Azure AD: How to pass user extension attributes to a multi-tenant app


Question

In Azure AD I have a multi-tenant Enterprise Application and App registration that are accessed through SAML2. I receive a limited set of user attributes, including tenant ID, email, first name and last name. But the organisation that the user belongs to has defined extension attributes in their on-premises AD that I want to consume in my application. I would also like to receive the jobTitle and department in the application. The organisation says they have set up synchronisation of the attributes from their on-premises AD to Azure.

I have added the attributes I want under the Enterprise Application -> Single sign-on -> User Attributes and Claims -> Additional claims. But I am obviously still missing some configuration somewhere, because they do not appear in the SAML2 token.

Which API permissions do I need to grant my application to pass these attributes through to the SAML2 token? Do I need to add something else to map these attributes?

Answer

When you set up a multi-tenant app, when your client's users / tenant sign in, it actually creates an "enterprise application" (service principal) in their tenant for your app. https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent

As per that, your client would have to go into the SSO (SAML) setup screens for your app in their own tenant and customize the claims that they will emit to your application. It doesn't matter if you add the attribute claims to your own SSO setup; that's for your tenant, not theirs.
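Since the claims are configured in the customer's tenant, the quickest way to confirm what that tenant actually emits is to inspect the SAML response your application receives. The following is an added example (not part of the question or answer, and not Azure AD's own tooling) that lists the attribute claims in a response and reports which expected ones are absent; the names `jobTitle` and `department` are assumed, and must match whatever the customer configured under Additional claims.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD's default claim names plus the two extra ones from the question.
# "jobTitle" / "department" are assumed names: they must match what the
# customer's tenant configured under Additional claims.
EXPECTED_CLAIMS = [
    "http://schemas.microsoft.com/identity/claims/tenantid",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "jobTitle",
    "department",
]

def extract_attributes(saml_response_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its values (inspection only, no signature check)."""
    root = ET.fromstring(saml_response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def missing_claims(saml_response_xml: str, expected=EXPECTED_CLAIMS) -> list:
    """Names from `expected` that the issuing tenant did not emit."""
    present = extract_attributes(saml_response_xml)
    return [name for name in expected if name not in present]

# Constructed sample: a response carrying only Azure AD's default claims.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Ada</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Lovelace</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Running `missing_claims(SAMPLE_RESPONSE)` on the sample returns `['jobTitle', 'department']`, i.e. exactly the situation in the question, where the customer's tenant has not yet added the extra claims.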

