Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications

Applies To: Windows Server 2012 R2

The rapid increase in the number of consumer devices and ubiquitous information access is changing the way that people perceive their technology. The constant use of information technology throughout the day, along with easy access to information, is blurring the traditional boundaries between work and home life. These shifting boundaries are accompanied by a belief that personal technology, selected and customized to fit users' personalities, activities, and schedules, should extend into the workplace. To accommodate the growing requirement for personal consumer devices to be connected to enterprise networks, we are introducing the following value propositions:

  • Administrators can control who has access to company resources, based on application, user, device, and location.

  • Employees can access applications and data everywhere, on any device. Employees can use Single Sign-On in browser applications or enterprise applications.

Key concepts introduced in the solution

Workplace Join

By using Workplace Join, information workers can join their personal devices with their company's workplace computers to access company resources and services. When you join your personal device to your workplace, it becomes a known device and provides seamless second factor authentication and Single Sign-On to workplace resources and applications. When a device is joined by Workplace Join, attributes of the device can be retrieved from the directory to drive conditional access for the purpose of authorizing the issuance of security tokens for applications. Windows 8.1, iOS 6.0+, and Android 4.0+ devices can be joined by using Workplace Join.

Azure Active Directory Device Registration service

Workplace Join is made possible by the Azure Active Directory Device Registration service. When a device is joined by Workplace Join, the service provisions a device object in Azure Active Directory and then sets a key on the local device that is used to represent the device identity. This device identity can then be used with access control rules for applications that are hosted in the cloud and on-premises.

For more information about enabling the Azure Active Directory Device Registration service, see Azure Active Directory Device Registration Service Overview.

Workplace Join as a seamless second factor authentication

Companies can manage the risk that is related to information access and drive governance and compliance while granting consumer devices access to corporate resources. Workplace Join on devices provides the following capabilities to administrators:

  • Identifies known devices with device authentication. Administrators can use this information to drive conditional access and control access to resources.

  • Provides a more seamless sign-in experience for users who access company resources from trusted devices.

Single Sign-On

Single Sign-On (SSO) in the context of this scenario is the functionality that reduces the number of password prompts that the end user has to answer to access company resources from known devices. This functionality implies that users are prompted only one time during the lifetime of the SSO session to access company applications and resources from this device. If a device uses Workplace Join, the user who is registered to use this device gets persistent SSO, by default for seven days. This user has a seamless sign-in experience in the same session or in new sessions.

Solution Overview

As part of this solution, you learn how to use Workplace Join on a supported device and experience Single Sign-On to a company resource.

Note

To support Windows 8.1, iOS 6.0+, and Android 4.0+ devices, you MUST configure Azure Active Directory Device Registration along with device object write-back; see Step-by-Step Guide for On-premises Conditional Access using Azure Active Directory Device Registration Service.

This solution guide takes you through the following walkthrough steps:

  1. Walkthrough: Workplace Join with a Windows Device

  2. Walkthrough: Workplace Join with an iOS Device

See Also

Configure a federation server with Device Registration Service