Register a SAML application in Azure AD B2C

In this article, learn how to connect your Security Assertion Markup Language (SAML) applications (service providers) to Azure Active Directory B2C (Azure AD B2C) for authentication.

Before you begin, use the selector above to choose the type of policy you're configuring. Azure AD B2C offers two methods of defining how users interact with your applications: through predefined user flows, or through fully configurable custom policies. The steps required in this article are different for each method.

This feature is available for custom policies only. For setup steps, choose Custom policy above.

Overview

Organizations that use Azure AD B2C as their customer identity and access management solution might require integration with applications that authenticate using the SAML protocol. The following diagram shows how Azure AD B2C serves as an identity provider (IdP) to achieve single sign-on (SSO) with SAML-based applications.

Diagram: on the left, Azure AD B2C acts as the identity provider; on the right, Azure AD B2C acts as the service provider.

  1. The application creates a SAML AuthN request and sends it to the Azure AD B2C SAML login endpoint.
  2. The user authenticates with an Azure AD B2C local account or with any other federated identity provider (if configured).
  3. If the user signs in through a federated identity provider, that provider's token response is sent to Azure AD B2C.
  4. Azure AD B2C generates a SAML assertion and sends it to the application.
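Step 1 of the flow above, shown from both sides as an added example (this is illustration code, not code from the article or from Azure AD B2C): a service provider builds a SAML 2.0 AuthnRequest and encodes it for the HTTP-Redirect binding, and the identity provider's login endpoint decodes it and reads the Issuer it will later match against the application registration. The tenant name contoso, the policy name B2C_1A_signup_signin_saml, the SSO endpoint path, the size limit and the SP's entityID and ACS URL are placeholders assumed for the example; the real SSO endpoint is the <SingleSignOnService> location in the policy metadata.

```python
"""Added example: SAML AuthnRequest over the HTTP-Redirect binding, SP side
and IdP side. All URLs below are placeholders, not values from the article."""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
MAX_REQUEST_BYTES = 64 * 1024  # assumed bound on the inflated request

B2C_SSO_URL = ("https://contoso.b2clogin.cn/contoso.partner.onmschina.cn/"
               "B2C_1A_signup_signin_saml/samlp/sso/login")  # placeholder
SP_ENTITY_ID = "https://sp.example.com"                       # placeholder
SP_ACS_URL = "https://sp.example.com/SP/AssertionConsumer"    # placeholder


def build_authn_request(issuer, acs_url, destination, request_id=None, issue_instant=None):
    """Return (request_id, xml) for an SP-initiated AuthnRequest. The SP keeps
    request_id so it can check InResponseTo on the SAML response later."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": destination, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": HTTP_POST,
    })
    # Issuer is the SP entityID; Azure AD B2C matches it against identifierUris.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return request_id, ET.tostring(req, encoding="unicode")


def encode_redirect_binding(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect_binding(query_string):
    """IdP side: reverse the binding with a bounded inflate, then parse the XML."""
    params = urllib.parse.parse_qs(query_string, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_REQUEST_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond the allowed size")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest is not a samlp:AuthnRequest")
    return root


def request_issuer(authn_request):
    """The Issuer value the IdP uses to find the application registration."""
    issuer = authn_request.findtext(f"{{{SAML}}}Issuer", default="").strip()
    if not issuer:
        raise ValueError("AuthnRequest has no Issuer")
    return issuer


def roundtrip():
    """SP builds and sends; IdP receives. Returns what each side saw."""
    request_id, xml_text = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, B2C_SSO_URL)
    redirect_url = B2C_SSO_URL + "?" + encode_redirect_binding(xml_text, relay_state="/home")
    received = decode_redirect_binding(urllib.parse.urlsplit(redirect_url).query)
    return {
        "request_id": request_id,
        "redirect_url": redirect_url,
        "issuer": request_issuer(received),
        "destination": received.get("Destination"),
        "received_id": received.get("ID"),
        "acs_url": received.get("AssertionConsumerServiceURL"),
    }


if __name__ == "__main__":
    for key, value in roundtrip().items():
        print(f"{key}: {value}")
```

The bounded inflate matters on the receiving side: the binding hands the IdP attacker-controlled compressed data, so the decoder caps the output rather than trusting the sender.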

Prerequisites

  • Complete the steps in Get started with custom policies in Azure AD B2C. You need the SocialAndLocalAccounts custom policy from the custom policy starter pack discussed in that article.
  • Basic understanding of the SAML protocol and familiarity with the application's SAML implementation.
  • A web application configured as a SAML application. For this tutorial, you can use the SAML test application that we provide.

Components

There are three main components required for this scenario:

  • A SAML application that can send SAML AuthN requests and receive, decode, and verify SAML responses from Azure AD B2C. The SAML application is also known as the relying party application or service provider.
  • The SAML application's publicly available SAML metadata endpoint or XML document.
  • An Azure AD B2C tenant.

If you don't yet have a SAML application and an associated metadata endpoint, you can use this sample SAML application that we've made available for testing:

SAML Test Application

Set up certificates

To build a trust relationship between your application and Azure AD B2C, both services must be able to create and validate each other's signatures. You configure X.509 certificates in both Azure AD B2C and your application.

Application certificates

  • SAML request signing (Required: No). A certificate whose private key is stored in your web app; the application uses it to sign the SAML requests it sends to Azure AD B2C. The web app must expose the public key through its SAML metadata endpoint. Azure AD B2C validates the SAML request signature by using the public key from the application metadata.
  • SAML assertion encryption (Required: No). A certificate whose private key is stored in your web app. The web app must expose the public key through its SAML metadata endpoint. Azure AD B2C can encrypt assertions to your application using the public key; the application uses the private key to decrypt them.

Azure AD B2C certificates

  • SAML response signing (Required: Yes). A certificate whose private key is stored in Azure AD B2C. Azure AD B2C uses it to sign the SAML response sent to your application. Your application reads the public key from the Azure AD B2C metadata to validate the signature of the SAML response.

In a production environment, we recommend using certificates issued by a public certificate authority. However, you can also complete this procedure with self-signed certificates.

Prepare a self-signed certificate for SAML response signing

You must create a SAML response signing certificate so that your application can trust the assertions issued by Azure AD B2C.

If you don't already have a certificate, you can use a self-signed certificate. A self-signed certificate is not signed by a certificate authority (CA) and doesn't provide the assurances of a CA-signed certificate; the application trusts it explicitly, by taking the public key from the Azure AD B2C metadata.

On Windows, use PowerShell's New-SelfSignedCertificate cmdlet to generate a certificate.

  1. Run the following PowerShell command to generate a self-signed certificate. Modify the -Subject argument as appropriate for your application and Azure AD B2C tenant name. You can also adjust the -NotAfter date to specify a different expiration for the certificate.

    New-SelfSignedCertificate `
        -KeyExportPolicy Exportable `
        -Subject "CN=yourappname.yourtenant.partner.onmschina.cn" `
        -KeyAlgorithm RSA `
        -KeyLength 2048 `
        -KeyUsage DigitalSignature `
        -NotAfter (Get-Date).AddMonths(12) `
        -CertStoreLocation "Cert:\CurrentUser\My"
    
  2. Open Manage user certificates > Current User > Personal > Certificates > yourappname.yourtenant.partner.onmschina.cn.

  3. Select the certificate, and then select Action > All Tasks > Export.

  4. Select Yes > Next > Yes, export the private key > Next.

  5. Accept the defaults for Export File Format.

  6. Provide a password for the certificate.

For Azure AD B2C to accept the .pfx file password, the password must be encrypted with the TripleDES-SHA1 option in the Windows certificate store export utility, not with AES256-SHA256. Upload the resulting .pfx file as the policy key B2C_1A_SamlIdpCert; the token issuer technical profile in the next section references it by that StorageReferenceId.

Enable your policy to connect with a SAML application

To connect to your SAML application, Azure AD B2C must be able to create SAML responses.

Open SocialAndLocalAccounts\TrustFrameworkExtensions.xml in the custom policy starter pack.

Locate the <ClaimsProviders> section and add the following XML snippet to implement your SAML response generator. The SamlAssertionSigning key references the policy key that holds the signing certificate prepared above.

<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>

    <!-- SAML Token Issuer technical profile -->
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>Token Issuer</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      <Metadata>
        <Item Key="IssuerUri">https://issuerUriMyAppExpects</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
      </CryptographicKeys>
      <InputClaims/>
      <OutputClaims/>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer"/>
    </TechnicalProfile>

    <!-- Session management technical profile for SAML based tokens -->
    <TechnicalProfile Id="SM-Saml-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    </TechnicalProfile>

  </TechnicalProfiles>
</ClaimsProvider>

Configure the IssuerUri of the SAML response

You can change the value of the IssuerUri metadata item in the SAML token issuer technical profile. This change is reflected in the Issuer value of the SAML response that Azure AD B2C returns. Your application must be configured to expect exactly the same value during SAML response validation and to reject responses whose issuer doesn't match.

<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <!-- SAML Token Issuer technical profile -->
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>Token Issuer</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      <Metadata>
        <Item Key="IssuerUri">https://issuerUriMyAppExpects</Item>
      </Metadata>
      ...
    </TechnicalProfile>
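The issuer check is only one of the checks a service provider applies to the response, and it makes sense to see it in context. The following is an added example (illustration code, not from the article and not the SAML test application's code) of the post-signature validation a relying party performs on a SAML Response from Azure AD B2C. Signature verification itself is deliberately left out: it requires an XML-DSig library (python3-saml/xmlsec or similar) and must pass before anything below is trusted. The sample response is constructed for the example; the audience and assertion consumer URL are placeholders, while the issuer is the https://issuerUriMyAppExpects value from the snippet above.

```python
"""Added example: relying-party checks on a SAML Response, after signature
verification (not shown). Sample response and SP URLs are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

EXPECTED_ISSUER = "https://issuerUriMyAppExpects"        # must equal the policy's IssuerUri
EXPECTED_AUDIENCE = "https://sp.example.com"             # placeholder: the SP's own entityID
ACS_URL = "https://sp.example.com/SP/AssertionConsumer"  # placeholder

# Constructed sample; unsigned, see module docstring.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
  Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}" InResponseTo="_req42">
 <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>11111111-2222-3333-4444-555555555555</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{ACS_URL}" InResponseTo="_req42"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """SAML xs:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    return datetime.fromisoformat(value[:-1] + "+00:00" if value.endswith("Z") else value)


def validate_response(xml_text, outstanding_request_ids, now, skew=timedelta(minutes=2)):
    """Return the assertion's claims, or raise ValueError on the first failed check.
    Precondition (not implemented here): the signature over Response/Assertion was
    verified with the certificate from the Azure AD B2C metadata."""
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    status = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if resp.get("Destination") != ACS_URL:
        raise ValueError("Destination is not this SP's assertion consumer URL")
    in_response_to = resp.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        raise ValueError("InResponseTo matches no outstanding request (unsolicited or replayed)")
    assertion = resp.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no plaintext Assertion (EncryptedAssertion is out of scope here)")
    # Issuer on the Response and on the Assertion must both equal the expected IssuerUri.
    for holder in (resp, assertion):
        if holder.findtext(f"{{{SAML}}}Issuer", default="").strip() != EXPECTED_ISSUER:
            raise ValueError("unexpected issuer")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no expiry")
    if cond.get("NotBefore") and now < parse_instant(cond.get("NotBefore")) - skew:
        raise ValueError("assertion not yet valid")
    if now >= parse_instant(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion expired")
    if EXPECTED_AUDIENCE not in [a.text.strip() for a in cond.iter(f"{{{SAML}}}Audience") if a.text]:
        raise ValueError("assertion is not addressed to this SP")
    scd = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != in_response_to:
        raise ValueError("SubjectConfirmationData does not belong to this exchange")
    claims = {"nameid": assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID", default="").strip()}
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        claims[attr.get("Name")] = [v.text for v in attr.iter(f"{{{SAML}}}AttributeValue")]
    return claims


def rejected(xml_text, request_ids, now):
    """True if validate_response refuses the input."""
    try:
        validate_response(xml_text, request_ids, now)
    except ValueError:
        return True
    return False


def demo():
    """Valid response, then three variants that must be refused."""
    now = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    tampered = SAMPLE_RESPONSE.replace(EXPECTED_ISSUER, "https://attacker.example", 1)
    return {
        "claims": validate_response(SAMPLE_RESPONSE, {"_req42"}, now),
        "tampered_issuer_rejected": rejected(tampered, {"_req42"}, now),
        "expired_rejected": rejected(SAMPLE_RESPONSE, {"_req42"}, now + timedelta(hours=1)),
        "replay_rejected": rejected(SAMPLE_RESPONSE, set(), now),
    }
```

Claims are collected only after every check has passed, so a caller can't accidentally read attributes out of a response that was later rejected. The two-minute skew is a tuning choice, not a protocol constant.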

Sign the Azure AD B2C IdP SAML metadata (optional)

You can instruct Azure AD B2C to sign its SAML IdP metadata document, if the application requires it. To do so, generate and upload a SAML IdP metadata signing policy key as shown in Prepare a self-signed certificate for SAML response signing. Then add a MetadataSigning key to the CryptographicKeys of the SAML token issuer technical profile. The StorageReferenceId must reference the policy key name.

<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <!-- SAML Token Issuer technical profile -->
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>Token Issuer</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputTokenFormat>SAML2</OutputTokenFormat>
        ...
      <CryptographicKeys>
        <Key Id="MetadataSigning" StorageReferenceId="B2C_1A_SamlMetadataCert"/>
        ...
      </CryptographicKeys>
    ...
    </TechnicalProfile>

Sign the Azure AD B2C IdP SAML response element (optional)

You can specify a certificate to be used to sign the SAML message, that is, the <samlp:Response> element that wraps the assertion in the SAML response sent to the application. This is separate from the assertion signature produced with the SamlAssertionSigning key; with both configured, the application can verify the outer message and the assertion independently.

To specify a certificate, generate and upload a policy key as shown in Prepare a self-signed certificate for SAML response signing. Then add a SamlMessageSigning key to the CryptographicKeys of the SAML token issuer technical profile. The StorageReferenceId must reference the policy key name.

<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <!-- SAML Token Issuer technical profile -->
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>Token Issuer</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputTokenFormat>SAML2</OutputTokenFormat>
        ...
      <CryptographicKeys>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlMessageCert"/>
        ...
      </CryptographicKeys>
    ...
    </TechnicalProfile>

Configure your policy to issue a SAML response

Now that your policy can create SAML responses, you must configure the policy to issue a SAML response to your application instead of the default JWT response.

Create a sign-up or sign-in policy configured for SAML

  1. Create a copy of the SignUpOrSignin.xml file in your starter pack working directory and save it with a new name, for example SignUpOrSigninSAML.xml. This file is your relying party policy file, and it is configured to issue a JWT response by default.

  2. Open the SignUpOrSigninSAML.xml file in your preferred editor.

  3. Change the PolicyId and PublicPolicyUri of the policy to B2C_1A_signup_signin_saml and http://<tenant-name>.partner.onmschina.cn/B2C_1A_signup_signin_saml, as shown below.

    <TrustFrameworkPolicy
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicySchemaVersion="0.3.0.0"
    TenantId="tenant-name.partner.onmschina.cn"
    PolicyId="B2C_1A_signup_signin_saml"
    PublicPolicyUri="http://<tenant-name>.partner.onmschina.cn/B2C_1A_signup_signin_saml">
    
  4. At the end of the user journey, Azure AD B2C contains a SendClaims step. This step references the token issuer technical profile. To issue a SAML response rather than the default JWT response, modify the SendClaims step to reference the new SAML token issuer technical profile, Saml2AssertionIssuer.

Add the following XML snippet just before the <RelyingParty> element. This XML overrides orchestration step number 7 in the SignUpOrSignIn user journey. If you started from a different folder in the starter pack, or you customized the user journey by adding or removing orchestration steps, make sure the number in the Order attribute corresponds to the number of the token issuer step in your user journey. For example, in the other starter pack folders the corresponding step number is 4 for LocalAccounts, 6 for SocialAccounts, and 9 for SocialAndLocalAccountsWithMfa.

<UserJourneys>
  <UserJourney Id="SignUpOrSignIn">
    <OrchestrationSteps>
      <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer"/>
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>

The relying party element determines which protocol your application uses. The default is OpenId. The Protocol element must be changed to SAML2, as shown below. The output claims define the mapping of claims into the SAML assertion, and SubjectNamingInfo selects the claim (here objectId) that becomes the assertion's subject NameID.

Replace the entire <TechnicalProfile> element in the <RelyingParty> element with the following technical profile XML. Update tenant-name with the name of your Azure AD B2C tenant.

    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true"/>
    </TechnicalProfile>

Your final relying party policy file should look like the following XML:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="contoso.partner.onmschina.cn"
  PolicyId="B2C_1A_signup_signin_saml"
  PublicPolicyUri="http://contoso.partner.onmschina.cn/B2C_1A_signup_signin_saml">

  <BasePolicy>
    <TenantId>contoso.partner.onmschina.cn</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <UserJourneys>
    <UserJourney Id="SignUpOrSignIn">
      <OrchestrationSteps>
        <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer"/>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true"/>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

Note

You can follow this same process to implement other types of user flows (for example sign-in, password reset, or profile editing flows).

Upload your policy

Save your changes and upload the new TrustFrameworkExtensions.xml and SignUpOrSigninSAML.xml policy files to the Azure portal.

Test the Azure AD B2C IdP SAML metadata

After the policy files are uploaded, Azure AD B2C uses the configuration information to generate the identity provider's SAML metadata document for the application to consume. The SAML metadata document contains the locations of services, such as the sign-in and logout endpoints, the signing certificate, and so on.

The Azure AD B2C policy metadata is available at the following URL:

https://<tenant-name>.b2clogin.cn/<tenant-name>.partner.onmschina.cn/<policy-name>/samlp/metadata

Replace <tenant-name> with the name of your Azure AD B2C tenant and <policy-name> with the name (ID) of the policy, for example:

https://contoso.b2clogin.cn/contoso.partner.onmschina.cn/B2C_1A_signup_signin_saml/samlp/metadata

Register your SAML application in Azure AD B2C

For Azure AD B2C to trust your application, you create an Azure AD B2C application registration, which contains configuration information such as the application's metadata endpoint.

  1. Sign in to the Azure portal.
  2. Select the Directory + subscription filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
  3. In the left menu, select Azure AD B2C. Or, select All services and search for and select Azure AD B2C.
  4. Select App registrations, and then select New registration.
  5. Enter a Name for the application. For example, SAMLApp1.
  6. Under Supported account types, select Accounts in this organizational directory only.
  7. Under Redirect URI, select Web, and then enter https://localhost. You'll modify this value later in the application registration's manifest.
  8. Select Register.

Configure your application in Azure AD B2C

For SAML apps, you'll need to configure several properties in the application registration's manifest.

  1. In the Azure portal, navigate to the application registration that you created in the previous section.
  2. Under Manage, select Manifest to open the manifest editor, and then modify the properties described in the following sections.

Add the identifier

When your SAML application makes a request to Azure AD B2C, the SAML AuthN request includes an Issuer element, whose value is typically the same as the application's metadata entityID. Azure AD B2C uses this value to look up the application registration in the directory and read its configuration. For this lookup to succeed, identifierUris in the application registration must contain a value that matches the Issuer.

In the registration manifest, locate the identifierUris property and add the appropriate value. This is the same value the application sends as the Issuer (EntityId) of its SAML AuthN requests and publishes as entityID in its metadata.

The following example shows the entityID in the SAML metadata:

<EntityDescriptor ID="id123456789" entityID="https://samltestapp2.chinacloudsites.cn" validUntil="2099-12-31T23:59:59Z" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

The identifierUris property only accepts URLs on the domain tenant-name.partner.onmschina.cn. If your tenant rejects a value on another domain, such as the test application's entityID below, use a URI on your tenant's domain instead and configure the application to send that same value as its Issuer (see the Issuer item under Configure Azure AD B2C as a SAML IdP in your SAML application).

"identifierUris":"https://samltestapp2.chinacloudsites.cn",

Share the application's metadata with Azure AD B2C

After the application registration has been located by its identifierUri, Azure AD B2C uses the application's metadata to validate the SAML AuthN request and determine how to respond.

It's recommended that your application exposes a publicly accessible metadata endpoint, because the metadata is also where Azure AD B2C obtains the application's request signing and assertion encryption public keys.

If properties are specified both in the document at the SAML metadata URL and in the application registration's manifest, they are merged. The properties from the metadata URL are processed first and take precedence.

Using the SAML test application as an example, you'd use the following value for samlMetadataUrl in the application manifest:

"samlMetadataUrl":"https://samltestapp2.chinacloudsites.cn/Metadata",

Override or set the assertion consumer URL (optional)

You can configure the reply URL to which Azure AD B2C sends SAML responses. Reply URLs can be configured within the application manifest. This configuration is useful when your application doesn't expose a publicly accessible metadata endpoint.

The reply URL for a SAML application is the endpoint at which the application expects to receive SAML responses. The application usually provides this URL in its metadata document as the Location attribute of the AssertionConsumerService element, as shown below:

<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    ...
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltestapp2.chinacloudsites.cn/SP/AssertionConsumer" />        
</SPSSODescriptor>

If you want to override the AssertionConsumerService location provided in the metadata, or the URL isn't present in the metadata document, you can configure the URL in the manifest under the replyUrlsWithType property. The binding type will be set to HTTP POST.

Using the SAML test application as an example, you'd set the url property of replyUrlsWithType to the value shown in the following JSON snippet.

"replyUrlsWithType":[
  {
    "url":"https://samltestapp2.chinacloudsites.cn/SP/AssertionConsumer",
    "type":"Web"
  }
],
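How the identifierUris, samlMetadataUrl and replyUrlsWithType properties fit together on the Azure AD B2C side, as an added example (a plain-Python model written for this page, not Azure AD B2C's implementation and not the manifest schema): given the Issuer of an incoming AuthnRequest, find the single registration whose identifierUris contains it, then resolve the assertion consumer URL with the precedence stated above, metadata first and replyUrlsWithType only as a gap filler. The registrations, the SP metadata document, the URLs and the fetch_metadata() stand-in for the HTTPS fetch of samlMetadataUrl are all constructed for the example.

```python
"""Added example: registration lookup by Issuer and metadata/manifest merge.
Registrations, metadata and URLs are constructed placeholders."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SP_METADATA_URL = "https://sp.example.com/Metadata"  # placeholder
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://sp.example.com">
 <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIB...placeholder, not a real certificate...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
   Location="https://sp.example.com/SP/AssertionConsumer"/>
 </SPSSODescriptor>
</EntityDescriptor>"""

# Stand-ins for the relevant manifest fields of two registrations.
REGISTRATIONS = [
    {"name": "SAMLApp1",
     "identifierUris": ["https://sp.example.com"],
     "samlMetadataUrl": SP_METADATA_URL,
     # Stale manifest value: the ACS from the metadata must win over it.
     "replyUrlsWithType": [{"url": "https://sp.example.com/old-acs", "type": "Web"}]},
    {"name": "LegacyApp",
     "identifierUris": ["https://contoso.partner.onmschina.cn/legacy"],
     "samlMetadataUrl": None,  # manifest only: B2C gets no public keys for this app
     "replyUrlsWithType": [{"url": "https://legacy.example.com/acs", "type": "Web"}]},
]


def fetch_metadata(url):
    """Offline stand-in for fetching samlMetadataUrl over HTTPS."""
    return SP_METADATA if url == SP_METADATA_URL else None


def find_registration(issuer, registrations=REGISTRATIONS):
    """Exactly one registration must list the request's Issuer in identifierUris."""
    matches = [r for r in registrations if issuer in r["identifierUris"]]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} registrations match issuer {issuer!r}")
    return matches[0]


def resolve_sp_settings(registration):
    """Metadata values first (higher precedence); manifest values fill the gaps."""
    acs_url, signing_cert = None, None
    if registration["samlMetadataUrl"]:
        doc = fetch_metadata(registration["samlMetadataUrl"])
        if doc is not None:
            root = ET.fromstring(doc)
            if root.get("entityID") not in registration["identifierUris"]:
                raise ValueError("metadata entityID is not one of the registration's identifierUris")
            for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
                if acs.get("Binding") == HTTP_POST and (acs_url is None or acs.get("isDefault") == "true"):
                    acs_url = acs.get("Location")
            for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
                if kd.get("use", "signing") == "signing":
                    cert = kd.find(f".//{{{DS}}}X509Certificate")
                    if cert is not None and cert.text:
                        signing_cert = cert.text.strip()
    if acs_url is None:
        acs_url = next((e["url"] for e in registration["replyUrlsWithType"] if e["type"] == "Web"), None)
    if acs_url is None:
        raise ValueError("no assertion consumer URL in metadata or manifest")
    return {
        "acs_url": acs_url,
        "acs_binding": HTTP_POST,
        # Without a signing key from metadata, request signatures cannot be checked.
        "can_verify_request_signature": signing_cert is not None,
    }


def lookup_succeeds(issuer):
    """True if a registration for this Issuer exists."""
    try:
        find_registration(issuer)
        return True
    except LookupError:
        return False
```

The LegacyApp entry shows the consequence the note on logout URLs below spells out: with no metadata there is no signing key, so a request signature cannot be verified, whatever the manifest says.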

Override or set the logout URL (optional)

You can configure the logout URL to which Azure AD B2C sends the user after a logout request. Logout URLs can be configured within the application manifest.

If you want to override the SingleLogoutService location provided in the metadata, or the URL isn't present in the metadata document, you can configure it in the manifest under the logoutUrl property. The binding type will be set to HTTP-Redirect.

The application usually provides this URL in its metadata document as the Location attribute of the SingleLogoutService element, as shown below:

<IDPSSODescriptor WantAuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltestapp2.chinacloudsites.cn/logout" ResponseLocation="https://samltestapp2.chinacloudsites.cn/logout" />

</IDPSSODescriptor>

Using the SAML test application as an example, you'd leave logoutUrl set to https://samltestapp2.chinacloudsites.cn/logout:

"logoutUrl": "https://samltestapp2.chinacloudsites.cn/logout",

Note

If you configure the reply URL and logout URL in the application manifest without populating the application's metadata endpoint via the samlMetadataUrl property, Azure AD B2C has no public keys for the application: it will not validate the SAML request signature, nor will it encrypt the SAML response.

Configure Azure AD B2C as a SAML IdP in your SAML application

The last step is to enable Azure AD B2C as a SAML IdP in your SAML application. Each application is different and the steps vary; consult your app's documentation for details.

The metadata can be configured in your application as static metadata or dynamic metadata. In static mode, copy all or part of the metadata from the Azure AD B2C policy metadata. In dynamic mode, provide the URL of the metadata and allow your application to read the metadata dynamically.

Some or all of the following are typically required:

  • Metadata: Use the format https://<tenant-name>.b2clogin.cn/<tenant-name>.partner.onmschina.cn/<policy-name>/Samlp/metadata.

  • Issuer: The SAML request issuer value must match one of the URIs configured in the identifierUris element of the application registration manifest. If the SAML request issuer name doesn't exist in the identifierUris element, add it to the application registration manifest. For example, https://contoso.partner.onmschina.cn/app-name.

  • Login URL/SAML endpoint/SAML URL: Check the value of the <SingleSignOnService> XML element in the Azure AD B2C SAML policy metadata file.

  • Certificate: This is the certificate stored in the B2C_1A_SamlIdpCert policy key, without its private key. To get the public key of the certificate:

    1. Go to the metadata URL specified above.
    2. Copy the value in the <X509Certificate> element.
    3. Paste it into a text file.
    4. Save the text file as a .cer file.
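The manual steps above (Test the Azure AD B2C IdP SAML metadata, and the certificate steps just listed) automated, as an added example that is not part of the article: read the policy metadata document, and pull out the IdP entityID, the SingleSignOnService and SingleLogoutService locations per binding, and the signing certificate re-wrapped as a PEM .cer file. The metadata below is a constructed sample in the shape of an IdP metadata document; its certificate body is a placeholder DER blob rather than a real certificate, and its URLs are placeholders. In use you would fetch the metadata URL over HTTPS and pass the response body to parse_idp_metadata().

```python
"""Added example: extract SP-side settings from Azure AD B2C IdP metadata.
The sample metadata, its URLs and its certificate body are constructed."""
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder DER: a SEQUENCE holding one INTEGER. Not a certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")

SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="https://issuerUriMyAppExpects">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://contoso.b2clogin.cn/contoso.partner.onmschina.cn/B2C_1A_signup_signin_saml/samlp/sso/logout"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://contoso.b2clogin.cn/contoso.partner.onmschina.cn/B2C_1A_signup_signin_saml/samlp/sso/login"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://contoso.b2clogin.cn/contoso.partner.onmschina.cn/B2C_1A_signup_signin_saml/samlp/sso/login"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def to_pem(b64_body):
    """Re-wrap the base64 from <X509Certificate> as a PEM .cer body.
    Decoding first rejects whitespace damage from copy-and-paste, and the
    0x30 check confirms the bytes start with a DER SEQUENCE as every
    certificate does (it is a sanity check, not certificate parsing)."""
    der = base64.b64decode("".join(b64_body.split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("X509Certificate content is not DER")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text):
    """Return entityID, SSO/SLO locations keyed by binding, and signing certs as PEM."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD}}}{tag}")}

    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append(to_pem(cert.text or ""))
    if not certs:
        raise ValueError("metadata has no signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
        "signing_certs_pem": certs,
    }


def write_cer(path, pem):
    """Write one PEM certificate as the .cer file the application imports."""
    with open(path, "w", encoding="ascii", newline="\n") as f:
        f.write(pem)


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("issuer:", info["entity_id"])
    print("login URL (redirect):", info["sso"][REDIRECT])
    write_cer("b2c-signing.cer", info["signing_certs_pem"][0])
```

Keeping every signing certificate rather than just the first matters during a key rollover, when the metadata may list the old and the new certificate side by side; the application should accept signatures from any certificate the current metadata publishes.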

Test with the SAML test app

You can use our SAML test application to test your configuration:

  • Update the tenant name.
  • Update the policy name, for example B2C_1A_signup_signin_saml.
  • Specify the issuer URI. Use one of the URIs found in the identifierUris element of the application registration manifest, for example https://contoso.partner.onmschina.cn/app-name.

Select Login and you should be presented with a user sign-in screen. Upon sign-in, a SAML response is issued back to the sample application.

Supported and unsupported SAML modalities

The following SAML application scenarios are supported via your own metadata endpoint:

  • Multiple logout URLs, or a POST binding for the logout URL, in the application/service principal object.
  • Specifying a signing key to verify relying party (RP) requests in the application/service principal object.
  • Specifying a token encryption key in the application/service principal object.
  • Identity provider-initiated sign-on, where the identity provider is Azure AD B2C.

Next steps