Identity providers

APPLIES TO: SDK v4

An identity provider authenticates user or client identities and issues consumable security tokens. It provides user authentication as a service.

Client applications, such as web applications, delegate authentication to a trusted identity provider. Such client applications are said to be federated, that is, they use federated identity.

Using a trusted identity provider:

  • Enables single sign-on (SSO) features, allowing an application to access multiple secured resources.
  • Facilitates connections between cloud computing resources and users, decreasing the need for users to re-authenticate.

Single sign-on

Single sign-on refers to an authentication process that permits a user to log on to a system once with a single set of credentials to access multiple applications or services.

A user logs in with a single ID and password to gain access to any of several related software systems. For more information, see Single sign on.

Many identity providers support a sign-out operation that revokes the user token and terminates access to the associated applications and services.

Important

SSO enhances usability by reducing the number of times a user must enter credentials. It also provides better security by decreasing the potential attack surface.

Azure Active Directory identity provider

Azure Active Directory (AD) is the identity service in Microsoft Azure that provides identity management and access control capabilities. It allows you to securely sign in users using industry-standard protocols like OAuth 2.0.

You can choose from two AD identity provider implementations, which have different settings, as shown below.

Note

You use the settings described here when configuring the OAuth Connection Settings in the Azure bot registration application. See Add authentication to a bot.

Azure AD v1

You use the settings shown to configure the Azure AD developer platform (v1.0), also known as the Azure AD v1 endpoint, which lets you build apps that securely sign in users with a Microsoft work or school account. For more information, see Azure Active Directory for developers (v1.0) overview.

Property           | Description                           | Value
-------------------|---------------------------------------|----------------------------------------------
Name               | The name of your connection           | <Your name for the connection>
Service Provider   | Azure AD identity provider            | Azure Active Directory
Client ID          | Azure AD identity provider app ID     | <AAD provider app ID>
Client secret      | Azure AD identity provider app secret | <AAD provider app secret>
Grant Type         |                                       | authorization_code
Login URL          |                                       | https://login.microsoftonline.com
Tenant ID          |                                       | <directory (tenant) ID> or common. See note.
Resource URL       |                                       | https://graph.microsoft.com/
Scopes             |                                       |
Token Exchange URL | Used for SSO in Azure AD v2           |

Note

  • Enter the tenant ID you recorded for the AAD identity provider app if you selected one of the following:

    • Accounts in this organizational directory only (Microsoft only - Single tenant)

    • Accounts in any organizational directory (Microsoft AAD directory - Multi tenant)

  • Enter common if you selected Accounts in any organizational directory (Any AAD directory - Multi tenant and personal Microsoft accounts, e.g. Skype, Xbox, Outlook.com). Otherwise, the AAD identity provider app will verify through the tenant whose ID was selected and exclude personal MS accounts.

See also

Other identity providers

Azure supports several identity providers. You can get a complete list, along with the related details, by running this Azure console command:

az bot authsetting list-providers

You can also see the list of these providers in the Azure portal when you define the OAuth connection settings for a bot registration app.

Azure identity providers

OAuth generic providers

Azure supports generic OAuth2, which allows you to use your own identity providers.

You can choose from two generic identity provider implementations, which have different settings, as shown below.

Note

You use the settings described here when configuring the OAuth Connection Settings in the Azure bot registration application.

Generic OAuth 2

Use this provider to configure any generic OAuth2 identity provider that has similar expectations to the Azure AD provider, particularly AD v2. You have a limited number of properties because the query strings and request body payloads are fixed. In the values you enter, the parameters substituted into the various URLs, query strings, and bodies appear in curly braces {}.

Property                       | Description                                                                                  | Value
-------------------------------|----------------------------------------------------------------------------------------------|------------------------------------------------------------------
Name                           | The name of your connection                                                                  | <Your name for the connection>
Service Provider               | Identity provider                                                                            | From the drop-down list, select Generic OAuth 2
Client ID                      | Identity provider app ID                                                                     | <provider ID>
Client secret                  | Identity provider app secret                                                                 | <provider secret>
Authorization URL              |                                                                                              | https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Authorization URL Query String |                                                                                              | ?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}&scope={Scopes}&state={State}
Token URL                      |                                                                                              | https://login.microsoftonline.com/common/oauth2/v2.0/token
Token Body                     | Body to send for the token exchange                                                          | code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}&client_id={ClientId}&client_secret={ClientSecret}
Refresh URL                    |                                                                                              | https://login.microsoftonline.com/common/oauth2/v2.0/token
Refresh Body Template          | Body to send with the token refresh                                                          | refresh_token={RefreshToken}&redirect_uri={RedirectUrl}&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}
Scopes                         | Comma separated list of the API permissions you granted earlier to the Azure AD authentication app | Values such as openid profile Mail.Read Mail.Send User.Read User.ReadBasic.All
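The following Python is an added example, not code from this page or from the Bot Framework itself. It takes the Generic OAuth 2 templates listed in the table above and shows what the curly-brace substitution has to do in practice: every substituted value is percent-encoded so that a scope list with spaces or a redirect URL with slashes cannot break the query string, an unresolved placeholder is treated as a configuration error rather than sent literally, and the `state` value carried through the authorization URL is generated per login and compared on the callback before the code is exchanged. The `ClientId`, `ClientSecret`, `RedirectUrl` and scope values are constructed sample values, and the function names are this example's own.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, quote

# Constructed settings mirroring the "Generic OAuth 2" table on this page.
# ClientId, ClientSecret and the scope list are made-up sample values (assumption).
GENERIC_OAUTH2_SETTINGS = {
    "ClientId": "11111111-2222-3333-4444-555555555555",
    "ClientSecret": "constructed-secret-value",
    "AuthorizationUrl": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "AuthorizationUrlQueryString": (
        "?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}"
        "&scope={Scopes}&state={State}"
    ),
    "TokenUrl": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "TokenBody": (
        "code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}"
        "&client_id={ClientId}&client_secret={ClientSecret}"
    ),
    "RefreshUrl": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "RefreshBodyTemplate": (
        "refresh_token={RefreshToken}&redirect_uri={RedirectUrl}&grant_type=refresh_token"
        "&client_id={ClientId}&client_secret={ClientSecret}"
    ),
    "Scopes": "openid profile User.Read",
}

REDIRECT_URL = "https://example.com/auth/callback"  # constructed sample redirect URL

_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render_template(template: str, values: dict) -> str:
    """Replace every {Name} placeholder with the percent-encoded value.

    Raises KeyError for a placeholder that has no value, so a misconfigured
    template is never sent with a literal "{Scopes}" in it.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for placeholder {{{name}}}")
        # safe="" also encodes "/" and ":", which is required inside a query value.
        return quote(str(values[name]), safe="")
    return _PLACEHOLDER.sub(substitute, template)


def new_state() -> str:
    """Unguessable per-login state value; keep it server-side and check it on the callback."""
    return secrets.token_urlsafe(32)


def build_authorization_url(settings: dict, redirect_url: str, state: str) -> str:
    """Authorization URL + rendered query string, the link the user is sent to."""
    query = render_template(
        settings["AuthorizationUrlQueryString"],
        {"ClientId": settings["ClientId"], "RedirectUrl": redirect_url,
         "Scopes": settings["Scopes"], "State": state},
    )
    return settings["AuthorizationUrl"] + query


def parse_callback(query_string: str, expected_state: str) -> str:
    """Return the authorization code from the redirect, or raise if the state
    does not match the one issued for this login (cross-site request / login injection check)."""
    params = parse_qs(query_string.lstrip("?"), strict_parsing=True)
    received_state = params.get("state", [""])[0]
    if not hmac.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not issued for this session")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def build_token_request(settings: dict, code: str, redirect_url: str) -> tuple:
    """(Token URL, form body) for exchanging the code; redirect_uri must match the one used above."""
    body = render_template(
        settings["TokenBody"],
        {"Code": code, "RedirectUrl": redirect_url,
         "ClientId": settings["ClientId"], "ClientSecret": settings["ClientSecret"]},
    )
    return settings["TokenUrl"], body


def build_refresh_request(settings: dict, refresh_token: str, redirect_url: str) -> tuple:
    """(Refresh URL, form body) for renewing an access token with the refresh token."""
    body = render_template(
        settings["RefreshBodyTemplate"],
        {"RefreshToken": refresh_token, "RedirectUrl": redirect_url,
         "ClientId": settings["ClientId"], "ClientSecret": settings["ClientSecret"]},
    )
    return settings["RefreshUrl"], body


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(GENERIC_OAUTH2_SETTINGS, REDIRECT_URL, state))
    # Simulated redirect back from the provider, constructed for the demo.
    code = parse_callback(f"?code=abc123&state={state}", state)
    print(*build_token_request(GENERIC_OAUTH2_SETTINGS, code, REDIRECT_URL))
```

The bodies produced by `build_token_request` and `build_refresh_request` are `application/x-www-form-urlencoded` strings, which is the form the Token URL and Refresh URL expect; the client secret travels in that body over TLS, so it must never be placed in the authorization URL that the user's browser sees.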