Azure AD B2C session

Single sign-on (SSO) adds security and convenience when users sign in across applications in Azure Active Directory B2C (Azure AD B2C). This article describes the single sign-on methods used in Azure AD B2C and helps you choose the most appropriate SSO method when configuring your policy.

With single sign-on, users sign in once with a single account and get access to multiple applications. The application can be a web, mobile, or single-page application, regardless of platform or domain name.

When the user initially signs in to an application, Azure AD B2C persists a cookie-based session. Upon subsequent authentication requests, Azure AD B2C reads and validates the cookie-based session, and issues an access token without prompting the user to sign in again. If the cookie-based session expires or becomes invalid, the user is prompted to sign in again.

SSO session types

Integration with Azure AD B2C involves three types of SSO sessions:

  • Azure AD B2C - Session managed by Azure AD B2C
  • Federated identity provider - Session managed by the identity provider
  • Application - Session managed by the web, mobile, or single-page application

Diagram: SSO sessions

Azure AD B2C SSO

When a user successfully authenticates with a local or social account, Azure AD B2C stores a cookie-based session in the user's browser. The cookie is stored under the Azure AD B2C tenant domain name, such as https://contoso.b2clogin.cn.

If a user initially signs in with a federated account, and then during the session time window (time-to-live, or TTL) signs in to the same app or a different app, Azure AD B2C tries to acquire a new access token from the federated identity provider. If the federated identity provider session is expired or invalid, the federated identity provider prompts the user for their credentials. If the session is still active (or if the user signed in with a local account instead of a federated account), Azure AD B2C authorizes the user without any further prompts.

You can configure the session behavior, including the session TTL and how Azure AD B2C shares the session across policies and applications.

Federated identity provider SSO

A social or enterprise identity provider manages its own session. The cookie is stored under the identity provider's domain name, such as https://login.salesforce.com. Azure AD B2C doesn't control the federated identity provider session. Instead, session behavior is determined by the federated identity provider.

Application SSO

A web, mobile, or single-page application can be protected by OAuth access tokens, ID tokens, or SAML tokens. When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app takes the user to the Azure AD B2C sign-in page.

The application session can be a cookie-based session stored under the application domain name, such as https://contoso.com. Mobile applications might store the session in a different way, but using a similar approach.

Azure AD B2C session configuration

Session scope

The Azure AD B2C session can be configured with the following scopes:

  • Tenant - This setting is the default. Using this setting allows multiple applications and user flows in your B2C tenant to share the same user session. For example, once a user signs in to an application, the user can also seamlessly sign in to another one upon accessing it.
  • Application - This setting allows you to maintain a user session exclusively for an application, independent of other applications. For example, you can use this setting if you want the user to sign in to Contoso Pharmacy regardless of whether the user is already signed in to Contoso Groceries.
  • Policy - This setting allows you to maintain a user session exclusively for a user flow, independent of the applications using it. For example, if the user has already signed in and completed a multi-factor authentication (MFA) step, the user can be given access to higher-security parts of multiple applications, as long as the session tied to the user flow doesn't expire.
  • Disabled - This setting forces the user to run through the entire user flow upon every execution of the policy.

Session lifetime

The session lifetime is the amount of time the Azure AD B2C session cookie is stored in the user's browser after successful authentication. You can set the session lifetime to a value from 15 to 720 minutes.

Keep me signed-in

The Keep me signed-in feature extends the session lifetime through the use of a persistent cookie. The session remains active after the user closes and reopens the browser. The session is revoked only when the user signs out. The Keep me signed-in feature applies only to sign-in with local accounts.

The Keep me signed-in feature takes precedence over the session lifetime. If the Keep me signed-in feature is enabled and the user selects it, this feature dictates when the session will expire.

Session expiry type

The session expiry type indicates how a session is extended by the session lifetime setting or the Keep me signed-in setting.

  • Rolling - Indicates that the session is extended every time the user performs a cookie-based authentication (default).
  • Absolute - Indicates that the user is forced to re-authenticate after the specified time period, regardless of activity.
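The interaction between session lifetime, Keep me signed-in, and the Rolling/Absolute expiry types is easiest to reason about as a small state model. The following is an added example, not code from the page or from Microsoft: it models those settings so their combined effect can be unit-tested. The data class and field names, the in-memory cookie representation, and the 30-day persistent-cookie lifetime used for Keep me signed-in are assumptions made for this example; the actual Azure AD B2C cookie lives under the tenant's b2clogin domain and is not inspectable by the application.

```python
"""Illustrative model of Azure AD B2C session expiry semantics (added example).

Models the settings described on this page: session lifetime (15-720 minutes),
Keep me signed-in (KMSI, local accounts only, takes precedence over lifetime),
and the Rolling / Absolute session expiry types. Names and the KMSI cookie
duration are assumptions for this example, not Azure AD B2C's own code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

MIN_LIFETIME_MIN = 15   # lower bound of the session lifetime setting
MAX_LIFETIME_MIN = 720  # upper bound of the session lifetime setting


def is_valid_lifetime(minutes: int) -> bool:
    """True when the value is an allowed session lifetime (15-720 minutes)."""
    return MIN_LIFETIME_MIN <= minutes <= MAX_LIFETIME_MIN


@dataclass
class SessionConfig:
    lifetime_minutes: int            # "Session lifetime" setting
    expiry_type: str = "Rolling"     # "Rolling" (default) or "Absolute"
    kmsi_enabled: bool = False       # whether "Keep me signed-in" is offered
    kmsi_days: int = 30              # ASSUMED persistent-cookie lifetime for KMSI

    def __post_init__(self) -> None:
        if not is_valid_lifetime(self.lifetime_minutes):
            raise ValueError("session lifetime must be 15-720 minutes")
        if self.expiry_type not in ("Rolling", "Absolute"):
            raise ValueError("expiry type must be Rolling or Absolute")


@dataclass
class SessionCookie:
    created_at: datetime
    expires_at: datetime
    persistent: bool      # True: survives a browser restart (KMSI selected)
    local_account: bool   # KMSI only applies to local accounts


def _ttl(cfg: SessionConfig, persistent: bool) -> timedelta:
    # KMSI takes precedence over the session lifetime when it is in effect.
    return timedelta(days=cfg.kmsi_days) if persistent else timedelta(minutes=cfg.lifetime_minutes)


def sign_in(cfg: SessionConfig, now: datetime, local_account: bool = True,
            kmsi_selected: bool = False) -> SessionCookie:
    """Issue the session cookie after a successful interactive sign-in."""
    # KMSI is honoured only if enabled, selected by the user, and the account is local.
    persistent = cfg.kmsi_enabled and kmsi_selected and local_account
    return SessionCookie(now, now + _ttl(cfg, persistent), persistent, local_account)


def authenticate_with_cookie(cfg: SessionConfig, cookie: SessionCookie, now: datetime,
                             browser_restarted: bool = False
                             ) -> Tuple[bool, Optional[SessionCookie]]:
    """Model a later authentication request that presents the cookie.

    Returns (authorized, possibly-updated cookie). A non-persistent cookie is lost
    when the browser restarts; an expired cookie forces a fresh sign-in; with the
    Rolling expiry type every cookie-based authentication extends the session,
    with Absolute the original expiry stands.
    """
    if browser_restarted and not cookie.persistent:
        return False, None
    if now >= cookie.expires_at:
        return False, None
    if cfg.expiry_type == "Rolling":
        cookie = SessionCookie(cookie.created_at, now + _ttl(cfg, cookie.persistent),
                               cookie.persistent, cookie.local_account)
    return True, cookie
```

Running `sign_in` and then `authenticate_with_cookie` at chosen timestamps shows the difference between the two expiry types: with Rolling, an active user never hits the lifetime limit; with Absolute, re-authentication is forced at the configured time even during active use.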

Sign-out

When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. You must redirect the user to Azure AD B2C to sign out. Otherwise, the user might be able to re-authenticate to your applications without entering their credentials again.

Upon a sign-out request, Azure AD B2C:

  1. Invalidates the Azure AD B2C cookie-based session.
  2. Attempts to sign out from federated identity providers:
    • OpenID Connect - If the identity provider's well-known configuration endpoint specifies an end_session_endpoint location.
    • SAML - If the identity provider metadata contains a SingleLogoutService location.
  3. Optionally, signs out from other applications. For more information, see the Single sign-out section.

The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session. If the user selects the same identity provider during a subsequent sign-in, they might reauthenticate without entering their credentials. If a user wants to sign out of the application, it doesn't necessarily mean they want to sign out of their account. However, if local accounts are used, the user's session ends properly.

Single sign-out

Note

This feature is limited to custom policies.

When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.

Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
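The two application-side pieces described in the Sign-out and Single sign-out sections are the redirect to Azure AD B2C's sign-out endpoint and a LogoutUrl handler that clears the local session and answers 200. The following is an added example, not code from the page or from Microsoft, using only the Python standard library. It assumes the application keeps a server-side session keyed by a cookie named `app_session`, that the LogoutUrl is registered as `/signout-b2c`, that the GET arrives through the user's browser (so the application's own cookie is present), and that the sign-out endpoint is the `end_session_endpoint` value taken from the policy's well-known configuration; the hostnames are placeholders.

```python
"""LogoutUrl handler and sign-out redirect for Azure AD B2C (added example).

Not Microsoft's code. Assumptions: server-side sessions keyed by an
'app_session' cookie, LogoutUrl registered as /signout-b2c, and the B2C
end_session_endpoint passed in by the caller.
"""
from http.cookies import CookieError, SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlparse

APP_COOKIE = "app_session"
LOGOUT_PATH = "/signout-b2c"           # assumed registered LogoutUrl path
SESSIONS: Dict[str, str] = {}          # constructed in-memory store: session id -> user id


def build_signout_redirect(end_session_endpoint: str, post_logout_redirect_uri: str) -> str:
    """URL the app redirects to so Azure AD B2C itself ends the SSO session."""
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{end_session_endpoint}?{query}"


def _session_id_from_cookie(cookie_header: Optional[str]) -> Optional[str]:
    if not cookie_header:
        return None
    try:
        jar = SimpleCookie()
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get(APP_COOKIE)
    return morsel.value if morsel else None


def handle_logout_get(path: str, cookie_header: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Process the GET that Azure AD B2C sends to the LogoutUrl.

    Clears the server-side session identified by the app cookie (if any) and
    returns 200 with headers that expire the cookie. The handler is idempotent:
    a missing or unknown session still yields 200, as B2C only needs the
    acknowledgement. SameSite=None is required because the request is
    cross-site (it originates from the B2C domain), and no-store keeps the
    acknowledgement out of caches.
    """
    if urlparse(path).path != LOGOUT_PATH:
        return 404, {}
    sid = _session_id_from_cookie(cookie_header)
    if sid:
        SESSIONS.pop(sid, None)
    headers = {
        "Set-Cookie": f"{APP_COOKIE}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=None",
        "Cache-Control": "no-store",
    }
    return 200, headers


class LogoutHandler(BaseHTTPRequestHandler):
    """Thin http.server adapter around handle_logout_get for local testing."""

    def do_GET(self) -> None:  # noqa: N802 (http.server naming)
        status, headers = handle_logout_get(self.path, self.headers.get("Cookie"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    SESSIONS["demo-session"] = "demo-user"   # constructed sample session
    print(build_signout_redirect(
        "https://tenant.example.invalid/policy/oauth2/v2.0/logout",  # placeholder
        "https://app.example.invalid/"))                               # placeholder
    HTTPServer(("127.0.0.1", 8080), LogoutHandler).serve_forever()
```

Redirecting the browser to the value returned by `build_signout_redirect` is what ends the Azure AD B2C session; clearing only the local cookie, as the Sign-out section warns, leaves the B2C session intact and the user able to re-authenticate silently.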

Next steps