SAML必需的权限AAD [英] SAML required Permissions AAD
问题描述
你好,
我对SAML机制的权限有疑问.目的是在此身份验证过程中使用ADAL SDK.我遵循了本指南(https://docs.microsoft.com/zh-cn/azure/active-directory/saas-apps/sap-customer-cloud-tutorial)进行设置
Azure AD.
Hello,
I have a question regarding the permissions for the SAML mechanism. The aim is to use the ADAL SDK within this authentication process. I followed this guide (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-customer-cloud-tutorial) to set
up Azure AD.
在简化的身份验证过程下面.
Below the simplified authentication process.
启用了SAML的应用程序(服务提供商)将定向到没有存储密码的AzureAD(IdentityProvider).提供UPN后,URL为https://login.microsoftonline.com/xxxxx,然后转发到内部ADFS,在其中输入密码 然后重定向到发生权限错误的Azure AD.
The SAML enabled application (Service Provider) directs to AzureAD ( the IdentityProvider) where no password is stored. The URL is https://login.microsoftonline.com/xxxxx, after providing the UPN I get forwarded to the internal ADFS where I enter the password and afterwards getting directed back to Azure AD where the permission error occurs.
在内部ADFS中为用户提供正确的凭据后,AzureAD中会出现有关AAD权限的错误.
After providing the right credentials for the user in the internal ADFS an error occurs in AzureAD regarding the permissions for AAD.
" AADSTS65005:应用程序配置错误.这可能是由于以下原因之一:
客户端未在请求中列出"AAD Graph"的任何权限
客户申请注册中的权限.或者,管理员不同意
在租户中."
"AADSTS65005: Misconfigured application. This could be due to one of the following:
The client has not listed any permissions for 'AAD Graph' in the requested
permissions in the client's application registration. Or, the admin has not consented
in the tenant."
除SAML流程所需的API之外,该应用程序不需要任何其他权限即可访问AzureAD上的某些API.在发生错误的情况下,仅设置了读取权限(应用程序和委派),我认为
由于要管理多个令牌,因此需要具有写权限,但是究竟是哪个?我不想给应用程序超出所需的权限.
在这种情况下,到底需要什么权限?
非常感谢您,
Flo
The Application doesn´t need any further permissions to access some APIs on AzureAD except the ones needed for the SAML process. In the scenario where the error occurs just reading permissions are set (application and delegation), I think there are also
writing permissions required due to the management of the several tokens, but which exactly? I don´t want to give the application more permissions than required.
What permissions are needed exactly in this scenario?
Thank you very much and kind regards,
Flo
推荐答案
查看在天蓝色活动目录下注册的应用程序的配置和权限.在配置和集成到SSO的天蓝色活动目录时,您必须为应用程序分配应用程序/委派权限.
see the configuration and permissions of application you registered under the azure active directory. You have to assign the application/ delegation permissions for your application while configuring and integrating to azure active directory for SSO.
检查其中一个示例的工作方式
Check the one of the example how it works
https://docs.microsoft.com/zh-CN/skype-sdk/websdk/docs/troubleshooting/auth/aadauth-delegatepermissions
https://docs.microsoft.com/en-us/skype-sdk/websdk/docs/troubleshooting/auth/aadauth-delegatepermissions
https://docs.microsoft.com/zh-cn/azure/active-directory/develop/quickstart-v1-integrate-apps-with-azure-ad#configure-a-client-application-to-access -web-apis
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-integrate-apps-with-azure-ad#configure-a-client-application-to-access-web-apis
这篇关于SAML必需的权限AAD的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
