How to configure Azure AD SSO programmatically for a gallery-based application?


Question

I need to configure Azure Active Directory SSO for the Tableau Server gallery app programmatically, as it is described under the MS documentation link. Are there useful PowerShell cmdlets / REST APIs?

I create the application from the gallery using the Graph API, following Step 1 of the MS docs. To get the available templates:

GET https://graph.microsoft.com/beta/applicationTemplates

To create the app from a template:

POST https://graph.microsoft.com/beta/applicationTemplates/{id}/instantiate

Now I need to configure SAML SSO from code and assign users. Is there an easy way to do that? I tried Set-AzureADApplication, but it didn't do the job for me: the enterprise application is still not set. Maybe it's not supported yet? I believe there can be some workaround. I would be grateful for any help.

Answer

Are there useful PowerShell cmdlets / REST APIs?

Yes, but per my test, we need to do that in two parts.

1. Set the Sign-on URL. To do this, we need to call Microsoft Graph - Update servicePrincipal.

In the Graph Explorer, use the request below.

PATCH https://graph.microsoft.com/beta/servicePrincipals/<object-id of the service principal>

{
  "loginUrl": "https://azure.signtest.link"
}

Note: In the request above, you need to use the object ID of the service principal (Enterprise application), not that of the AD App (App registration). You can find it in the portal under Azure AD -> Enterprise applications -> find your Tableau Server -> get the Object ID, as shown below.

2. Set the Identifier and Reply URL. We can do this via PowerShell with Set-AzureADApplication.

Example:

$Identifiers = @(
    "http://www.tableau.com/products/server",
    "https://azure.idtest.link"
)
$ReplyUrls = @(
    "https://azure.rptest.link/wg/saml/SSO/index.html"
)
Set-AzureADApplication -ObjectId <object-id of the AD App> -IdentifierUris $Identifiers -ReplyUrls $ReplyUrls 

For the object ID of the AD App, navigate in the portal to Azure AD -> App registrations -> find your Tableau Server. After running the command, the settings will map to the enterprise application.

Check the result in the portal:

Update:

Not sure if it is a bug: if I create a new app without setting the Identifier and Reply URL manually in the portal, and then just use the PowerShell above to set them, they will not show up in the portal.

But if we check the service principal (enterprise application) directly via Microsoft Graph, we can see that the PowerShell actually did affect the service principal.

If we configure the settings manually in the portal first, then use the PowerShell to update them with other values, it works.

And it looks like there is no way to set the Default Reply URL via PowerShell or the API; if we set a Reply URL that differs from the one set manually in the portal, we get a prompt like the one below.

But if we look into it, the Default option is actually checked.

Update 2:

Eventually I found the trick. It is not a bug: we just need to set preferredSingleSignOnMode for the service principal first via Microsoft Graph, and then we no longer need to configure it in the portal manually.

Example:

PATCH https://graph.microsoft.com/beta/servicePrincipals/<object-id of the service principal>

{
  "preferredSingleSignOnMode":"saml",
  "loginUrl": "https://azure.signtest.link"
}
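The following script is an added example, not code from the question or the answer above. It chains the Graph calls the thread arrives at into one procedure, in the order the answer's Update 2 found to work: instantiate the gallery template, set preferredSingleSignOnMode and loginUrl on the service principal first, then set the identifier and reply URLs on the application object (the Graph equivalent of the Set-AzureADApplication call), and finally assign users with appRoleAssignedTo, which the question asked about but the answer did not cover. The template ID, the user object IDs and the DryRunSender's canned IDs are placeholders; the role-selection rule in pick_app_role (first enabled role that allows User members, otherwise the all-zero "default access" role) is an assumption about how gallery apps expose their roles. Running it with a real token requires Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All.

```python
# Added example: end-to-end SAML SSO setup for a gallery app via Microsoft Graph.
# Endpoints used: applicationTemplates/{id}/instantiate, PATCH servicePrincipals/{id},
# PATCH applications/{id}, POST servicePrincipals/{id}/appRoleAssignedTo.
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"
# Graph's "default access" role, used when the service principal defines no app roles.
DEFAULT_ACCESS_ROLE = "00000000-0000-0000-0000-000000000000"


def graph_sender(access_token):
    """Return a send(method, url, body) callable that talks to Graph over HTTPS."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:   # raises HTTPError on 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else {}       # PATCH answers 204 with no body
    return send


class DryRunSender:
    """Offline stand-in for graph_sender: records every request and returns
    canned, Graph-shaped responses so the call sequence can be reviewed
    (or unit-tested) before a real token is used. IDs are constructed."""
    def __init__(self, app_roles=None):
        self.calls = []
        self.app_id = "11111111-1111-1111-1111-111111111111"
        self.sp_id = "22222222-2222-2222-2222-222222222222"
        self.app_roles = app_roles or []

    def __call__(self, method, url, body=None):
        self.calls.append((method, url, body))
        if url.endswith("/instantiate"):
            return {"application": {"id": self.app_id},
                    "servicePrincipal": {"id": self.sp_id, "appRoles": self.app_roles}}
        if url.endswith("/appRoleAssignedTo"):
            return {"id": f"assignment-{len(self.calls)}", **body}
        return {}


def pick_app_role(service_principal):
    """Assumption: use the first enabled app role that allows User members,
    otherwise fall back to Graph's default-access role."""
    for role in service_principal.get("appRoles", []):
        if role.get("isEnabled", True) and "User" in role.get("allowedMemberTypes", []):
            return role["id"]
    return DEFAULT_ACCESS_ROLE


def configure_gallery_saml_app(send, template_id, display_name, login_url,
                               identifier_uris, reply_urls, user_object_ids):
    # Step 1: instantiate the gallery template. The response carries both the
    # application (app registration) and the service principal (enterprise
    # application); they have different object IDs, as the answer stresses.
    inst = send("POST", f"{GRAPH}/applicationTemplates/{template_id}/instantiate",
                {"displayName": display_name})
    app_id = inst["application"]["id"]
    sp = inst["servicePrincipal"]
    sp_id = sp["id"]

    # Step 2: set the SSO mode and sign-on URL on the service principal FIRST.
    # Without preferredSingleSignOnMode the URLs set in step 3 do not map into
    # the portal's SAML configuration (the answer's Update 2).
    send("PATCH", f"{GRAPH}/servicePrincipals/{sp_id}",
         {"preferredSingleSignOnMode": "saml", "loginUrl": login_url})

    # Step 3: identifier (entity ID) and reply (ACS) URLs live on the application
    # object; this is what Set-AzureADApplication -IdentifierUris/-ReplyUrls sets.
    send("PATCH", f"{GRAPH}/applications/{app_id}",
         {"identifierUris": list(identifier_uris),
          "web": {"redirectUris": list(reply_urls)}})

    # Step 4: assign users, one app role assignment per user.
    role_id = pick_app_role(sp)
    assignments = [
        send("POST", f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignedTo",
             {"principalId": uid, "resourceId": sp_id, "appRoleId": role_id})
        for uid in user_object_ids
    ]
    return {"applicationId": app_id, "servicePrincipalId": sp_id,
            "appRoleId": role_id, "assignments": assignments}


if __name__ == "__main__":
    # Dry run with the answer's sample URLs and placeholder IDs; prints the
    # exact request sequence that graph_sender(token) would send.
    sender = DryRunSender()
    result = configure_gallery_saml_app(
        sender, "<tableau-server-template-id>", "Tableau Server",
        "https://azure.signtest.link",
        ["http://www.tableau.com/products/server", "https://azure.idtest.link"],
        ["https://azure.rptest.link/wg/saml/SSO/index.html"],
        ["<user-object-id>"])
    for method, url, body in sender.calls:
        print(method, url, json.dumps(body))
    print(result)
```

Swap DryRunSender for graph_sender(token) to run it for real; the dry run is worth keeping as a pre-flight check that the service-principal PATCH is issued before the application PATCH, since that ordering is the whole point of the answer's Update 2.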

