有关B2B的问题 [英] A question about B2B
问题描述
你好
据我对B2B的了解,您最终会在Azure AD中创建一个对象(存根对象),以便将对B2B合作伙伴的访问权限授予您的一种资源(例如,您正在创建一个可以包含在其中的对象ACL访问控制列表)
As far as I understand it with B2B you ultimately create a object (stub object) in your Azure AD in order to give access to your B2B partner to one of your resources (e.g. you are creating an object which can be included in ACL access control list)
使用B2C,您无需在广告中创建对象,而可以依赖于纯联盟,例如google,facebook,amazonon等作为IDp,并提供签名令牌以呈现给Microsoft STS,然后Microsoft STS可以将此叹为观止的SAML/JWT转换为令牌 选择(例如Azure访问令牌,使用转换规则或其他方法).
With B2C you do not need to create a object in your AD, just rather can rely on pure federation e.g. google, facebook, amazon etc. to be the Idp and provide a signed token to present to the Microsoft STS which can then turn this sighed SAML/JWT into a token of its choosing (e.g. Azure access token, using transform rules or what ever).
以上是否正确? (如果没有请更正),换句话说,我不能以与B2C相同的方式使用B2B
If the above is correct? (please correct me if not), can I not use B2B in the same way as B2C in other words
如果我的Azure租户中有AppX,并且我想授予Z公司的合作伙伴公司对AppX的访问权限,我可以执行以下操作
if I have AppX within my Azure tenant and I want to give a partner company at Company-Z access to AppX can I do the following
在我的Azure AD中创建一个名为GroupX的组,该组的成员可以访问AppX,然后当外部用户使用纯联盟身份验证(例如,通过Google)进行身份验证并且Microsoft STS使用哪个Google签名令牌时,Microsoft上的转换规则可以 STS(或者也许您必须站立自己的ADFS服务器)提供了一个Azure访问令牌,该令牌指出用户是GroupX的成员(即使他们在我的Azure AD中没有任何类型的对象).基本上类似于Kerberos票证的方式, PAC详细说明了对用户具有的SID进行分组的方法.构造一个Azure令牌,并且转换规则暗示组成员身份,以便访问令牌可以用于获得对AppX的访问权限,而无需在我的Azure AD中创建任何类型的对象?
Create a group in my Azure AD called GroupX whose members can access AppX, then when an external user authenticates using pure federation (e.g. via Google) and the Microsoft STS consumes which google signed token, can the transform rules on the Microsoft STS (or perhaps you have to stand up your own ADFS Server) provide an Azure access token which states the user is a member of GroupX (even if they do not have an object of any kind in my Azure AD). Basically in a similar way to a Kerberos ticket where the PAC details which groups SIDs the user has. Construct an Azure token and the transform rules imply group membership so the access token can then be used to gain access to AppX without ever creating an object of any kind in my Azure AD ?
谢谢
__ Cashtones
__Cashtones
推荐答案
不,那是不正确的,同样在B2C中,您将有一个存根对象"(stub object).在您的B2C租户中.
no thats not correct, also in B2C you will have a "stub object" in your B2C tenant.
例如,存储附加属性,或者要将一个B2C对象链接到多个IdP(AltSecInfo属性)
For example to store additonal attributes or if you want to link one B2C object to multiple IdPs (AltSecInfo Attribute)
B2B或B2C之间的决定更多地取决于外部"类别.用户以及您想依靠邀请(B2B)或自助服务注册(B2C)
The decision between B2B or B2C is more on the kind of "external" users and of you want to rely on invitations (B2B) or self-service registration (B2C)
B2B主要面向业务合作伙伴,外国顾问或客户.
B2B is mainly intend for business partner, foreign consultants or customer.
B2C主要面向消费者
B2C is mainly intend for consumer
/彼得
这篇关于有关B2B的问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
