Enabling OpenId Connect with AD FS 2016

Applies To: Windows Server 2016

Building on the initial OAuth support in AD FS in Windows Server 2012 R2, AD FS 2016 introduces support for signing on with OpenId Connect.

Pre-requisites

The following is a list of pre-requisites that must be met before completing this document. This document assumes that AD FS has been installed and an AD FS farm has been created.

  • An Azure AD subscription (a free trial is fine)

  • GitHub client tools

  • AD FS in Windows Server 2016 TP4 or later

  • Visual Studio 2013 or later.

Create an Application Group in AD FS 2016

The following section describes how to configure the application group in AD FS 2016.

Create Application Group

  1. In AD FS Management, right-click on Application Groups and select Add Application Group.

  2. On the Application Group Wizard, for the name enter ADFSSSO and under Standalone applications select the Server application or Website template. Click Next.

  3. Copy the Client Identifier value. It will be used later as the value for ida:ClientId in the application's web.config file.

  4. Enter the following for Redirect URI: https://localhost:44320/. Click Add. Click Next.

  5. On the Configure Application Credentials screen, place a check in Generate a shared secret and copy the secret. Click Next.

  6. On the Summary screen, click Next.

  7. On the Complete screen, click Close.

  8. Now, right-click the new Application Group and select Properties.

  9. On the ADFSSSO Properties screen, click Add application.

  10. On the Add a new application to Sample Application screen, select Web API and click Next.

  11. On the Configure Web API screen, enter the following for Identifier: https://contoso.com/WebApp. Click Add. Click Next.

  12. On the Choose Access Control Policy screen, select Permit everyone and click Next.

  13. On the Configure Application Permissions screen, make sure openid is selected and click Next.

  14. On the Summary screen, click Next.

  15. On the Complete screen, click Close.

  16. On the Sample Application Properties screen, click OK.

Download and Modify MVP App to Authenticate via OpenId Connect and AD FS

This section discusses how to download the sample Web API and modify it in Visual Studio. We will be using the Azure AD sample that is here.

To download the sample project, use Git Bash and type the following:

git clone https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect  

To Modify the app

  1. Open the sample using Visual Studio.

  2. Compile the app so that all of the missing NuGet packages are restored.

  3. Open the web.config file. Modify the following values so they look like the following:

    <add key="ida:ClientId" value="8219ab4a-df10-4fbd-b95a-8b53c1d8669e" />
    <add key="ida:ADFSDiscoveryDoc" value="https://adfs.contoso.com/adfs/.well-known/openid-configuration" />
    <!--<add key="ida:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
    <add key="ida:ResourceID" value="https://contoso.com/WebApp" />
    <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />-->
    <add key="ida:PostLogoutRedirectUri" value="https://localhost:44320/" />

  4. Open the Startup.Auth.cs file and make the following changes:

    • Comment out the following:

      //public static readonly string Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);  
      
    • Tweak the OpenId Connect middleware initialization logic with the following changes:

      private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];  
      //private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];  
      //private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];  
      private static string metadataAddress = ConfigurationManager.AppSettings["ida:ADFSDiscoveryDoc"];  
      private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];  
      

    • Farther down, modify the OpenId Connect middleware options as follows:

      app.UseOpenIdConnectAuthentication(
          new OpenIdConnectAuthenticationOptions
          {
              ClientId = clientId,
              //Authority = authority,
              MetadataAddress = metadataAddress,
              RedirectUri = postLogoutRedirectUri,
              PostLogoutRedirectUri = postLogoutRedirectUri
          });

      By changing the above we are doing the following:

      • Instead of using the Authority to communicate data about the trusted issuer, we specify the discovery document location directly via MetadataAddress.

      • Azure AD does not enforce the presence of a redirect_uri in the request, but AD FS does. So, we need to add it here.
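The four modifications above, assembled into one complete ConfigureAuth for the OWIN pipeline. This is an added example, not code from the page or from the Azure sample; it assumes the OWIN 3.x packages Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect, the web.config keys shown above, and adds explicit audience validation plus a failure handler so a rejected id_token is logged rather than silently leaving the user unauthenticated.

```csharp
// Added example (not from the page or the Azure sample). Assumes OWIN 3.x packages;
// in newer package versions TokenValidationParameters lives in Microsoft.IdentityModel.Tokens.
using System;
using System.Configuration;
using System.Diagnostics;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static string metadataAddress = ConfigurationManager.AppSettings["ida:ADFSDiscoveryDoc"];
    private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

    public void ConfigureAuth(IAppBuilder app)
    {
        // Session cookie that holds the signed-in identity after the OpenId Connect round trip.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            // Discovery document instead of Authority: issuer and signing keys are read from here.
            MetadataAddress = metadataAddress,
            // AD FS requires redirect_uri and it must match the value registered in the application group.
            RedirectUri = postLogoutRedirectUri,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // Only accept id_tokens minted for this client; the issuer is checked against the discovery doc.
                ValidAudience = clientId,
                ValidateIssuer = true,
                NameClaimType = "upn"
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = ctx =>
                {
                    // Log server-side and send the user to a generic error page; do not echo the exception.
                    Trace.TraceError("OpenId Connect sign-in failed: {0}", ctx.Exception);
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/Home/Error");
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```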

Verify the app is working

Once the above changes have been made, hit F5. This will bring up the sample page. Click on sign in.

You will be redirected to the AD FS sign-in page. Go ahead and sign in.

Once this is successful you should see that you are now signed in.