在Azure AD多租户应用上登录的自定义品牌 [英] Custom Branding for Login on a Azure AD Multi-Tenant App
问题描述
问题:如何自定义Azure AD应用程序登录页面的品牌? (请注意:不我的组织的登录页面;请参见下文)
Question: How can I custom brand my Azure AD application login page? (note: NOT my org's login page; see below)
我在Azure中托管了一个Web应用程序,用户可以在其中使用在应用程序内创建和管理的帐户登录.由于许多大型组织都在使用我的应用程序,因此我增加了客户也可以使用由其组织管理的帐户登录的功能(单点登录).这是使用Azure Active Directory完成的,该目录将本地AD帐户同步到进行云身份验证的Azure中.由于许多组织都使用各自独立的AD来使用此应用程序,因此我在Azure中以多租户身份创建了Active Directory应用程序.完成所有这些操作后,新的登录过程可以完美运行,但是,我无法弄清楚如何为Microsoft托管应用程序登录页面打上烙印.
I have a web application hosted in Azure where users can log in using accounts that are created and managed within the application. Since my application is used by many big organizations, I have added the capability for customers to also sign in using their account that's managed by their organization (single sign on). This was done using Azure Active Directory, which syncs the local AD accounts into Azure where cloud authentication occurs. Since this application is used by many organizations all with their own separate ADs, I created the Active Directory application within Azure as multi-tenanted. With all of this done, the new login process works perfectly, however, I can't figure out how to brand the Microsoft hosted application sign in page.
请记住,应用程序登录页面和组织的租户登录页面之间是有区别的.关于如何为组织的租户登录页面打上商标,但没有应用程序登录页面打上商标,则有足够的文档.考虑应用程序流程以了解差异:
Please keep in mind the distinction between the application login page and the organization's tenant login page. There is ample documentation about how to brand the organization's tenant login page, but not the application login page. Consider the application flow to understand the difference:
-
用户转到我的应用程序的登录页面,然后选择使用您现有的组织帐户登录".
User goes to my app's login page, and chooses "Login with your existing organization account".
用户被重定向到我的应用程序的Microsoft托管登录页面 .在这一点上,Microsoft/Azure Ad仅知道该应用程序是针对哪个应用程序的.它尚不知道谁在登录或他们属于哪个租户(组织). 这是我需要帮助品牌化的登录页面(徽标和页面背景).
The user is redirected to a Microsoft hosted login page for my application. At this point, Microsoft/Azure Ad only knows which application this is for; it doesn't yet know who is logging in or which tenant (organization) they belong to. This is the login page I need help branding (logo & page background).
在用户输入电子邮件地址之后(甚至在输入密码之前),用户将被重定向到另一个登录页面-用户组织(即其租户)的登录页面.此页面显示该组织的自定义品牌(如果已设置). 这不是我要标记的登录页面;
After the user enters their email address (and even before they enter their password), the user is redirected to a different login page--the login page for the user's organization (i.e. their tenant). This page shows that organization's custom branding if it was setup. This is not the login page I wish to brand; it is my customer's responsibility to brand their org if they desire.
用户在组织的登录页面上输入密码后,用户将提交表单.然后,Azure成功地对它们进行身份验证,并将其重定向回我的应用程序中,现在它们也已通过身份验证.
After the user enters their password on their organization's login page, the user submits the form. Azure then successfully authenticates them and redirects them back to my application where they are now authenticated as well.
注意:这应该是可能的,因为您可以看到Microsoft也在其所有云应用程序(Office 365,Visual Studio,Azure门户)上都这样做了
NOTE: this should be possible as you can see Microsoft is doing it on all of their cloud apps as well (Office 365, Visual Studio, Azure Portal)
注意:这个问题是在3年前提出的,但仅给出了1个错误的答案,自那时以来,Azure和Azure AD发生了翻天覆地的变化.请参阅: Azure Active Directory自定义品牌登录页面不适用于第三方应用程序.另外,Microsoft文档仅涵盖租户登录页面的品牌,而不涉及我所寻求的应用程序登录页面.请参阅: https://docs. microsoft.com/en-us/azure/active-directory/active-directory-add-company-branding .
NOTE: this question was asked over 3 years ago, but only 1 misdirected answer was given, and Azure and Azure AD has changed drastically since then. See: Azure Active Directory Custom Branded login page dont work with third party application. Also, the Microsoft documentation only covers the branding of the tenant login page, not the application login page like I am seeking. See: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-add-company-branding.
推荐答案
您观察到的内容仅适用于Microsoft拥有的应用程序. 客户只能为他们的组织登录页面打上烙印. 但是,您可以做的是将用户重定向到您的组织登录页面.然后,用户将首先看到的是您的公司品牌.输入登录名后,他们可能会看到其自定义组织登录页面(如果组织已自定义登录体验). 如果您需要查看此类功能(每个应用程序自定义登录页面),则可以在UserVoice网站上创建功能请求- http://mygreatwindowsazureidea.com/
What you observe is only possible for Microsoft owned applications. The customers can only brand their organisation login page. What you can do however, is to redirect the user to your org login page. Then the first thing the user will see is your company branding. After they enter their login name, they may see their custom org login page (if the organisation has customized the login experience). If you such a feature (per app custom login page) is something worth looking at, you can create a feature request on the UserVoice site - http://mygreatwindowsazureidea.com/
请注意-目前,每个应用程序的自定义登录页面仅可通过自定义策略实现在Azure AD B2C上使用.
Just as a note - per app custom login page is today only possible on Azure AD B2C via custom policy implementation.
这篇关于在Azure AD多租户应用上登录的自定义品牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
