Single sign-on session management in Azure Active Directory B2C

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

Single sign-on (SSO) session management uses the same semantics as any other technical profile in custom policies. When an orchestration step is executed, the technical profile associated with the step is queried for a UseTechnicalProfileForSessionManagement reference. If one exists, the referenced SSO session provider is checked to see whether the user is a session participant. If so, the SSO session provider is used to repopulate the session. Similarly, when the execution of an orchestration step is complete, the provider is used to store information in the session, if an SSO session provider has been specified.

Azure AD B2C has defined a number of SSO session providers that can be used:

Session provider | Scope
--- | ---
NoopSSOSessionProvider | None
DefaultSSOSessionProvider | Azure AD B2C internal session manager.
ExternalLoginSSOSessionProvider | Between Azure AD B2C and an OAuth1, OAuth2, or OpenID Connect identity provider.
OAuthSSOSessionProvider | Between an OAuth2 or OpenID Connect relying party application and Azure AD B2C.
SamlSSOSessionProvider | Between Azure AD B2C and a SAML identity provider, and between a SAML service provider (relying party application) and Azure AD B2C.

SSO management classes are specified using the <UseTechnicalProfileForSessionManagement ReferenceId="{ID}" /> element of a technical profile.

Input claims

The InputClaims element is empty or absent.

Persisted claims

Claims that need to be returned to the application or used by preconditions in subsequent steps should be stored in the session or augmented by a read from the user's profile in the directory. Using persisted claims ensures that your authentication journeys won't fail on missing claims. To add claims to the session, use the <PersistedClaims> element of the technical profile. When the provider is used to repopulate the session, the persisted claims are added to the claims bag.

Output claims

The <OutputClaims> element is used for retrieving claims from the session.
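The query/repopulate/execute/persist cycle described above, together with the role of persisted and output claims, is easier to see in a small runnable model. The following Python is an added illustration, not code from this page or from the Azure AD B2C engine: the SessionProvider, Step and SessionStore classes, the step bodies and claim values, the point at which the ClaimsExist precondition is evaluated relative to repopulation, and the treatment of an OutputClaim DefaultValue as a marker that the session was reused are all assumptions of the model. The providers are shaped like the SM-AAD, SM-MFA and SM-Noop profiles shown later on this page.

```python
"""Simplified model of an SSO session provider's role in an orchestration
step: query the provider, repopulate the claims bag if the user is a session
participant, run the step, then persist claims.  Added illustration, not
Azure AD B2C engine code; classes, sample values and ordering are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

NOOP_HANDLER = "Web.TPEngine.SSO.NoopSSOSessionProvider"
DEFAULT_HANDLER = "Web.TPEngine.SSO.DefaultSSOSessionProvider"


@dataclass
class SessionProvider:
    """An SM-* technical profile: Handler, PersistedClaims and OutputClaims."""
    id: str
    handler: str
    persisted_claims: List[str] = field(default_factory=list)
    output_claims: Dict[str, str] = field(default_factory=dict)  # claim -> DefaultValue


@dataclass
class Step:
    """An orchestration step: the profile body, its UseTechnicalProfileForSessionManagement
    reference, and a ClaimsExist precondition that skips the body when the claim is present."""
    id: str
    body: Callable[[Dict[str, str]], Dict[str, str]]
    session_provider: Optional[SessionProvider] = None
    skip_if_claim_exists: Optional[str] = None


class SessionStore:
    """In-memory stand-in for the B2C SSO session, keyed by provider id."""

    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, str]] = {}

    def is_participant(self, provider_id: str) -> bool:
        return provider_id in self._data

    def load(self, provider_id: str) -> Dict[str, str]:
        return dict(self._data[provider_id])

    def store(self, provider_id: str, claims: Dict[str, str]) -> None:
        self._data[provider_id] = dict(claims)


def execute_step(step: Step, bag: Dict[str, str], session: SessionStore) -> str:
    """Run one orchestration step against the claims bag; return 'executed' or 'skipped'."""
    prov = step.session_provider
    active = prov is not None and prov.handler != NOOP_HANDLER  # Noop suppresses SSO
    # 1. Query the referenced provider; if the user is a participant, repopulate.
    if active and session.is_participant(prov.id):
        bag.update(session.load(prov.id))   # persisted claims return to the claims bag
        bag.update(prov.output_claims)      # modelled: OutputClaim DefaultValue marks session reuse
    # 2. Precondition: a claim already in the bag lets the interactive body be skipped.
    if step.skip_if_claim_exists and step.skip_if_claim_exists in bag:
        outcome = "skipped"
    else:
        bag.update(step.body(bag))
        outcome = "executed"
    # 3. On completion, the provider stores the PersistedClaims in the session.
    if active:
        session.store(prov.id, {c: bag[c] for c in prov.persisted_claims if c in bag})
    return outcome


# Providers shaped like the SM-AAD, SM-MFA and SM-Noop profiles on this page.
SM_AAD = SessionProvider("SM-AAD", DEFAULT_HANDLER,
                         ["objectId", "signInName", "authenticationSource"],
                         {"objectIdFromSession": "true"})
SM_MFA = SessionProvider("SM-MFA", DEFAULT_HANDLER,
                         ["Verified.strongAuthenticationPhoneNumber"],
                         {"isActiveMFASession": "true"})
SM_NOOP = SessionProvider("SM-Noop", NOOP_HANDLER)


# Constructed step bodies standing in for the interactive pages and the directory read.
def local_sign_in(bag: Dict[str, str]) -> Dict[str, str]:
    return {"objectId": "00000000-0000-0000-0000-000000000001",
            "signInName": "alice@example.com",
            "authenticationSource": "localAccountAuthentication"}


def phone_verification(bag: Dict[str, str]) -> Dict[str, str]:
    return {"Verified.strongAuthenticationPhoneNumber": "+1 555 0100"}


def read_profile(bag: Dict[str, str]) -> Dict[str, str]:
    return {"displayName": "Alice"}


JOURNEY = [
    Step("LocalAccountSignIn", local_sign_in, SM_AAD, skip_if_claim_exists="objectId"),
    Step("PhoneFactor", phone_verification, SM_MFA, skip_if_claim_exists="isActiveMFASession"),
    Step("AAD-UserRead", read_profile, SM_NOOP),
]


def run_journey(session: SessionStore):
    """Execute the journey once; return (claims bag, per-step outcomes)."""
    bag: Dict[str, str] = {}
    return bag, [execute_step(s, bag, session) for s in JOURNEY]


if __name__ == "__main__":
    store = SessionStore()
    _, first = run_journey(store)        # fresh browser: every step executes
    bag2, second = run_journey(store)    # returning user: sign-in and MFA skipped
    print(first, second, bag2.get("objectIdFromSession"))
```

The first journey executes every step and leaves objectId, signInName and the verified phone number in the store; the second journey finds the user is a participant of both SM-AAD and SM-MFA, repopulates those claims, sets objectIdFromSession and isActiveMFASession, and the preconditions skip the sign-in and MFA pages. The SM-Noop step stores nothing, so the directory read runs every time.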

Session providers

NoopSSOSessionProvider

As the name suggests, this provider does nothing. It can be used to suppress SSO behavior for a specific technical profile.

<TechnicalProfile Id="SM-Noop">
  <DisplayName>Noop Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</TechnicalProfile>

DefaultSSOSessionProvider

This provider can be used for storing claims in a session. It is typically referenced in a technical profile used for managing local and federated accounts.

<TechnicalProfile Id="SM-AAD">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="signInName" />
    <PersistedClaim ClaimTypeReferenceId="authenticationSource" />
    <PersistedClaim ClaimTypeReferenceId="identityProvider" />
    <PersistedClaim ClaimTypeReferenceId="newUser" />
    <PersistedClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectIdFromSession" DefaultValue="true"/>
  </OutputClaims>
</TechnicalProfile>

This technical profile manages the multi-factor authentication session.

<TechnicalProfile Id="SM-MFA">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isActiveMFASession" DefaultValue="true"/>
  </OutputClaims>
</TechnicalProfile>

ExternalLoginSSOSessionProvider

This provider is used to suppress the "choose identity provider" screen and to sign out from a federated identity provider. It is typically referenced in a technical profile configured for a federated identity provider, such as Azure Active Directory.

<TechnicalProfile Id="SM-SocialLogin">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="AlwaysFetchClaimsFromProvider">true</Item>
  </Metadata>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="AlternativeSecurityId" />
  </PersistedClaims>
</TechnicalProfile>

Metadata

Attribute | Required | Description
--- | --- | ---
AlwaysFetchClaimsFromProvider | No | Not currently used; can be ignored.

OAuthSSOSessionProvider

This provider is used for managing the Azure AD B2C sessions between an OAuth2 or OpenID Connect relying party and Azure AD B2C.

<TechnicalProfile Id="SM-jwt-issuer">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</TechnicalProfile>

SamlSSOSessionProvider

This provider is used for managing the Azure AD B2C SAML sessions between Azure AD B2C and either a relying party application or a federated SAML identity provider. When using the SSO provider for storing a SAML identity provider session, RegisterServiceProviders must be set to false. The following SM-Saml-idp technical profile is used by the SAML identity provider technical profile.

<TechnicalProfile Id="SM-Saml-idp">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="RegisterServiceProviders">false</Item>
  </Metadata>
</TechnicalProfile>

When using the provider for storing the B2C SAML session, RegisterServiceProviders must be set to true. SAML session logout requires the SessionIndex and NameID to complete.

The following SM-Saml-issuer technical profile is used by the SAML issuer technical profile.

<TechnicalProfile Id="SM-Saml-issuer">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
</TechnicalProfile>

Metadata

Attribute | Required | Description
--- | --- | ---
IncludeSessionIndex | No | Not currently used; can be ignored.
RegisterServiceProviders | No | Indicates that the provider should register all SAML service providers that have been issued an assertion. Possible values: true (default) or false.
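Because the UseTechnicalProfileForSessionManagement reference, the empty-InputClaims rule and the RegisterServiceProviders requirement for SamlSSOSessionProvider are all easy to get wrong in a hand-edited policy, a static check before upload is worth having. The following Python script is an added example, not part of the Azure AD B2C tooling: it parses a policy fragment with xml.etree and applies the rules stated on this page. The sample policy is constructed for the demonstration, and the way it tells the two SAML roles apart (a technical profile carrying <OutputTokenFormat>SAML2</OutputTokenFormat> is treated as the SAML issuer, a Protocol Name="SAML2" profile without it as a SAML identity provider) is a heuristic of this script.

```python
"""Static checks for session-management wiring in a B2C custom policy, applying
the rules stated on this page.  Added example, not Azure AD B2C tooling; the
sample policy is constructed here.  Heuristic of this script: a technical
profile with <OutputTokenFormat>SAML2</OutputTokenFormat> is the SAML issuer,
a Protocol Name="SAML2" profile without it is a SAML identity provider."""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"b": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
SSO_PREFIX = "Web.TPEngine.SSO."
SAML_SSO = "Web.TPEngine.SSO.SamlSSOSessionProvider"


def _handler(tp: ET.Element) -> str:
    proto = tp.find("b:Protocol", NS)
    return (proto.get("Handler") or "") if proto is not None else ""


def _metadata(tp: ET.Element) -> Dict[str, str]:
    return {i.get("Key"): (i.text or "").strip() for i in tp.findall("b:Metadata/b:Item", NS)}


def check_session_management(policy_xml: str) -> List[str]:
    """Return findings for every UseTechnicalProfileForSessionManagement reference."""
    root = ET.fromstring(policy_xml)
    profiles = {tp.get("Id"): tp for tp in root.iter("{%s}TechnicalProfile" % NS["b"])}
    findings: List[str] = []
    for tp_id, tp in profiles.items():
        ref = tp.find("b:UseTechnicalProfileForSessionManagement", NS)
        if ref is None:
            continue
        sm_id = ref.get("ReferenceId")
        sm = profiles.get(sm_id)
        if sm is None:
            findings.append(f"{tp_id}: session provider '{sm_id}' is not defined")
            continue
        handler = _handler(sm)
        if not handler.startswith(SSO_PREFIX):
            findings.append(f"{tp_id}: '{sm_id}' is not an SSO session provider ({handler})")
            continue
        if sm.findall("b:InputClaims/b:InputClaim", NS):   # InputClaims must be empty or absent
            findings.append(f"{sm_id}: session providers take no InputClaims")
        if handler.startswith(SAML_SSO):
            proto = tp.find("b:Protocol", NS)
            fmt = tp.find("b:OutputTokenFormat", NS)
            is_issuer = fmt is not None and (fmt.text or "").strip() == "SAML2"
            reg = _metadata(sm).get("RegisterServiceProviders", "true").lower()  # default is true
            if proto is not None and proto.get("Name") == "SAML2":
                if is_issuer and reg != "true":
                    findings.append(f"{sm_id}: B2C SAML (issuer) session needs RegisterServiceProviders=true")
                if not is_issuer and reg != "false":
                    findings.append(f"{sm_id}: SAML identity provider session needs RegisterServiceProviders=false")
    return findings


# Constructed policy fragment: a SAML identity provider, the SAML issuer and a
# local sign-in profile, each wired to a session provider from this page.
GOOD_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="SM-Saml-idp">
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata><Item Key="RegisterServiceProviders">false</Item></Metadata>
    </TechnicalProfile>
    <TechnicalProfile Id="SM-Saml-issuer">
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>
    <TechnicalProfile Id="SM-AAD">
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <PersistedClaims><PersistedClaim ClaimTypeReferenceId="objectId" /></PersistedClaims>
    </TechnicalProfile>
    <TechnicalProfile Id="Contoso-SAML2">
      <Protocol Name="SAML2" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
    </TechnicalProfile>
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <Protocol Name="SAML2" />
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
    </TechnicalProfile>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

# Two deliberate mistakes: the identity provider profile reuses the issuer's session
# provider (RegisterServiceProviders then defaults to true) and the issuer points at a
# profile that does not exist.
BAD_POLICY = (GOOD_POLICY
              .replace('ReferenceId="SM-Saml-issuer"', 'ReferenceId="SM-Missing"')
              .replace('ReferenceId="SM-Saml-idp"', 'ReferenceId="SM-Saml-issuer"'))

if __name__ == "__main__":
    print("good:", check_session_management(GOOD_POLICY))
    print("bad:", check_session_management(BAD_POLICY))
```

Run against a real policy file, read the XML with open(...).read() and pass it to check_session_management; an empty list means every session-management reference resolves to an SSO provider with no input claims and the SAML providers carry the RegisterServiceProviders value their role requires.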

Next steps