Federate with a customer's AD FS

This article describes how a multitenant SaaS application can support authentication via Active Directory Federation Services (AD FS), in order to federate with a customer's AD FS.

Overview

Azure Active Directory (Azure AD) makes it easy to sign in users from Azure AD tenants, including Office 365 and Dynamics CRM Online customers. But what about customers who use on-premises Active Directory on a corporate intranet?

One option is for these customers to sync their on-premises AD with Azure AD, using Azure AD Connect. However, some customers may be unable to use this approach, due to corporate IT policy or other reasons. In that case, another option is to federate through Active Directory Federation Services (AD FS).

To enable this scenario:

  • The customer must have an Internet-facing AD FS farm.
  • The SaaS provider deploys their own AD FS farm.
  • The customer and the SaaS provider must set up federation trust. This is a manual process.

There are three main roles in the trust relationship:

  • The customer's AD FS is the account partner, responsible for authenticating users from the customer's AD, and creating security tokens with user claims.

  • The SaaS provider's AD FS is the resource partner, which trusts the account partner and receives the user claims.

  • The application is configured as a relying party (RP) in the SaaS provider's AD FS.

    (Diagram: Federation trust)

Note

In this article, we assume the application uses OpenID Connect as the authentication protocol. Another option is to use WS-Federation.

For OpenID Connect, the SaaS provider must use AD FS 2016, running in Windows Server 2016. AD FS 3.0 does not support OpenID Connect.

For an example of using WS-Federation with ASP.NET 4, see the active-directory-dotnet-webapp-wsfederation sample.

Authentication flow

  1. When the user clicks "sign in", the application redirects to an OpenID Connect endpoint on the SaaS provider's AD FS.
  2. The user enters his or her organizational user name ("alice@corp.contoso.com"). AD FS uses home realm discovery to redirect to the customer's AD FS, where the user enters their credentials.
  3. The customer's AD FS sends user claims to the SaaS provider's AD FS, using WS-Federation (or SAML).
  4. Claims flow from AD FS to the app, using OpenID Connect. This requires a protocol transition from WS-Federation.

Limitations

By default, the relying party application receives only a fixed set of claims available in the id_token, shown in the following table. With AD FS 2016, you can customize the id_token in OpenID Connect scenarios. For more information, see Custom ID Tokens in AD FS.

Claim | Description
aud | Audience. The application for which the claims were issued.
authenticationinstant | Authentication instant. The time at which authentication occurred.
c_hash | Code hash value. This is a hash of the token contents.
exp | Expiration time. The time after which the token will no longer be accepted.
iat | Issued at. The time when the token was issued.
iss | Issuer. The value of this claim is always the resource partner's AD FS.
name | User name. Example: john@corp.fabrikam.com
nameidentifier | Name identifier. The identifier for the name of the entity for which the token was issued.
nonce | Session nonce. A unique value generated by AD FS to help prevent replay attacks.
upn | User principal name (UPN). Example: john@corp.fabrikam.com
pwd_exp | Password expiration period. The number of seconds until the user's password or a similar authentication secret, such as a PIN, expires.

Note

The "iss" claim contains the AD FS of the partner (typically, this claim will identify the SaaS provider as the issuer). It does not identify the customer's AD FS. You can find the customer's domain as part of the UPN.
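The checks a relying party should apply to that fixed claim set, as an added example in Python (not code from the article, from AD FS, or from any Microsoft sample): it validates iss, aud, exp, iat and nonce, then resolves the customer tenant from the UPN suffix, because, as the note says, iss names the SaaS provider's AD FS rather than the customer's. The issuer URL, client id, suffix map and claim values are constructed; signature verification is assumed to have been done already by the OpenID Connect middleware using the keys published at the metadata endpoint, so only the decoded claims are checked here.

```python
"""Added example: validate the decoded id_token claims AD FS issues to the relying
party and map the user to a customer tenant by UPN suffix. All values constructed."""
import time

# Constructed: issuer value of the SaaS provider's AD FS and the app's client id.
EXPECTED_ISSUER = "https://adfs.saas-provider.example/adfs"
CLIENT_ID = "urn:saas-app:example"

# Constructed: UPN suffix -> tenant id, the SaaS-side counterpart of the
# OrganizationalAccountSuffix registered on each claims provider trust.
TENANT_BY_SUFFIX = {
    "corp.fabrikam.com": "tenant-fabrikam",
    "corp.contoso.com": "tenant-contoso",
}


class IdTokenValidationError(Exception):
    pass


def tenant_from_upn(upn, suffix_map=TENANT_BY_SUFFIX):
    """Return the tenant id for a UPN by matching its suffix exactly (case-insensitive).
    Exact matching matters: 'corp.fabrikam.com.attacker.example' must not match."""
    local, sep, suffix = upn.rpartition("@")
    if not sep or not local or not suffix:
        raise IdTokenValidationError("upn is not in user@suffix form")
    tenant = suffix_map.get(suffix.lower())
    if tenant is None:
        raise IdTokenValidationError("unknown UPN suffix %r" % suffix)
    return tenant


def validate_id_token_claims(claims, expected_nonce, now=None, skew=60):
    """Check the claims from the table above and return (tenant, upn), the pair
    the application should treat as the user's identity."""
    now = time.time() if now is None else now
    # iss identifies the resource partner (SaaS provider) AD FS, never the customer.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise IdTokenValidationError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise IdTokenValidationError("token not issued for this application")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + skew:
        raise IdTokenValidationError("token expired")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + skew:
        raise IdTokenValidationError("token issued in the future")
    # The nonce must equal the value the app stored in the session at sign-in time.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise IdTokenValidationError("nonce mismatch (possible replay)")
    upn = claims.get("upn")
    if not upn:
        raise IdTokenValidationError("upn claim missing")
    return tenant_from_upn(upn), upn


# Constructed sample claim set, shaped like the table above.
SAMPLE_CLAIMS = {
    "aud": CLIENT_ID,
    "iss": EXPECTED_ISSUER,
    "iat": 1_600_000_000,
    "exp": 1_600_003_600,
    "nonce": "n-0S6_WzA2Mj",
    "name": "john@corp.fabrikam.com",
    "upn": "john@corp.fabrikam.com",
    "nameidentifier": "john@corp.fabrikam.com",
}

if __name__ == "__main__":
    print(validate_id_token_claims(SAMPLE_CLAIMS, "n-0S6_WzA2Mj", now=1_600_000_100))
```

The suffix lookup is deliberately an exact, case-insensitive match on everything after the last "@": prefix or substring matching would let a UPN in an unrelated domain resolve to a customer tenant.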

The rest of this article describes how to set up the trust relationship between the RP (the app) and the account partner (the customer).

AD FS deployment

The SaaS provider can deploy AD FS either on-premises or on Azure VMs. For security and availability, the following guidelines are important:

  • Deploy at least two AD FS servers and two AD FS proxy servers to achieve the best availability of the AD FS service.
  • Domain controllers and AD FS servers should never be exposed directly to the Internet and should be in a virtual network with direct access to them.
  • Web application proxies (previously AD FS proxies) must be used to publish AD FS servers to the Internet.

To set up a similar topology in Azure requires the use of virtual networks, network security groups, virtual machines, and availability sets. For more details, see Guidelines for deploying Windows Server Active Directory on Azure Virtual Machines.

Configure OpenID Connect authentication with AD FS

The SaaS provider must enable OpenID Connect between the application and AD FS. To do so, add an application group in AD FS. You can find detailed instructions in this blog post, under "Setting up a Web App for OpenId Connect sign in AD FS."

Next, configure the OpenID Connect middleware. The metadata endpoint is https://domain/adfs/.well-known/openid-configuration, where domain is the SaaS provider's AD FS domain.

Typically you might combine this with other OpenID Connect endpoints (such as Azure AD). You'll need two different sign-in buttons or some other way to distinguish them, so that the user is sent to the correct authentication endpoint.

Configure the AD FS Resource Partner

The SaaS provider must do the following for each customer that wants to connect via AD FS:

  1. Add a claims provider trust.
  2. Add claims rules.
  3. Enable home-realm discovery.

Here are the steps in more detail.

Add the claims provider trust

  1. In Server Manager, click Tools, and then select AD FS Management.
  2. In the console tree, under AD FS, right-click Claims Provider Trusts. Select Add Claims Provider Trust.
  3. Click Start to start the wizard.
  4. Select the option "Import data about the claims provider published online or on a local network". Enter the URI of the customer's federation metadata endpoint. (Example: https://contoso.com/FederationMetadata/2007-06/FederationMetadata.xml.) You will need to get this from the customer.
  5. Complete the wizard using the default options.

Edit claims rules

  1. Right-click the newly added claims provider trust, and select Edit Claims Rules.
  2. Click Add Rule.
  3. Select "Pass Through or Filter an Incoming Claim" and click Next. (Screenshot: selecting Pass Through or Filter an Incoming Claim under Claim rule template.)
  4. Enter a name for the rule.
  5. Under "Incoming claim type", select UPN.
  6. Select "Pass through all claim values". (Screenshot: selecting Pass through all claim values.)
  7. Click Finish.
  8. Repeat steps 2 - 7, and specify Anchor Claim Type for the incoming claim type.
  9. Click OK to complete the wizard.

Enable home-realm discovery

Run the following PowerShell script:

Set-AdfsClaimsProviderTrust -TargetName "name" -OrganizationalAccountSuffix @("suffix")

where "name" is the friendly name of the claims provider trust, and "suffix" is the UPN suffix for the customer's AD (for example, "corp.fabrikam.com").

With this configuration, end users can type in their organizational account, and AD FS automatically selects the corresponding claims provider. See Customizing the AD FS Sign-in Pages, under the section "Configure Identity Provider to use certain email suffixes".

Configure the AD FS Account Partner

The customer must do the following:

  1. Add a relying party (RP) trust.
  2. Add claims rules.

Add the RP trust

  1. In Server Manager, click Tools, and then select AD FS Management.
  2. In the console tree, under AD FS, right-click Relying Party Trusts. Select Add Relying Party Trust.
  3. Select Claims Aware and click Start.
  4. On the Select Data Source page, select the option "Import data about the claims provider published online or on a local network". Enter the URI of the SaaS provider's federation metadata endpoint. (Screenshot: Add Relying Party Trust Wizard.)
  5. On the Specify Display Name page, enter any name.
  6. On the Choose Access Control Policy page, choose a policy. You could permit everyone in the organization, or choose a specific security group. (Screenshot: the Choose Access Control Policy page.)
  7. Enter any parameters required in the Policy box.
  8. Click Next to complete the wizard.

Add claims rules

  1. Right-click the newly added relying party trust, and select Edit Claim Issuance Policy.

  2. Click Add Rule.

  3. Select "Send LDAP Attributes as Claims" and click Next.

  4. Enter a name for the rule, such as "UPN".

  5. Under Attribute store, select Active Directory. (Screenshot: Add Transform Claim Rule Wizard.)

  6. In the Mapping of LDAP attributes section:

    • Under LDAP Attribute, select User-Principal-Name.
    • Under Outgoing Claim Type, select UPN. (Screenshot: selecting User-Principal-Name and UPN under Mapping of LDAP attributes.)
  7. Click Finish.

  8. Click Add Rule again.

  9. Select "Send Claims Using a Custom Rule" and click Next.

  10. Enter a name for the rule, such as "Anchor Claim Type".

  11. Under Custom rule, enter the following:

    EXISTS([Type == "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype"])=>
    issue (Type = "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype",
          Value = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn");
    

    This rule issues a claim of type anchorclaimtype. The claim tells the relying party to use UPN as the user's immutable ID.

  12. Click Finish.

  13. Click OK to complete the wizard.
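To see what the two sets of claims rules do together (the UPN and anchor claim rules on the account partner's RP trust above, and the two pass-through rules on the resource partner's claims provider trust under "Edit claims rules"), here is an added simulation of that pipeline in Python. It is illustration, not the AD FS claim rule language and not AD FS code: the claim type URIs for upn and anchorclaimtype are the ones on the page; the role claim type, the AD contents, the issuer names and the trust table are constructed; and the anchorclaimtype claim placed in the initial request is an assumption about how the EXISTS condition of the custom rule is satisfied. The UPN suffix comparison in resource_partner_accept is an additional check that the article does not configure, included because the resource partner otherwise accepts whatever UPN the account partner asserts.

```python
"""Added example: model of the claims pipeline between the account partner
(customer AD FS) and the resource partner (SaaS provider AD FS). Constructed data."""
from collections import namedtuple

Claim = namedtuple("Claim", "type value issuer")

# Claim type URIs as used in the custom rule on the page.
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ANCHOR = "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype"
# Assumed: an extra claim type a customer's AD FS might also send (not on the page).
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed stand-in for the customer's Active Directory attribute store.
CUSTOMER_AD = {"alice": {"userPrincipalName": "alice@corp.fabrikam.com"}}

# Constructed: the claims provider trust the SaaS provider created for this
# customer, keyed by issuer, with the suffix given to -OrganizationalAccountSuffix.
TRUSTS = {"customer-adfs": {"suffix": "corp.fabrikam.com"}}


def account_partner_issue(sam_account, incoming, ad=CUSTOMER_AD, issuer="customer-adfs"):
    """The two rules on the customer's RP trust: 'Send LDAP Attributes as Claims'
    (User-Principal-Name -> UPN) and the custom rule
    EXISTS([Type == anchorclaimtype]) => issue(Type = anchorclaimtype, Value = upn).
    `incoming` models the claims already in the pipeline when the rules run."""
    issued = []
    attrs = ad.get(sam_account)
    if attrs and attrs.get("userPrincipalName"):
        issued.append(Claim(UPN, attrs["userPrincipalName"], issuer))
    if any(c.type == ANCHOR for c in incoming):
        issued.append(Claim(ANCHOR, UPN, issuer))
    return issued


def resource_partner_accept(claims, trusts=TRUSTS):
    """The two pass-through rules on the SaaS provider's claims provider trust:
    only UPN and anchorclaimtype survive; every other incoming claim is dropped.
    The issuer and suffix checks are added here, not configured by the article."""
    accepted = []
    for c in claims:
        if c.type not in (UPN, ANCHOR):
            continue  # not passed through, so the relying party never sees it
        if c.issuer not in trusts:
            raise ValueError("claim from an untrusted issuer: %s" % c.issuer)
        if c.type == UPN:
            suffix = c.value.rpartition("@")[2].lower()
            if suffix != trusts[c.issuer]["suffix"]:
                raise ValueError("UPN %r does not belong to issuer %s" % (c.value, c.issuer))
        accepted.append(c)
    return accepted


def federate(sam_account, customer_extra=()):
    """Run a constructed request through both partners and return the claims the
    relying party application finally receives, as {type: value}."""
    # Assumption: the request reaching the account partner already carries an
    # anchorclaimtype claim, which is what the EXISTS condition tests for.
    request = [Claim(ANCHOR, "", "resource-adfs")]
    from_customer = account_partner_issue(sam_account, request) + list(customer_extra)
    return {c.type: c.value for c in resource_partner_accept(from_customer)}


if __name__ == "__main__":
    print(federate("alice"))
    print(federate("alice", [Claim(ROLE, "Administrators", "customer-adfs")]))
```

The second call shows the point of the pass-through rules: a role claim added on the customer side never reaches the application, so authorization in a multitenant app should be derived from the tenant and UPN the SaaS provider controls, not from claims a customer's AD FS chooses to send.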