Azure AD-无缝SSO [英] Azure AD - Seamless SSO

问题描述

我们正在为加入域的设备寻找Seamless SSO.
链接:https://docs.microsoft.com/zh-cn/azure/active-directory/hybrid/how-to-connect-sso


设置看起来非常简单，并且用户体验得到了很大改善.
我对此仍然有些担心，因为我们没有密码同步，也没有ADFS.
我们所有的用户都启用了MFA.

1.如果本地基础结构存在问题怎么办?在这种情况下，您将如何进行身份验证?
2.不创建单点故障吗?
3.永远不会在内部登录并且不知道其内部密码的用户会发生什么
4.您是否仍可以使用Office 365凭据而不是本地凭据登录?

Hi,

We are looking into Seamless SSO for our domain joined devices.
Link: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso


While the setup seems very simple and the user-experience is improved a lot.
I still have some concerns regarding this as we don't have password sync in place and no ADFS.
All our users have MFA enabled.

1. What if there is an issue with the on-premise infrastructure? How will you authenticate in that case?
2. Don't you create a Single Point of Failure?
3. What will happen to users that never login on-premise and don't know their on-prem password
4. Can you still use your Office 365 credentials, rather than the on-prem credentials, to login? Can you use both?

推荐答案

您好，AITu86，

Hi AITu86, 

您是否有未使密码哈希同步生效的原因吗?这与Seamless SSO一起正常工作.
如果密码泄漏，还可以提供见解.

Is there a reason you have not enbled Password hash synchronization? This works fine with Seamless SSO.
And also provides insight if passwords are leaked.

4.您是否仍可以使用Office 365凭据而不是本地凭据登录?可以同时使用吗?
如果您使用Azure AD Connect，则可以使用相同的凭据.

1. What if there is an issue with the on-premise infrastructure? How will you authenticate in that case?
If PTA / ADFS is deployed and unaviable you wont be able to authenticate to Azure AD
2. Don't you create a Single Point of Failure?
You can, but you can also deploy PTA agent to different servers on-prem. You will still have to have working Communication to on-premises though.
3. What will happen to users that never login on-premise and don't know their on-prem password
Use Azure AD Connect to use same credentials on-prem and in Azure AD / Office 365
4. Can you still use your Office 365 credentials, rather than the on-prem credentials, to login? Can you use both?
If you use Azure AD Connect you can use the same credentials. 

https://docs.microsoft. com/zh-CN/azure/security/azure-ad-choose-authn

https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn

下面是今年Ignite的一堂课，讲解了使用PHS/SSO的最佳实践和好处

Below is a session at Ignite from this year that explains best practice and benefits using PHS / SSO

混合身份和访问管理

这篇关于Azure AD-无缝SSO的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！