

Once a user has authenticated with a linked application, an account record needs to be created before the end user is provided single sign-on access. Provisioning this account record can either occur automatically or be done manually by an administrator.

Disabled SSO

Disabled mode means single sign-on isn't used for the application. When single sign-on is disabled, users might need to authenticate twice. First, users authenticate to Azure AD, and then they sign in to the application.

Use disabled single sign-on mode:

  • If you're not ready to integrate this application with Azure AD single sign-on, or
  • If you're testing other aspects of the application, or
  • As a layer of security for an on-premises application that doesn't require users to authenticate. With single sign-on disabled, the user still has to authenticate to Azure AD before reaching the application.

Integrated Windows Authentication (IWA) SSO

Application Proxy provides single sign-on (SSO) to applications that use Integrated Windows Authentication (IWA), or to claims-aware applications. If your application uses IWA, Application Proxy authenticates to the application by using Kerberos Constrained Delegation (KCD). For a claims-aware application that trusts Azure Active Directory, single sign-on works because the user was already authenticated by Azure AD.

Choose the Integrated Windows Authentication single sign-on mode to provide single sign-on to an on-premises app that authenticates with IWA.

To configure an on-premises app for IWA, see Kerberos Constrained Delegation for single sign-on to your applications with Application Proxy.

How single sign-on with KCD works

This diagram explains the flow when a user accesses an on-premises application that uses IWA.

(Figure: Microsoft Azure AD authentication flow diagram)

  1. The user enters the URL to access the on-premises application through Application Proxy.
  2. Application Proxy redirects the request to the Azure AD authentication service to preauthenticate. At this point, Azure AD applies any applicable authentication and authorization policies, such as multifactor authentication. If the user is validated, Azure AD creates a token and sends it to the user.
  3. The user passes the token to Application Proxy.
  4. Application Proxy validates the token and retrieves the User Principal Name (UPN) from the token. It then sends the request, the UPN, and the Service Principal Name (SPN) to the connector through a dually authenticated secure channel.
  5. The connector uses Kerberos Constrained Delegation (KCD) negotiation with the on-premises AD, impersonating the user to get a Kerberos token for the application.
  6. Active Directory sends the Kerberos token for the application to the connector.
  7. The connector sends the original request to the application server, using the Kerberos token it received from AD.
  8. The application sends the response to the connector, which is then returned to the Application Proxy service and finally to the user.

Header-based SSO

Header-based single sign-on works for applications that use HTTP headers for authentication. This sign-on method uses a third-party authentication service called PingAccess. A user only needs to authenticate to Azure AD.

Choose header-based single sign-on when Application Proxy and PingAccess are configured for the application.

To configure header-based authentication, see Header-based authentication for single sign-on with Application Proxy.

What is PingAccess for Azure AD?

Using PingAccess for Azure AD, users can access, and single sign-on to, applications that use headers for authentication. Application Proxy treats these applications like any other, using Azure AD to authenticate access and then passing traffic through the connector service. After authentication occurs, the PingAccess service translates the Azure AD access token into a header format that is sent to the application.
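The application-side check that header-based sign-on depends on, as an added example that is not code from the article, from PingAccess or from Microsoft: because the application trusts identity headers rather than a token it verifies itself, it must honour those headers only when the request provably came through the proxy hop, and ignore them on any other path. The article does not describe how PingAccess authenticates itself to the backend, so this example assumes two controls a backend can apply: the connector's source address range and a per-deployment shared-secret header. The header names, network range and secret are constructed.

```python
"""Accept identity headers only from the trusted proxy hop.

Added example; not code from the article, PingAccess or Microsoft. The
connector subnet, the hop-authentication header and the identity header
names are assumptions for the example.
"""
import hmac
from ipaddress import ip_address, ip_network
from typing import Optional

TRUSTED_PROXY_NETS = [ip_network("10.20.0.0/24")]         # constructed connector subnet
PROXY_SECRET_HEADER = "x-proxy-secret"                      # assumed hop-authentication header
PROXY_SECRET = b"constructed-per-deployment-secret"         # constructed value
USER_HEADER = "x-authenticated-user"                        # assumed identity header names
GROUPS_HEADER = "x-authenticated-groups"


def from_trusted_proxy(remote_addr: str, headers: dict) -> bool:
    """True only if the TCP peer is a connector and the hop secret matches."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    if not any(addr in net for net in TRUSTED_PROXY_NETS):
        return False
    presented = headers.get(PROXY_SECRET_HEADER, "").encode("utf-8")
    return hmac.compare_digest(presented, PROXY_SECRET)   # constant-time compare


def resolve_identity(remote_addr: str, headers: dict) -> Optional[dict]:
    """Return {'user', 'groups'} when the request came through the proxy,
    otherwise None so the caller answers 401. Identity headers that arrive
    on an untrusted hop are ignored, never honoured."""
    lower = {k.lower(): v for k, v in headers.items()}
    if not from_trusted_proxy(remote_addr, lower):
        return None
    user = lower.get(USER_HEADER, "").strip()
    if not user:
        return None
    groups = [g.strip() for g in lower.get(GROUPS_HEADER, "").split(",") if g.strip()]
    return {"user": user, "groups": groups}


if __name__ == "__main__":
    # Constructed request as the connector would deliver it.
    sample = {
        "X-Proxy-Secret": "constructed-per-deployment-secret",
        "X-Authenticated-User": "alice@contoso.example",
        "X-Authenticated-Groups": "finance-admins,all-staff",
    }
    print(resolve_identity("10.20.0.7", sample))
    print(resolve_identity("203.0.113.9", sample))   # same headers, wrong hop: None
```

The network restriction alone is not enough if anything else can reach the application on that segment, which is why the hop secret (or, better, mutual TLS between connector and backend) is applied as well; the point is that the application never derives identity from a header it did not receive from the component that translated the Azure AD token.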

Your users won't notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all applications, and they'll continue to load balance automatically.

How do I get a license for PingAccess?

Since this scenario is offered through a partnership between Azure AD and PingAccess, you need licenses for both services. However, Azure AD Premium subscriptions include a basic PingAccess license that covers up to 20 applications. If you need to publish more than 20 header-based applications, you can acquire an additional license from PingAccess.

For more information, see Azure Active Directory editions.