Single logout with Azure AD (SAML)


Question

Hello.

I'm trying to sort out all info from Azure documentation to understand the proper way of configuring SAML-based SLO.

I have configured an application with single sign-on. The application was added via Azure Active Directory -> Enterprise Applications -> Non-gallery application.

Here I can download the metadata and also see the IDP Logout URL https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

Then I went to Application registration and added the logout URL. (BTW, why can't this action be done while adding the app in the Enterprise Applications section? And what is the difference between Application Registration and Enterprise Applications, if an app was added in one of them and after that I can see it in the other?)

However, according to the documentation, Single Logout should be implemented this way: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

So, which approach is right:

1) Use the steps from this link and send a LogoutRequest to the URL from the metadata:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/{id}/saml2" />

2) GET https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

Also, there is a note in the documentation that the application LogoutUrl and signing key should be fetched by the IDP from the app's metadata; however, I can't find where the app's metadata can be uploaded to Azure.

Recommended answer

For your first question about the difference between Application Registration and Enterprise Application: the Enterprise Application is an instance of the application, whereas the registration is the step to integrate your application with Azure AD.

Enterprise apps are apps that are deployed and used within your organization, and you can manage single sign-on settings for them in the Azure portal. If you want to add your own app and integrate it with Azure AD, you need to register the app in App registrations. Also, if you grant permissions to your app, it will appear in Enterprise applications. If your app is added from the gallery, you cannot configure the Reply URL. You can only configure your own app in Application registrations.

https://docs.microsoft.com/zh-CN/azure/active-directory/saas-apps/google-apps-tutorial

For Single Sign-Out, I would refer to the steps in this guide: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

Once configured, when a user signs out from the Access Panel https://myapps.microsoft.com, Azure AD will broadcast the sign-out message to your endpoint for single sign-out.
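An added example (not code from the question, the answer, or Microsoft) of approach 1 above: read the HTTP-Redirect SingleLogoutService out of the IdP metadata, build a LogoutRequest, and encode it the way the HTTP-Redirect binding requires (raw DEFLATE, base64, URL-escape as the SAMLRequest query parameter). The metadata, tenant id and service-provider entity ID are constructed placeholders, and request signing (the SigAlg and Signature query parameters the IdP checks against the key from your app's metadata) is left out.

```python
import base64, datetime, uuid, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed stand-in for the federation metadata downloaded from the portal;
# TENANT-ID-PLACEHOLDER marks where the real tenant id appears.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
 </IDPSSODescriptor></EntityDescriptor>"""

def slo_location(metadata_xml):
    """Pick the SingleLogoutService endpoint that uses the HTTP-Redirect binding."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind("md:IDPSSODescriptor/md:SingleLogoutService", MD_NS):
        if svc.get("Binding") == REDIRECT:
            return svc.get("Location")
    raise ValueError("IdP metadata has no HTTP-Redirect SingleLogoutService")

def build_logout_request(issuer, destination, name_id):
    """LogoutRequest XML; name_id must be the value the IdP issued at sign-in."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}" '
            f'Destination="{escape(destination)}">'
            f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
            f'<saml:NameID Format="{PERSISTENT}">{escape(name_id)}</saml:NameID>'
            '</samlp:LogoutRequest>')

def deflate_b64(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def inflate_b64(value):
    """Inverse of deflate_b64, handy for logging what was actually sent."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def slo_redirect_url(metadata_xml, sp_entity_id, name_id):
    """URL to redirect the browser to; urlencode applies the escaping the binding needs."""
    location = slo_location(metadata_xml)
    request = build_logout_request(sp_entity_id, location, name_id)
    return location + "?" + urlencode({"SAMLRequest": deflate_b64(request)})
```

The Destination attribute is taken from the same metadata Location the request is sent to, which is what the IdP checks it against.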


