如何在ADFS上使用openid验证同步的用户？ [英] How to authenticate synced users using openid on ADFS?

问题描述

我有以下情况：

使用 Azure AD Connect 将本地AD同步到AAD。天蓝色门户网站登录将与此本地AD联合。我需要允许这些同步的用户使用oauth2令牌端点 https://login.microsoftonline.com/tenantid.onmicrosoft.com/oauth2/v2.0/token 。为此，我在 App Registrations 上注册了一个应用程序，它对使用Azure门户创建的用户可以正常使用，但不适用于同步本地用户。这里的问题是因为仅用户名被同步，而没有密码。因此，当我向该端点发帖时，我得到一个错误，并说用户名或密码错误。

An on-premise AD synced to AAD using Azure AD Connect. The azure portal login is federated to this on-premise AD. I need to allow these synced users to authenticate in a mobile app using oauth2 token endpoint https://login.microsoftonline.com/tenantid.onmicrosoft.com/oauth2/v2.0/token. To make that possible, I registered an Application on App Registrations, and it´s working fine to the users which are created using the Azure Portal, but it does not work with the synced on-premise users. The problem here is because just the usernames are synced, without the password. So when I make a post to this endpoint I get and error saying that the username or password are wrong.

所以我被困在这里我需要配置什么为了使此工作有效，我已经阅读了许多Microsoft文档，但无法弄清楚该怎么做。

So I´m stuck here in what do I need to configure to make this work, I have read a lot of Microsoft documents but cannot figure out how to do that.

推荐答案

身份验证流程您正在使用的（资源所有者密码凭据）与联盟用户有关。
它有时会起作用，尽管我不太确定为什么。

The authentication flow you are using (Resource Owner Password Credentials) has issues with federated users. It has sometimes worked, though I'm not quite sure why.

您的应用应使用基于重定向的身份验证流程，例如门户。
不应处理用户密码并将其发布到Azure AD。
通过使用在授权码流程中，您的用户可以使用本地帐户/联合帐户/ Microsoft帐户/具有多重身份验证的帐户登录/重置过期密码。
您的应用无需关心用户进行身份验证的操作。

Your app should use a redirect-based authentication flow like the portal. It should not be handling user passwords and posting them to Azure AD. By using e.g. the Authorization Code flow, your users can sign in with a local account / federated account / Microsoft account / account with multi-factor authentication / reset an expired password. Your app does not need to care what the user had to do to authenticate.

使用ROPC流，您的用户无法使用多因素身份验证。
他们也不能重置过期的密码。

With ROPC flow, your users cannot use multi-factor authentication for example. They also cannot reset an expired password.

有关为什么要避免ROPC的更多想法，请参阅我的文章： https://joonasw.net/view/ropc-grant-flow-in-azure-ad

See my article for further thoughts on why to avoid ROPC: https://joonasw.net/view/ropc-grant-flow-in-azure-ad

这篇关于如何在ADFS上使用openid验证同步的用户？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！