AD FS Single Sign-On Settings

Applies To: Windows Server 2016, Windows Server 2012 R2

Single Sign-On (SSO) allows users to authenticate once and access multiple resources without being prompted for additional credentials. This article describes the default AD FS behavior for SSO, as well as the configuration settings that allow you to customize this behavior.

Supported types of Single Sign-On

AD FS supports several types of Single Sign-On experiences:

  • Session SSO

    Session SSO cookies are written for the authenticated user, which eliminates further prompts when the user switches applications during a particular session. However, if a particular session ends, the user will be prompted for their credentials again.

    AD FS will set session SSO cookies by default if users' devices are not registered. If the browser session has ended and is restarted, this session cookie is deleted and is no longer valid.

  • Persistent SSO

    Persistent SSO cookies are written for the authenticated user, which eliminates further prompts when the user switches applications for as long as the persistent SSO cookie is valid. The difference between persistent SSO and session SSO is that persistent SSO can be maintained across different sessions.

    AD FS will set persistent SSO cookies if the device is registered. AD FS will also set a persistent SSO cookie if a user selects the "keep me signed in" option. If the persistent SSO cookie is no longer valid, it will be rejected and deleted.

  • Application specific SSO

    In the OAuth scenario, a refresh token is used to maintain the SSO state of the user within the scope of a particular application.

    If a device is registered, AD FS will set the expiration time of a refresh token based on the persistent SSO cookie lifetime for a registered device, which is 7 days by default. If a user selects the "keep me signed in" option, the expiration time of the refresh token will equal the persistent SSO cookie lifetime for "keep me signed in", which is 1 day by default with a maximum of 7 days. Otherwise, the refresh token lifetime equals the session SSO cookie lifetime, which is 8 hours by default.

    As mentioned above, users on registered devices will always get a persistent SSO unless persistent SSO is disabled. For un-registered devices, persistent SSO can be achieved by enabling the "keep me signed in" (KMSI) feature.

    For Windows Server 2012 R2, to enable PSSO for the "Keep me signed in" scenario, you need to install this hotfix, which is also part of the August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

Single Sign-On and authenticated devices

After providing credentials for the first time, by default users with registered devices get single sign-on for a maximum period of 90 days, provided they use the device to access AD FS resources at least once every 14 days. If they wait 15 days after providing credentials, users will be prompted for credentials again.

Persistent SSO is enabled by default. If it is disabled, no PSSO cookie will be written.

Set-AdfsProperties -EnablePersistentSso <Boolean>

The device usage window (14 days by default) is governed by the AD FS property DeviceUsageWindowInDays.

Set-AdfsProperties -DeviceUsageWindowInDays <Int32>

The maximum single sign-on period (90 days by default) is governed by the AD FS property PersistentSsoLifetimeMins.

Set-AdfsProperties -PersistentSsoLifetimeMins <Int32>

Keep Me Signed In for unauthenticated devices

For non-registered devices, the single sign-on period is determined by the Keep Me Signed In (KMSI) feature settings. KMSI is disabled by default and can be enabled by setting the AD FS property KmsiEnabled to True.

Set-AdfsProperties -EnableKmsi $true

With KMSI disabled, the default single sign-on period is 8 hours. This can be configured using the property SsoLifetime. The property is measured in minutes, so its default value is 480.

Set-AdfsProperties -SsoLifetime <Int32>

With KMSI enabled, the default single sign-on period is 24 hours. This can be configured using the property KmsiLifetimeMins. The property is measured in minutes, so its default value is 1440.

Set-AdfsProperties -KmsiLifetimeMins <Int32>
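The two sections above describe three separate lifetimes (registered device, KMSI, plain session SSO) and which one applies to a sign-on. The following PowerShell is an added example, not part of the original article: it snapshots the current values, applies tighter lifetimes than the defaults, and includes a hypothetical helper (Get-EffectiveSsoLifetimeMinutes) that reports which lifetime governs a given sign-on according to the rules stated in this article. It assumes the ADFS module is loaded in an elevated session on the federation server; the property and parameter names are the ones this article uses.

```powershell
# Added example (not from the original article). Assumes the ADFS module is
# available and the session is elevated on the AD FS server.

# Snapshot the current SSO-related properties so the change can be reverted.
$before = Get-AdfsProperties |
    Select-Object EnablePersistentSso, PersistentSsoLifetimeMins,
                  DeviceUsageWindowInDays, KmsiEnabled, KmsiLifetimeMins,
                  SsoLifetime, PersistentSsoCutoffTime
$before | Format-List

# Tighten the defaults described in the article (constructed values):
#   registered devices  : 90 days / 14-day usage window -> 30 days / 7-day window
#   unregistered + KMSI : 24 hours (1440 min)          -> 12 hours (720 min)
#   unregistered, no KMSI: 8 hours (480 min)            -> 4 hours (240 min)
Set-AdfsProperties -EnablePersistentSso $true `
                   -PersistentSsoLifetimeMins (30 * 24 * 60) `
                   -DeviceUsageWindowInDays 7
Set-AdfsProperties -EnableKmsi $true -KmsiLifetimeMins 720
Set-AdfsProperties -SsoLifetime 240

# Hypothetical helper: which lifetime (in minutes) applies to a sign-on,
# following the precedence the article describes: registered device first,
# then "keep me signed in", otherwise session SSO.
function Get-EffectiveSsoLifetimeMinutes {
    param(
        [Parameter(Mandatory)] $AdfsProperties,
        [switch] $DeviceRegistered,
        [switch] $KeepMeSignedIn
    )
    if ($DeviceRegistered -and $AdfsProperties.EnablePersistentSso) {
        return $AdfsProperties.PersistentSsoLifetimeMins
    }
    if ($KeepMeSignedIn -and $AdfsProperties.KmsiEnabled) {
        return $AdfsProperties.KmsiLifetimeMins
    }
    return $AdfsProperties.SsoLifetime
}

$after = Get-AdfsProperties
Get-EffectiveSsoLifetimeMinutes -AdfsProperties $after -DeviceRegistered   # 43200
Get-EffectiveSsoLifetimeMinutes -AdfsProperties $after -KeepMeSignedIn     # 720
Get-EffectiveSsoLifetimeMinutes -AdfsProperties $after                     # 240
```

Keeping the $before snapshot matters in practice: shortening these lifetimes forces more credential prompts, so a change should be made on the primary federation server, verified against the Get-AdfsProperties output, and reverted from the snapshot if it disrupts users.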

Multi-factor authentication (MFA) behavior

It's important to note that, while providing relatively long periods of single sign-on, AD FS will prompt for additional authentication (multi-factor authentication) when a previous sign-on was based on primary credentials and not MFA, but the current sign-on requires MFA. This is regardless of SSO configuration. When AD FS receives an authentication request, it first determines whether or not there is an SSO context (such as a cookie) and then, if MFA is required (such as if the request is coming in from outside), it assesses whether or not the SSO context contains MFA. If not, the user is prompted for MFA.

PSSO revocation

To protect security, AD FS will reject any persistent SSO cookie previously issued when the following conditions are met. This will require the user to provide their credentials in order to authenticate with AD FS again.

  • User changes password

  • Persistent SSO setting is disabled in AD FS

  • Device is disabled by the administrator in a lost or stolen case

  • AD FS receives a persistent SSO cookie which is issued for a registered user, but the user or the device is not registered anymore

  • AD FS receives a persistent SSO cookie for a registered user, but the user re-registered

  • AD FS receives a persistent SSO cookie which is issued as a result of "keep me signed in", but the "keep me signed in" setting is disabled in AD FS

  • AD FS receives a persistent SSO cookie which is issued for a registered user, but the device certificate is missing or altered during authentication

  • AD FS administrator has set a cutoff time for persistent SSO. When this is configured, AD FS will reject any persistent SSO cookie issued before this time

    To set the cutoff time, run the following PowerShell cmdlet:

Set-AdfsProperties -PersistentSsoCutoffTime <DateTime>
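The cutoff time is the one revocation trigger in the list above that an administrator can fire on demand, which makes it the response of choice when persistent SSO cookies are suspected to have been exposed. The following PowerShell is an added example, not from the original article; it assumes the ADFS module is loaded in an elevated session on the primary AD FS server, and the helper name Revoke-PersistentSsoBefore is hypothetical.

```powershell
# Added example (not from the original article). Assumes the ADFS module is
# loaded in an elevated session on the primary AD FS server.

# Hypothetical helper: reject every persistent SSO cookie issued before the
# given time without touching the configured lifetimes. Defaults to "now",
# which invalidates all PSSO cookies issued so far.
function Revoke-PersistentSsoBefore {
    param([datetime] $Cutoff = (Get-Date))

    Set-AdfsProperties -PersistentSsoCutoffTime $Cutoff

    # Read the value back and confirm it took effect; Get-AdfsProperties is
    # the source of truth, not the value we passed in.
    $applied = (Get-AdfsProperties).PersistentSsoCutoffTime
    if ($applied -lt $Cutoff) {
        throw "PersistentSsoCutoffTime is $applied, expected at least $Cutoff"
    }
    Write-Host "Persistent SSO cookies issued before $applied will be rejected."
    return $applied
}

# Typical incident use: revoke everything issued up to this moment. Users on
# registered devices and KMSI users are prompted for credentials on their
# next request; session SSO cookies are not affected by this setting.
Revoke-PersistentSsoBefore

# Narrower use: revoke only cookies issued before a known exposure window
# (constructed timestamp).
Revoke-PersistentSsoBefore -Cutoff (Get-Date '2016-01-15T08:00:00')
```

Because the article also lists "Persistent SSO setting is disabled in AD FS" as a revocation condition, disabling EnablePersistentSso would revoke cookies too, but it also stops new ones from being written; the cutoff time revokes what was issued while leaving the feature enabled.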

Enable PSSO for Office 365 users to access SharePoint Online

Once PSSO is enabled and configured in AD FS, AD FS will write a persistent cookie after a user has authenticated. The next time the user comes in, if the persistent cookie is still valid, the user does not need to provide credentials to authenticate again. You can also avoid the additional authentication prompt for Office 365 and SharePoint Online users by configuring the following two claims rules in AD FS to trigger persistence at Microsoft Azure AD and SharePoint Online. To enable PSSO for Office 365 users to access SharePoint Online, you need to install this hotfix, which is also part of the August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

An Issuance Transform rule to pass through the InsideCorporateNetwork claim

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through claim - InsideCorporateNetwork"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
=> issue(claim = c);

A custom Issuance Transform rule to pass through the persistent SSO claim

@RuleName = "Pass Through Claim - Psso"
c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
=> issue(claim = c);
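The article shows the two rules but not how to attach them to the relying party trust. The following PowerShell is an added example, not from the original article: it appends both rules to the Office 365 trust's existing issuance transform rules instead of overwriting them, and skips the change if the PSSO pass-through is already present. It assumes the ADFS module is loaded on the primary AD FS server; the trust display name 'Microsoft Office 365 Identity Platform' is the usual one but is an assumption, so match it against Get-AdfsRelyingPartyTrust output first.

```powershell
# Added example (not from the original article). Assumes the ADFS module is
# loaded in an elevated session on the primary AD FS server. The trust name
# below is an assumption; check Get-AdfsRelyingPartyTrust for the real one.
$trustName = 'Microsoft Office 365 Identity Platform'

# The two pass-through rules from the article, verbatim.
$pssoRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through claim - InsideCorporateNetwork"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
=> issue(claim = c);

@RuleName = "Pass Through Claim - Psso"
c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
=> issue(claim = c);
'@

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found" }

# Setting -IssuanceTransformRules replaces the whole rule set, so carry the
# existing rules forward and only add what is missing.
$existing = [string]$trust.IssuanceTransformRules
if ($existing -match 'schemas\.microsoft\.com/2014/03/psso') {
    Write-Host "PSSO pass-through rule already present on '$trustName'; nothing to do."
} else {
    $combined = $existing.TrimEnd() + "`r`n`r`n" + $pssoRules
    Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $combined
    Write-Host "Appended InsideCorporateNetwork and Psso pass-through rules to '$trustName'."
}

# Review the final rule set before testing a sign-in.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

Carrying the existing rules forward is the important part: the Office 365 trust normally already issues UPN and ImmutableID claims, and replacing the rule set with only the two rules above would break sign-in for every Office 365 user.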