Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C

To use an Azure Active Directory (Azure AD) as an identity provider in Azure AD B2C, you need to create an application that represents it. This article shows you how to enable sign-in for users from a specific Azure AD organization using a user flow in Azure AD B2C.

Register an Azure AD app

To enable sign-in for users from a specific Azure AD organization, you need to register an application within the organizational Azure AD tenant.

  1. Sign in to the Azure portal.

  2. Make sure you're using the directory that contains your organizational Azure AD tenant (for example, contoso.com). Select the Directory + subscription filter in the top menu, and then choose the directory that contains your Azure AD tenant.

  3. Choose All services in the top-left corner of the Azure portal, and then search for and select App registrations.

  4. Select New registration.

  5. Enter a Name for your application. For example, Azure AD B2C App.

  6. Accept the default selection of Accounts in this organizational directory only for this application.

  7. For the Redirect URI, accept the value of Web, and enter the following URL in all lowercase letters, where your-B2C-tenant-name is replaced with the name of your Azure AD B2C tenant.

    https://your-B2C-tenant-name.b2clogin.cn/your-B2C-tenant-name.partner.onmschina.cn/oauth2/authresp

    For example, https://fabrikam.b2clogin.cn/fabrikam.partner.onmschina.cn/oauth2/authresp.

  8. Select Register. Record the Application (client) ID for use in a later step.

  9. Select Certificates & secrets, and then select New client secret.

  10. Enter a Description for the secret, select an expiration, and then select Add. Record the Value of the secret for use in a later step.

Configuring optional claims

If you want to get the family_name and given_name claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see How to provide optional claims to your Azure AD app.

  1. Sign in to the Azure portal. Search for and select Azure Active Directory.
  2. From the Manage section, select App registrations.
  3. Select the application you want to configure optional claims for in the list.
  4. From the Manage section, select Token configuration.
  5. Select Add optional claim.
  6. For the Token type, select ID.
  7. Select the optional claims to add: family_name and given_name.
  8. Click Add.

Configure Azure AD as an identity provider

  1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directory + subscription filter in the top menu and choose the directory that contains your Azure AD B2C tenant.

  2. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.

  3. Select Identity providers, and then select New OpenID Connect provider.

  4. Enter a Name. For example, enter Contoso Azure AD.

  5. For Metadata url, enter the following URL, replacing {tenant} with the domain name of your Azure AD tenant:

    https://login.partner.microsoftonline.cn/{tenant}/v2.0/.well-known/openid-configuration

    For example, https://login.partner.microsoftonline.cn/contoso.partner.onmschina.cn/v2.0/.well-known/openid-configuration or https://login.partner.microsoftonline.cn/contoso.com/v2.0/.well-known/openid-configuration.

  6. For Client ID, enter the application ID that you previously recorded.

  7. For Client secret, enter the client secret that you previously recorded.

  8. For the Scope, enter openid profile.

  9. Leave the default values for Response type and Response mode.

  10. (Optional) For the Domain hint, enter contoso.com. For more information, see Set up direct sign-in using Azure Active Directory B2C.

  11. Under Identity provider claims mapping, select the following claims:

    • User ID: oid
    • Display name: name
    • Given name: given_name
    • Surname: family_name
    • Email: unique_name
  12. Select Save.
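As an added example (not code from the article or from Azure AD B2C itself), the following Python script builds the tenant-specific metadata URL from step 5, checks a discovery document against the organization's tenant ID so that a multi-tenant or wrong-tenant issuer is caught, and applies the step 11 claims mapping to a decoded ID token while refusing tokens whose tid claim is not the expected organization. The tenant ID, discovery document and token claims are constructed placeholders, and the tid check is an assumption about Azure AD v2.0 tokens rather than something the article states.

```python
# Claims mapping from step 11: B2C claim -> claim in the Azure AD ID token
CLAIMS_MAPPING = {"userId": "oid", "displayName": "name", "givenName": "given_name",
                  "surname": "family_name", "email": "unique_name"}
METADATA_URL = "https://login.partner.microsoftonline.cn/{tenant}/v2.0/.well-known/openid-configuration"

def metadata_url(tenant_domain):
    """Tenant-specific discovery URL from step 5."""
    return METADATA_URL.format(tenant=tenant_domain)

def check_discovery(doc, tenant_id):
    """List problems in a discovery document for a single-organization setup.
    Assumption: v2.0 issuers carry the tenant GUID, so an issuer for another
    tenant (or the multi-tenant 'common' endpoint) must be rejected."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append("missing " + key)
    issuer = doc.get("issuer", "")
    if tenant_id not in issuer:
        problems.append("issuer not scoped to the expected tenant: " + issuer)
    for scope in ("openid", "profile"):  # the scope entered in step 8
        if scope not in doc.get("scopes_supported", []):
            problems.append("scope not advertised: " + scope)
    return problems

def map_claims(id_token_claims, tenant_id):
    """Apply the claims mapping to a decoded ID-token payload, refusing a
    token whose 'tid' claim is not the expected organization (assumption)."""
    if id_token_claims.get("tid") != tenant_id:
        raise ValueError("token issued for another tenant: " + str(id_token_claims.get("tid")))
    return {b2c: id_token_claims[aad] for b2c, aad in CLAIMS_MAPPING.items()
            if aad in id_token_claims}

# Constructed sample data with a placeholder tenant id (not a real response)
TENANT_ID = "11111111-2222-3333-4444-555555555555"
BASE = "https://login.partner.microsoftonline.cn/" + TENANT_ID
SAMPLE_DISCOVERY = {
    "issuer": BASE + "/v2.0",
    "authorization_endpoint": BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": BASE + "/oauth2/v2.0/token",
    "jwks_uri": BASE + "/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email"],
}
SAMPLE_CLAIMS = {"tid": TENANT_ID, "oid": "placeholder-object-id", "name": "Alex Example",
                 "given_name": "Alex", "family_name": "Example", "unique_name": "alex@contoso.com"}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, TENANT_ID))  # [] when the document is acceptable
    print(map_claims(SAMPLE_CLAIMS, TENANT_ID))
```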