Define Trust Frameworks with Azure AD B2C Identity Experience Framework

Azure Active Directory B2C (Azure AD B2C) custom policies that use the Identity Experience Framework provide your organization with a centralized service. This service reduces the complexity of identity federation in a large community of interest. The complexity is reduced to a single trust relationship and a single metadata exchange.

Azure AD B2C custom policies use the Identity Experience Framework to enable you to answer the following questions:

  • What are the legal, security, privacy, and data protection policies that must be adhered to?
  • Who are the contacts and what are the processes for becoming an accredited participant?
  • Who are the accredited identity information providers (also known as "claims providers") and what do they offer?
  • Who are the accredited relying parties (and optionally, what do they require)?
  • What are the technical “on the wire” interoperability requirements for participants?
  • What are the operational “runtime” rules that must be enforced for exchanging digital identity information?

To answer all these questions, Azure AD B2C custom policies that use the Identity Experience Framework use the Trust Framework (TF) construct. Let’s consider this construct and what it provides.

Understand the Trust Framework and federation management foundation

The Trust Framework is a written specification of the identity, security, privacy, and data protection policies to which participants in a community of interest must conform.

Federated identity provides a basis for achieving end-user identity assurance at Internet scale. By delegating identity management to third parties, a single digital identity for an end user can be reused with multiple relying parties.

Identity assurance requires that identity providers (IdPs) and attribute providers (AtPs) adhere to specific security, privacy, and operational policies and practices. If they can't perform direct inspections, relying parties (RPs) must develop trust relationships with the IdPs and AtPs they choose to work with.

As the number of consumers and providers of digital identity information grows, it's difficult to continue pairwise management of these trust relationships, or even the pairwise exchange of the technical metadata that's required for network connectivity. Federation hubs have achieved only limited success at solving these problems.

What a Trust Framework specification defines

TFs are the linchpins of the Open Identity Exchange (OIX) Trust Framework model, where each community of interest is governed by a particular TF specification. Such a TF specification defines:

  • The security and privacy metrics for the community of interest, with the definition of:

    • The levels of assurance (LOA) that are offered/required by participants; for example, an ordered set of confidence ratings for the authenticity of digital identity information.
    • The levels of protection (LOP) that are offered/required by participants; for example, an ordered set of confidence ratings for the protection of digital identity information that's handled by participants in the community of interest.
  • The description of the digital identity information that's offered/required by participants.

  • The technical policies for production and consumption of digital identity information, and thus for measuring LOA and LOP. These written policies typically include the following categories of policies:

    • Identity proofing policies, for example: How strongly is a person’s identity information vetted?
    • Security policies, for example: How strongly are information integrity and confidentiality protected?
    • Privacy policies, for example: What control does a user have over personally identifiable information (PII)?
    • Survivability policies, for example: If a provider ceases operations, how are continuity and protection of PII maintained?
  • The technical profiles for production and consumption of digital identity information. These profiles include:

    • Scope interfaces for which digital identity information is available at a specified LOA.
    • Technical requirements for on-the-wire interoperability.
  • The descriptions of the various roles that participants in the community can perform and the qualifications that are required to fulfill these roles.

Thus a TF specification governs how identity information is exchanged between the participants of the community of interest: relying parties, identity and attribute providers, and attribute verifiers.

A TF specification is one or more documents that serve as a reference for the governance of the community of interest and that regulate the assertion and consumption of digital identity information within the community. It's a documented set of policies and procedures designed to establish trust in the digital identities that are used for online transactions between members of a community of interest.

In other words, a TF specification defines the rules for creating a viable federated identity ecosystem for a community.

Currently there's widespread agreement on the benefit of such an approach. There's no doubt that trust framework specifications facilitate the development of digital identity ecosystems with verifiable security, assurance, and privacy characteristics, meaning that they can be reused across multiple communities of interest.

For that reason, Azure AD B2C custom policies that use the Identity Experience Framework use the specification as the basis of their data representation for a TF, to facilitate interoperability.

Azure AD B2C custom policies that leverage the Identity Experience Framework represent a TF specification as a mixture of human-readable and machine-readable data. Some sections of this model (typically sections that are more oriented toward governance) are represented as references to published security and privacy policy documentation along with the related procedures (if any). Other sections describe in detail the configuration metadata and runtime rules that facilitate operational automation.

Understand Trust Framework policies

In terms of implementation, the TF specification consists of a set of policies that allow complete control over identity behaviors and experiences. Azure AD B2C custom policies that leverage the Identity Experience Framework enable you to author and create your own TF through such declarative policies, which can define and configure:

  • The document reference or references that define the federated identity ecosystem of the community that relates to the TF. They are links to the TF documentation.

  • The (predefined) operational “runtime” rules, or the user journeys that automate and/or control the exchange and usage of the claims. These user journeys are associated with a LOA (and a LOP). A policy can therefore have user journeys with varying LOAs (and LOPs).

  • The identity and attribute providers, or the claims providers, in the community of interest and the technical profiles they support, along with the (out-of-band) LOA/LOP accreditation that relates to them.

  • The integration with attribute verifiers or claims providers.

  • The relying parties in the community (by inference).

  • The metadata for establishing network communications between participants. This metadata, along with the technical profiles, is used during a transaction to plumb “on the wire” interoperability between the relying party and other community participants.

  • The protocol conversion, if any (for example, SAML 2.0, OAuth2, WS-Federation, and OpenID Connect).

  • The authentication requirements.

  • The multifactor orchestration, if any.

  • A shared schema for all the claims that are available and mappings to participants of a community of interest.

  • All the claims transformations, along with the possible data minimization in this context, to sustain the exchange and usage of the claims.

  • The binding and encryption.

  • The claims storage.
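As an added example (not code from this page or from Microsoft's starter pack), the following minimal custom policy shows how the items listed above, and the user journeys and protocol profiles discussed later on this page, map onto the TrustFrameworkPolicy XML that the Identity Experience Framework consumes: a shared claims schema, a claims transformation, one claims provider with a technical profile for an external OpenID Connect identity provider, a user journey that orchestrates the claims exchange, and a relying party section that selects the journey and limits which claims are released. The tenant name, policy ids, the provider's metadata URL and client id, the key container name and the claim names are assumed placeholders; the `JwtIssuer` token-issuing technical profile is assumed to be inherited from a base policy, as in Microsoft's starter pack.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added illustration, not from the page: a minimal Azure AD B2C custom policy.
     Tenant, policy ids, metadata URL, client id, key container and claim names
     are assumed placeholders. -->
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="contoso-example.onmicrosoft.com"
  PolicyId="B2C_1A_Example_PartnerSignIn"
  PublicPolicyUri="http://contoso-example.onmicrosoft.com/B2C_1A_Example_PartnerSignIn">

  <!-- Inherit the token issuer and session profiles from the base policy
       (assumed to exist, as in Microsoft's starter pack). -->
  <BasePolicy>
    <TenantId>contoso-example.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>

  <BuildingBlocks>
    <!-- Shared claims schema: the vocabulary every participant maps onto. -->
    <ClaimsSchema>
      <ClaimType Id="email">
        <DisplayName>Email address</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
      <ClaimType Id="issuerUserId">
        <DisplayName>Identifier at the external provider</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
      <ClaimType Id="authenticationSource">
        <DisplayName>Authentication source</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
    </ClaimsSchema>
    <!-- Claims transformation: records which provider authenticated the user,
         so the relying party can reason about the LOA of the exchange. -->
    <ClaimsTransformations>
      <ClaimsTransformation Id="SetAuthenticationSourceToPartner" TransformationMethod="CreateStringClaim">
        <InputParameters>
          <InputParameter Id="value" DataType="string" Value="partnerIdp" />
        </InputParameters>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="authenticationSource" TransformationClaimType="createdClaim" />
        </OutputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>

  <!-- Claims provider: an accredited external IdP, reached over OpenID Connect.
       The technical profile carries the "on the wire" metadata. -->
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Partner identity provider (assumed)</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="PartnerIdp-OpenIdConnect">
          <DisplayName>Partner IdP</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <Metadata>
            <!-- Placeholder discovery document of the partner IdP. -->
            <Item Key="METADATA">https://idp.example.test/.well-known/openid-configuration</Item>
            <Item Key="client_id">PLACEHOLDER-CLIENT-ID</Item>
            <Item Key="response_types">code</Item>
            <Item Key="scope">openid email</Item>
            <Item Key="response_mode">form_post</Item>
            <Item Key="HttpBinding">POST</Item>
          </Metadata>
          <CryptographicKeys>
            <!-- The client secret lives in a policy key container, never inline. -->
            <Key Id="client_secret" StorageReferenceId="B2C_1A_PartnerIdpSecret" />
          </CryptographicKeys>
          <!-- Mapping from the partner's claim names onto the shared schema. -->
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="SetAuthenticationSourceToPartner" />
          </OutputClaimsTransformations>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>

  <!-- User journey: the runtime rules that orchestrate the claims exchange. -->
  <UserJourneys>
    <UserJourney Id="PartnerSignIn">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="PartnerIdpExchange" TechnicalProfileReferenceId="PartnerIdp-OpenIdConnect" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Issue the token; JwtIssuer is assumed to come from the base policy. -->
        <OrchestrationStep Order="2" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>

  <!-- Relying party: selects the journey and minimizes the claims released.
       Only the claims listed here reach the application. -->
  <RelyingParty>
    <DefaultUserJourney ReferenceId="PartnerSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

The relying party invokes this TF by policy name (`B2C_1A_Example_PartnerSignIn`); swapping the partner IdP, adding a second claims provider, or changing which claims are released is a change to this document, not to the relying party application, which is the decoupling the page describes.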

Understand claims

Note

We collectively refer to all the possible types of identity information that might be exchanged as "claims": claims about an end user’s authentication credential, identity vetting, communication device, physical location, personally identifying attributes, and so on.

We use the term "claims", rather than "attributes", because in online transactions these data artifacts are not facts that can be directly verified by the relying party. Rather, they're assertions, or claims, about facts for which the relying party must develop sufficient confidence to grant the end user’s requested transaction.

We also use the term "claims" because Azure AD B2C custom policies that use the Identity Experience Framework are designed to simplify the exchange of all types of digital identity information in a consistent manner, regardless of whether the underlying protocol is defined for user authentication or attribute retrieval. Likewise, we use the term "claims providers" to collectively refer to identity providers, attribute providers, and attribute verifiers when we do not want to distinguish between their specific functions.

Thus the policies govern how identity information is exchanged between a relying party, identity and attribute providers, and attribute verifiers. They control which identity and attribute providers are required for a relying party’s authentication. They should be considered as a domain-specific language (DSL), that is, a computer language that's specialized for a particular application domain, with inheritance, if statements, and polymorphism.

These policies constitute the machine-readable portion of the TF construct in Azure AD B2C custom policies that leverage the Identity Experience Framework. They include all the operational details, including claims providers’ metadata and technical profiles, claims schema definitions, claims transformation functions, and user journeys that are filled in to facilitate operational orchestration and automation.

They are assumed to be living documents, because there is a good chance that their contents will change over time as the active participants declared in the policies change. There is also the potential that the terms and conditions for being a participant might change.

Federation setup and maintenance are vastly simplified by shielding relying parties from ongoing trust and connectivity reconfigurations as different claims providers/verifiers join or leave (the community represented by) the set of policies.

Interoperability is another significant challenge. Additional claims providers/verifiers must be integrated, because relying parties are unlikely to support all the necessary protocols. Azure AD B2C custom policies solve this problem by supporting industry-standard protocols and by applying specific user journeys to transpose requests when relying parties and attribute providers do not support the same protocol.

User journeys include protocol profiles and metadata that are used to plumb “on the wire” interoperability between the relying party and other participants. There are also operational runtime rules that are applied to identity information exchange request/response messages to enforce compliance with the policies published as part of the TF specification. The idea of user journeys is key to the customization of the customer experience. It also sheds light on how the system works at the protocol level.

On that basis, relying party applications and portals can, depending on their context, invoke Azure AD B2C custom policies that leverage the Identity Experience Framework by passing the name of a specific policy, and get precisely the behavior and information exchange they want without any muss, fuss, or risk.