Configure session behavior in Azure Active Directory B2C

Single sign-on (SSO) session management in Azure Active Directory B2C (Azure AD B2C) enables an administrator to control interaction with a user after the user has already authenticated. For example, the administrator can control whether the selection of identity providers is displayed, or whether account details need to be entered again. This article describes how to configure the SSO settings for Azure AD B2C.

Session behavior properties

You can use the following properties to manage web application sessions:

  • Web app session lifetime (minutes) - The lifetime of the Azure AD B2C session cookie stored in the user's browser upon successful authentication.
    • Default = 1440 minutes.
    • Minimum (inclusive) = 15 minutes.
    • Maximum (inclusive) = 1440 minutes.
  • Web app session timeout - The session expiry type, Rolling or Absolute.
  • Single sign-on configuration - The session scope of the single sign-on (SSO) behavior across multiple apps and user flows in your Azure AD B2C tenant.
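The difference between the Rolling and Absolute timeout types matters for how long a stolen or forgotten browser session stays usable. The following model is an added example, not code from the page or from Azure AD B2C: it assumes (as the general meaning of the two types) that an Absolute session expires a fixed lifetime after sign-in, while a Rolling session's deadline moves forward each time the cookie is accepted. It also enforces the 15 to 1440 minute range stated above. The `SessionCookie` class, `simulate` helper and the sign-in time are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits stated on the page for "Web app session lifetime (minutes)".
MIN_LIFETIME_MINUTES = 15
MAX_LIFETIME_MINUTES = 1440
DEFAULT_LIFETIME_MINUTES = 1440


def validate_lifetime(minutes: int) -> int:
    """Reject lifetimes outside the inclusive range the portal accepts."""
    if not MIN_LIFETIME_MINUTES <= minutes <= MAX_LIFETIME_MINUTES:
        raise ValueError(
            f"lifetime must be between {MIN_LIFETIME_MINUTES} and "
            f"{MAX_LIFETIME_MINUTES} minutes inclusive, got {minutes}"
        )
    return minutes


@dataclass
class SessionCookie:
    """Simplified model (assumption) of the B2C session cookie's expiry state."""
    issued_at: datetime            # time of the successful authentication
    last_used_at: datetime         # last time the cookie was accepted
    lifetime_minutes: int = DEFAULT_LIFETIME_MINUTES
    timeout_type: str = "Rolling"  # "Rolling" or "Absolute"

    def __post_init__(self) -> None:
        validate_lifetime(self.lifetime_minutes)
        if self.timeout_type not in ("Rolling", "Absolute"):
            raise ValueError(f"unknown timeout type {self.timeout_type!r}")

    def expires_at(self) -> datetime:
        """Absolute: fixed deadline from sign-in. Rolling: deadline moves with use."""
        anchor = self.issued_at if self.timeout_type == "Absolute" else self.last_used_at
        return anchor + timedelta(minutes=self.lifetime_minutes)

    def is_valid(self, now: datetime) -> bool:
        return now < self.expires_at()

    def use(self, now: datetime) -> bool:
        """Accept the cookie at time `now`; a Rolling session is extended on use."""
        if not self.is_valid(now):
            return False
        if self.timeout_type == "Rolling":
            self.last_used_at = now
        return True


def simulate(timeout_type: str, lifetime_minutes: int, use_offsets_min: list) -> list:
    """Return whether each access at the given minute offsets after sign-in was accepted."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed sign-in time
    cookie = SessionCookie(t0, t0, lifetime_minutes, timeout_type)
    return [cookie.use(t0 + timedelta(minutes=m)) for m in use_offsets_min]


if __name__ == "__main__":
    # With a 15 minute lifetime and use every 10 minutes, a Rolling session
    # survives until the first gap longer than 15 minutes; an Absolute one
    # ends 15 minutes after sign-in regardless of activity.
    print("Rolling: ", simulate("Rolling", 15, [10, 20, 30, 50]))
    print("Absolute:", simulate("Absolute", 15, [10, 20, 30, 50]))
```

The practical reading: a Rolling session with the maximum lifetime can, in this model, outlive the nominal 1440 minutes indefinitely as long as it keeps being used, so Absolute is the setting to reach for when a hard re-authentication deadline is the goal.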

Configure the properties

  1. Sign in to the Azure portal.

  2. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the Directory + subscription filter in the top menu and choosing the directory that contains your Azure AD B2C tenant.

  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.

  4. Select User flows.

  5. Open the user flow that you previously created.

  6. Select Properties.

  7. Configure Web app session lifetime (minutes), Web app session timeout, Single sign-on configuration, and Require ID Token in logout requests as needed.

    [Screenshot: Session behavior property settings in the Azure portal]

  8. Click Save.

Configure sign-out behavior

Secure your logout redirect

After logout, the user is redirected to the URI specified in the post_logout_redirect_uri parameter, regardless of the reply URLs that have been specified for the application. However, if a valid id_token_hint is passed and Require ID Token in logout requests is turned on, Azure AD B2C verifies that the value of post_logout_redirect_uri matches one of the application's configured redirect URIs before performing the redirect. If no matching reply URL was configured for the application, an error message is displayed and the user is not redirected. To require an ID Token in logout requests:

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the Directory + subscription filter in the top menu and choosing the directory that contains your Azure AD B2C tenant.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. Select User flows.
  5. Open the user flow that you previously created.
  6. Select Properties.
  7. Enable Require ID Token in logout requests.
  8. Go back to Azure AD B2C.
  9. Select App registrations, and then select your application.
  10. Select Authentication.
  11. In the Logout URL text box, type your post logout redirect URI, and then select Save.
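The redirect check described under "Secure your logout redirect" is easier to reason about as a decision function. The block below is an added example, not code from the page or from Azure AD B2C: it models, in the terms the page uses, how a logout request's post_logout_redirect_uri is treated with the setting off (redirected as supplied, regardless of the configured reply URLs) and with the setting on plus a valid id_token_hint (exact match against the configured URIs, otherwise an error). Two details are assumptions of the model rather than statements from the page: the Logout URL set in step 11 is accepted alongside the reply URLs, and with the setting on, a request whose hint is missing or was issued to a different application is refused because its target cannot be checked. The `AppRegistration` class, client ID and URIs are constructed for illustration; the hint is passed as already-verified claims, so signature and expiry validation are assumed to have happened earlier.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AppRegistration:
    """Constructed subset of an app registration: reply URLs plus the Logout URL."""
    client_id: str
    redirect_uris: list
    logout_url: Optional[str] = None

    def allowed_post_logout_uris(self) -> set:
        # Assumption: the Logout URL configured under Authentication is accepted
        # as a post-logout target alongside the configured reply URLs.
        allowed = set(self.redirect_uris)
        if self.logout_url:
            allowed.add(self.logout_url)
        return allowed


def id_token_hint_is_valid(hint_claims: Optional[dict], app: AppRegistration) -> bool:
    """A hint counts as valid here when it was issued to this application (aud).
    Signature and expiry checks are assumed to have been done before this point."""
    return bool(hint_claims) and hint_claims.get("aud") == app.client_id


def decide_logout_redirect(
    post_logout_redirect_uri: str,
    id_token_hint_claims: Optional[dict],
    require_id_token: bool,
    app: AppRegistration,
) -> tuple:
    """Return ("redirect", uri) when the user would be sent on, or ("error", reason)."""
    if not require_id_token:
        # Setting off: the user is redirected to whatever URI was supplied,
        # regardless of the reply URLs configured for the application.
        return ("redirect", post_logout_redirect_uri)

    if not id_token_hint_is_valid(id_token_hint_claims, app):
        # Assumption: with the setting on, a request that cannot be tied to an
        # application via a valid hint has nothing to be checked against.
        return ("error", "a valid id_token_hint is required in logout requests")

    # Exact string match only: no prefix, substring or path-normalised matching.
    if post_logout_redirect_uri not in app.allowed_post_logout_uris():
        return ("error", "post_logout_redirect_uri does not match a configured reply URL")

    return ("redirect", post_logout_redirect_uri)


# Constructed sample registration; the client ID is a placeholder, not a real one.
SAMPLE_APP = AppRegistration(
    client_id="00000000-0000-0000-0000-000000000000",
    redirect_uris=["https://app.example.com/signin-oidc"],
    logout_url="https://app.example.com/signed-out",
)
SAMPLE_HINT = {"aud": SAMPLE_APP.client_id, "sub": "constructed-user"}


if __name__ == "__main__":
    unconfigured = "https://not-configured.example/landing"
    print("setting off:", decide_logout_redirect(unconfigured, None, False, SAMPLE_APP))
    print("setting on, match:",
          decide_logout_redirect(SAMPLE_APP.logout_url, SAMPLE_HINT, True, SAMPLE_APP))
    print("setting on, mismatch:",
          decide_logout_redirect(unconfigured, SAMPLE_HINT, True, SAMPLE_APP))
```

The first printed case is the one the section warns about: with the setting off, the post-logout target is taken from the request as-is. Turning the setting on and registering the Logout URL is what makes the second and third cases behave as a defender would expect. Exact-match comparison is the deliberate choice here; any looser matching would reopen the gap the setting closes.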

Next steps