Manage identity in multitenant applications

This series of articles describes best practices for multitenancy when using Azure AD for authentication and identity management.

Sample code

When you're building a multitenant application, one of the first challenges is managing user identities, because now every user belongs to a tenant. For example:

  • Users sign in with their organizational credentials.
  • Users should have access to their organization's data, but not to data that belongs to other tenants.
  • An organization can sign up for the application, and then assign application roles to its members.

Azure Active Directory (Azure AD) has some great features that support all of these scenarios.

To accompany this series of articles, we created a complete end-to-end implementation of a multitenant application. The articles reflect what we learned in the process of building the application. To get started with the application, see the GitHub readme.

Introduction

Let's say you're writing an enterprise SaaS application to be hosted in the cloud. Of course, the application will have users:

Diagram showing individual users.

But those users belong to organizations:

Diagram showing organizational users.

Example: Tailspin sells subscriptions to its SaaS application. Contoso and Fabrikam sign up for the app. When Alice (alice@contoso) signs in, the application should know that Alice is part of Contoso.

  • Alice should have access to Contoso data.
  • Alice should not have access to Fabrikam data.

This guidance will show you how to manage user identities in a multitenant application, using Azure Active Directory (Azure AD) to handle sign-in and authentication.

What is multitenancy?

A tenant is a group of users. In a SaaS application, the tenant is a subscriber or customer of the application. Multitenancy is an architecture where multiple tenants share the same physical instance of the app. Although tenants share physical resources (such as VMs or storage), each tenant gets its own logical instance of the app.

Typically, application data is shared among the users within a tenant, but not with other tenants.

Diagram showing a multitenant application.

Compare this architecture with a single-tenant architecture, where each tenant has a dedicated physical instance. In a single-tenant architecture, you add tenants by spinning up new instances of the app.

Diagram showing a single-tenant architecture.

Multitenancy and horizontal scaling

To achieve scale in the cloud, it's common to add more physical instances. This is known as horizontal scaling, or scaling out. Consider a web app. To handle more traffic, you can add more server VMs and put them behind a load balancer. Each VM runs a separate physical instance of the web app.

Diagram showing a load-balanced web site.

Any request can be routed to any instance. Together, the system functions as a single logical instance. You can tear down a VM or spin up a new VM without affecting users. In this architecture, each physical instance is multitenant, and you scale by adding more instances. If one instance goes down, it should not affect any tenant.

Identity in a multitenant app

In a multitenant app, you must consider users in the context of tenants.

Authentication

  • Users sign into the app with their organization credentials. They don't have to create new user profiles for the app.
  • Users within the same organization are part of the same tenant.
  • When a user signs in, the application knows which tenant the user belongs to.

Authorization

  • When authorizing a user's actions (say, viewing a resource), the app must take into account the user's tenant.
  • Users might be assigned roles within the application, such as "Admin" or "Standard User". Role assignments should be managed by the customer, not by the SaaS provider.

Example. Alice, an employee at Contoso, navigates to the application in her browser and clicks the "Log in" button. She is redirected to a sign-in screen where she enters her corporate credentials (username and password). At this point, she is logged into the app as alice@contoso.com. The application also knows that Alice is an admin user for this application. Because she is an admin, she can see a list of all the resources that belong to Contoso. However, she cannot view Fabrikam's resources, because she is an admin only within her tenant.
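The Authentication and Authorization points above, and the Alice example, come down to two checks that a practitioner has to get right in code: map the signed-in user to a tenant the app actually knows about, and apply roles only inside that tenant. The following is an added example for this article, not code from the page or from the Tailspin sample. It uses the claim names Azure AD emits in its tokens (`tid` for the home tenant, `preferred_username`, and `roles` for assigned app roles); the tenant IDs, users and resources are constructed, and the claim dictionaries stand in for tokens whose signature, issuer, audience and expiry have already been validated.

```python
"""Tenant-scoped authorization driven by Azure AD token claims.

Added example for this article; not code from the page or from the Tailspin
sample. The claim names `tid`, `preferred_username` and `roles` are the ones
Azure AD emits; the tenant IDs, users and resources below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Tenants that have signed up for the SaaS app (constructed values; in Azure AD
# a tenant ID is a GUID). A user from any Azure AD tenant can obtain a token for
# a multitenant app registration, so the app itself must check the tenant.
SIGNED_UP_TENANTS = {"contoso-tenant-id", "fabrikam-tenant-id"}

# Decoded claim sets standing in for validated tokens (constructed). Signature,
# issuer, audience and expiry validation happens before any of these values
# are trusted; that step is outside this example.
ALICE_CLAIMS = {
    "tid": "contoso-tenant-id",
    "preferred_username": "alice@contoso.com",
    "roles": ["Admin"],
}
BOB_CLAIMS = {
    "tid": "fabrikam-tenant-id",
    "preferred_username": "bob@fabrikam.com",
    "roles": [],
}
MALLORY_CLAIMS = {  # a real Azure AD user, but from a tenant that never signed up
    "tid": "unknown-tenant-id",
    "preferred_username": "mallory@unknown.example",
    "roles": ["Admin"],
}


@dataclass(frozen=True)
class Resource:
    resource_id: str
    tenant_id: str   # the tenant that owns the row
    owner: str       # the user who created it


# Constructed sample data: two Contoso rows, two Fabrikam rows.
RESOURCES = [
    Resource("r1", "contoso-tenant-id", "alice@contoso.com"),
    Resource("r2", "contoso-tenant-id", "carol@contoso.com"),
    Resource("r3", "fabrikam-tenant-id", "bob@fabrikam.com"),
    Resource("r4", "fabrikam-tenant-id", "dave@fabrikam.com"),
]


class SignInRejected(Exception):
    """Raised when a token cannot be mapped to a registered tenant."""


@dataclass(frozen=True)
class Principal:
    tenant_id: str
    user: str
    roles: frozenset


def principal_from_claims(claims: dict) -> Principal:
    """Build the app's view of the signed-in user from validated token claims.

    Authentication step: the tenant comes from the token's `tid` claim, never
    from anything the client could choose, and it must be a tenant that has
    signed up for the application.
    """
    tenant_id = claims.get("tid")
    if not tenant_id:
        raise SignInRejected("token carries no tid claim")
    if tenant_id not in SIGNED_UP_TENANTS:
        raise SignInRejected(f"tenant {tenant_id} has not signed up")
    return Principal(
        tenant_id=tenant_id,
        user=claims.get("preferred_username", ""),
        roles=frozenset(claims.get("roles", [])),
    )


def can_view(principal: Principal, resource: Resource) -> bool:
    """Authorization step: tenant boundary first, roles only inside it."""
    if resource.tenant_id != principal.tenant_id:
        return False            # an Admin at Contoso sees nothing of Fabrikam's
    if "Admin" in principal.roles:
        return True             # admin of the tenant: every row in that tenant
    return resource.owner == principal.user  # standard user: own rows only


def visible_resources(principal: Principal, resources: Iterable[Resource]) -> List[str]:
    """IDs the principal may list; a real app would push the tenant filter into the query."""
    return [r.resource_id for r in resources if can_view(principal, r)]


if __name__ == "__main__":
    alice = principal_from_claims(ALICE_CLAIMS)
    print("alice sees", visible_resources(alice, RESOURCES))   # ['r1', 'r2']
    bob = principal_from_claims(BOB_CLAIMS)
    print("bob sees", visible_resources(bob, RESOURCES))       # ['r3']
```

The order of the checks in `can_view` is the point of the Alice example: the tenant comparison runs before any role is consulted, so an "Admin" role can never widen access beyond the tenant recorded in the token. `principal_from_claims` covers the sign-up bullet from earlier in the article: a token from a tenant the SaaS provider has never onboarded is rejected at sign-in rather than silently becoming an empty tenant.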

In this guidance, we'll look specifically at using Azure AD for identity management.

  • We assume the customer stores their user profiles in Azure AD (including Office 365 and Dynamics CRM tenants).
  • Customers with on-premises Active Directory can use Azure AD Connect to sync their on-premises Active Directory with Azure AD. If a customer with on-premises Active Directory cannot use Azure AD Connect (due to corporate IT policy or other reasons), the SaaS provider can federate with the customer's directory through Active Directory Federation Services (AD FS). This option is described in Federating with a customer's AD FS.

This guidance does not consider other aspects of multitenancy such as data partitioning, per-tenant configuration, and so forth.

Next