Microsoft Enterprise SSO plug-in for Apple devices (preview)

Important

This feature is in public preview. This preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see Supplemental terms of use for Azure previews.

The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Azure Active Directory (Azure AD) accounts on macOS, iOS, and iPadOS across all applications that support Apple's enterprise single sign-on feature. The plug-in provides SSO even for older applications that your business might depend on but that don't yet support the latest identity libraries or protocols. Microsoft worked closely with Apple to develop this plug-in to increase your applications' usability while providing the best protection available.

The Enterprise SSO plug-in is currently a built-in feature of the following apps:

  • Microsoft Authenticator: iOS, iPadOS
  • Microsoft Intune Company Portal: macOS

Features

The Microsoft Enterprise SSO plug-in for Apple devices offers the following benefits:

  • It provides SSO for Azure AD accounts across all applications that support the Apple Enterprise SSO feature.
  • It can be enabled by any mobile device management (MDM) solution.
  • It extends SSO to applications that don't yet use Microsoft identity platform libraries.
  • It extends SSO to applications that use OAuth 2, OpenID Connect, and SAML.

Requirements

To use the Microsoft Enterprise SSO plug-in for Apple devices:

  • The device must support, and have installed, an app that contains the Microsoft Enterprise SSO plug-in for Apple devices:
    • iOS 13.0 and later: Microsoft Authenticator app
    • iPadOS 13.0 and later: Microsoft Authenticator app
    • macOS 10.15 and later: Intune Company Portal app
  • The device must be enrolled in MDM, for example, through Microsoft Intune.
  • Configuration must be pushed to the device to enable the Enterprise SSO plug-in. Apple requires this security constraint.

iOS requirements:

  • iOS 13.0 or higher must be installed on the device.
  • A Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple devices must be installed on the device. For the public preview, this application is the Microsoft Authenticator app.

macOS requirements:

  • macOS 10.15 or higher must be installed on the device.
  • A Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple devices must be installed on the device. For the public preview, these applications include the Intune Company Portal app.

Enable the SSO plug-in

Use the following information to enable the SSO plug-in by using MDM.

Microsoft Intune configuration

If you use Microsoft Intune as your MDM service, you can use built-in configuration profile settings to enable the Microsoft Enterprise SSO plug-in:

  1. Configure the SSO app extension settings of a configuration profile.
  2. If the profile isn't already assigned, assign the profile to a user or device group.

The profile settings that enable the SSO plug-in are automatically applied to the group's devices the next time each device checks in with Intune.

Manual configuration for other MDM services

If you don't use Intune for MDM, use the following parameters to configure the Microsoft Enterprise SSO plug-in for Apple devices.

iOS settings:

  • Extension ID: com.microsoft.azureauthenticator.ssoextension
  • Team ID: This field isn't needed for iOS.

macOS settings:

  • Extension ID: com.microsoft.CompanyPortalMac.ssoextension
  • Team ID: UBF8T346G9

Common settings:

  • Type: Redirect
  • URLs:
    • https://login.partner.microsoftonline.cn
    • https://login.chinacloudapi.cn

More configuration options

You can add more configuration options to extend SSO functionality to other apps.

Enable SSO for apps that don't use a Microsoft identity platform library

The SSO plug-in allows any application to participate in SSO, even if it wasn't developed by using a Microsoft SDK like the Microsoft Authentication Library (MSAL).

The SSO plug-in is installed automatically on devices that have:

  • Downloaded the Authenticator app on iOS or iPadOS, or downloaded the Intune Company Portal app on macOS.
  • Registered the device with your organization.

Your organization likely uses the Authenticator app for scenarios like multifactor authentication (MFA), passwordless authentication, and conditional access. By using an MDM provider, you can turn on the SSO plug-in for your applications. Microsoft has made it easy to configure the plug-in inside Microsoft Endpoint Manager in Intune. An allowlist is used to configure these applications to use the SSO plug-in.

Important

The Microsoft Enterprise SSO plug-in supports only apps that use native Apple network technologies or webviews. It doesn't support applications that ship their own network layer implementation.

Use the following parameters to configure the Microsoft Enterprise SSO plug-in for apps that don't use a Microsoft identity platform library.

To provide a list of specific apps, use these parameters:

  • Key: AppAllowList
  • Type: String
  • Value: Comma-delimited list of application bundle IDs for the applications that are allowed to participate in SSO.
  • Example: com.contoso.workapp, com.contoso.travelapp

To provide a list of prefixes, use these parameters:

  • Key: AppPrefixAllowList
  • Type: String
  • Value: Comma-delimited list of application bundle ID prefixes for the applications that are allowed to participate in SSO. This parameter allows all apps that start with a particular prefix to participate in SSO.
  • Example: com.contoso., com.fabrikam.

Consented apps that the MDM admin allows to participate in SSO can silently get a token for the end user. So add only trusted applications to the allowlist.
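
The manual configuration values above and the two allowlist keys are what an MDM profile for a non-Intune service has to carry. The following script is an added example, not Microsoft's or Apple's own code: it builds the Apple Extensible SSO payload (PayloadType com.apple.extensiblesso with the ExtensionIdentifier, TeamIdentifier, Type, URLs and ExtensionData keys Apple's MDM profile reference defines) with Python's standard plistlib, filling in the extension IDs, team ID, redirect URLs and allowlist keys from this page. Because every allowlisted app can obtain tokens silently, it also rejects malformed bundle IDs and prefixes too broad to name a single vendor before emitting the profile. The PayloadIdentifier and PayloadDisplayName values are constructed placeholders.

```python
"""Build a com.apple.extensiblesso profile for the Microsoft Enterprise SSO plug-in.

Added example (not Microsoft's or Apple's code). Extension IDs, team ID, URLs and
ExtensionData keys come from the page; PayloadIdentifier values are placeholders.
"""
import plistlib
import re
import uuid

# Per-platform values from the page. iOS does not need a Team ID.
PLATFORMS = {
    "ios": {
        "ExtensionIdentifier": "com.microsoft.azureauthenticator.ssoextension",
    },
    "macos": {
        "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
        "TeamIdentifier": "UBF8T346G9",
    },
}
REDIRECT_URLS = [
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
]

# Reverse-DNS bundle identifier: at least two dot-separated labels.
BUNDLE_ID = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_allowlist(bundle_ids, prefixes):
    """Return a list of problems with the AppAllowList / AppPrefixAllowList inputs.

    Allowlisted apps get tokens silently, so malformed IDs and over-broad
    prefixes (e.g. 'com.' would cover every app on the device) are rejected.
    """
    problems = []
    for b in bundle_ids:
        if not BUNDLE_ID.match(b):
            problems.append(f"AppAllowList: malformed bundle ID {b!r}")
    for p in prefixes:
        if not p.endswith("."):
            problems.append(f"AppPrefixAllowList: prefix {p!r} should end with '.'")
        if p.count(".") < 2:  # 'com.' has one dot, 'com.contoso.' has two
            problems.append(f"AppPrefixAllowList: prefix {p!r} is too broad")
    return problems


def build_payload(platform, bundle_ids=(), prefixes=()):
    """Return the com.apple.extensiblesso payload dict for 'ios' or 'macos'."""
    problems = validate_allowlist(bundle_ids, prefixes)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.sso.{platform}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Microsoft Enterprise SSO",  # placeholder
        "Type": "Redirect",
        "URLs": list(REDIRECT_URLS),
        "ExtensionData": {},
    }
    payload.update(PLATFORMS[platform])
    # The page documents both keys as comma-delimited strings.
    if bundle_ids:
        payload["ExtensionData"]["AppAllowList"] = ", ".join(bundle_ids)
    if prefixes:
        payload["ExtensionData"]["AppPrefixAllowList"] = ", ".join(prefixes)
    return payload


def build_profile(platform, bundle_ids=(), prefixes=()):
    """Wrap the payload in a top-level profile and return .mobileconfig XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.profile.sso.{platform}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Microsoft Enterprise SSO plug-in",  # placeholder
        "PayloadContent": [build_payload(platform, bundle_ids, prefixes)],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Example values from the page.
    print(build_profile(
        "macos",
        bundle_ids=["com.contoso.workapp", "com.contoso.travelapp"],
        prefixes=["com.contoso.", "com.fabrikam."],
    ).decode())
```

The emitted XML is an unsigned profile; sign it and deliver it through your MDM service as that service requires. The validation step is intentionally strict about prefixes, because AppPrefixAllowList matches every bundle ID that begins with the prefix.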

Note

You don't need to add applications that use MSAL or ASWebAuthenticationSession to the list of apps that can participate in SSO. Those applications are enabled by default.

Find app bundle identifiers on iOS devices

Apple provides no easy way to get bundle IDs from the App Store. The easiest way to get the bundle IDs of the apps you want to use for SSO is to ask your vendor or app developer. If that option isn't available, you can use your MDM configuration to find the bundle IDs:

  1. Temporarily enable the following flag in your MDM configuration:

    • Key: admin_debug_mode_enabled
    • Type: Integer
    • Value: 1 or 0
  2. While this flag is on, sign in to the iOS apps on the device whose bundle IDs you want to know.

  3. In the Authenticator app, select Help > Send logs > View logs.

  4. In the log file, look for the following line: [ADMIN MODE] SSO extension has captured following app bundle identifiers. This line should capture all application bundle IDs that are visible to the SSO extension.

Use the bundle IDs to configure SSO for the apps.
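
Step 4 above leaves you reading bundle IDs out of a log by eye. The script below is an added example, not Microsoft's code: it pulls the IDs from every line that carries the [ADMIN MODE] marker, de-duplicates them, and reports which ones an existing AppAllowList or AppPrefixAllowList doesn't already cover. It assumes the identifiers follow the marker on the same line as a comma-separated list; the page doesn't document that layout, and the sample log (timestamps and unrelated lines included) is constructed.

```python
"""Extract app bundle identifiers from Authenticator admin-mode logs.

Added example, not Microsoft's code. Assumes (not documented on the page) that the
bundle IDs follow the marker on the same line, comma-separated. SAMPLE_LOG is constructed.
"""
import re

MARKER = "[ADMIN MODE] SSO extension has captured following app bundle identifiers"
# Reverse-DNS identifier: two or more dot-separated labels.
BUNDLE_ID = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample log; the layout after the marker is an assumption.
SAMPLE_LOG = """\
2024-01-01 09:00:01 [INFO] SSO extension started
2024-01-01 09:00:05 [ADMIN MODE] SSO extension has captured following app bundle identifiers: com.contoso.workapp, com.contoso.travelapp
2024-01-01 09:01:10 [ADMIN MODE] SSO extension has captured following app bundle identifiers: com.contoso.workapp, com.fabrikam.myapp2
2024-01-01 09:02:00 [INFO] token request completed
"""


def captured_bundle_ids(log_text):
    """Return the de-duplicated bundle IDs found on marker lines, in order of first sight."""
    seen = []
    for line in log_text.splitlines():
        idx = line.find(MARKER)
        if idx < 0:
            continue
        # Only look at the text after the marker so the timestamp is never matched.
        tail = line[idx + len(MARKER):]
        for bid in BUNDLE_ID.findall(tail):
            if bid not in seen:
                seen.append(bid)
    return seen


def not_yet_allowed(bundle_ids, app_allow_list, prefix_allow_list):
    """Return captured IDs that neither AppAllowList nor AppPrefixAllowList already covers."""
    return [
        b for b in bundle_ids
        if b not in app_allow_list
        and not any(b.startswith(p) for p in prefix_allow_list)
    ]


def allowlist_value(bundle_ids):
    """Format IDs as the comma-delimited AppAllowList string the page describes."""
    return ", ".join(bundle_ids)


if __name__ == "__main__":
    ids = captured_bundle_ids(SAMPLE_LOG)
    print("captured:", allowlist_value(ids))
    missing = not_yet_allowed(ids, ["com.contoso.workapp"], ["com.fabrikam."])
    print("still to allowlist:", allowlist_value(missing))
```

Review the "still to allowlist" output before adding anything: the extension logs every app it saw sign in while the debug flag was on, and only trusted applications belong on the allowlist. Turn admin_debug_mode_enabled back off once you have the IDs.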

Allow users to sign in from unknown applications and the Safari browser

By default, the Microsoft Enterprise SSO plug-in provides SSO for authorized apps only when a user has signed in from an app that uses a Microsoft identity platform library like MSAL or the Azure Active Directory Authentication Library (ADAL). The Microsoft Enterprise SSO plug-in can also acquire a shared credential when it's called by another app that uses a Microsoft identity platform library during a new token acquisition.

When you enable the browser_sso_interaction_enabled flag, apps that don't use a Microsoft identity platform library can do the initial bootstrapping and get a shared credential. The Safari browser can also do the initial bootstrapping and get a shared credential.

If the Microsoft Enterprise SSO plug-in doesn't have a shared credential yet, it will try to get one whenever a sign-in is requested from an Azure AD URL inside the Safari browser, ASWebAuthenticationSession, SafariViewController, or another permitted native application.

Use these parameters to enable the flag:

  • Key: browser_sso_interaction_enabled
  • Type: Integer
  • Value: 1 or 0

macOS requires this setting so it can provide a consistent experience across all apps. iOS and iPadOS don't require this setting because most apps use the Authenticator application for sign-in. But we recommend that you enable this setting anyway, because if some of your applications don't use the Authenticator app on iOS or iPadOS, this flag will improve the experience. The setting is disabled by default.

Disable asking for MFA during initial bootstrapping

By default, the Microsoft Enterprise SSO plug-in always prompts the user for MFA during the initial bootstrapping and while getting a shared credential. The user is prompted for MFA even if it's not required for the application that the user has opened. This behavior allows the shared credential to be used easily across all other applications without the need to prompt the user if MFA is required later. Because the user gets fewer prompts overall, this setup is generally a good decision.

Enabling browser_sso_disable_mfa turns off MFA during initial bootstrapping and while getting the shared credential. In this case, the user is prompted only when MFA is required by an application or resource.

To enable the flag, use these parameters:

  • Key: browser_sso_disable_mfa
  • Type: Integer
  • Value: 1 or 0

We recommend keeping this flag disabled, because doing so reduces the number of times the user is prompted to sign in. If your organization rarely uses MFA, you might want to enable the flag. But we recommend that you use MFA more frequently instead. For this reason, the flag is disabled by default.

Disable OAuth 2 application prompts

The Microsoft Enterprise SSO plug-in provides SSO by appending shared credentials to network requests that come from allowed applications. However, some OAuth 2 applications might incorrectly enforce end-user prompts at the protocol layer. If you see this problem, you'll also see that shared credentials are ignored for those apps. Your user is prompted to sign in even though the Microsoft Enterprise SSO plug-in works for other applications.

Enabling the disable_explicit_app_prompt flag restricts the ability of both native applications and web applications to force an end-user prompt on the protocol layer and bypass SSO. To enable the flag, use these parameters:

  • Key: disable_explicit_app_prompt
  • Type: Integer
  • Value: 1 or 0

We recommend enabling this flag to get a consistent experience across all apps. It's disabled by default.

Enable SSO through cookies for a specific application

A few apps might be incompatible with the SSO extension. Specifically, apps that have advanced network settings might experience unexpected issues when they're enabled for SSO. For example, you might see an error indicating that a network request was canceled or interrupted.

If you have problems signing in by using the method described in the Applications that don't use MSAL section, try an alternative configuration. Use these parameters to configure the plug-in:

  • Key: AppCookieSSOAllowList
  • Type: String
  • Value: Comma-delimited list of application bundle ID prefixes for the applications that are allowed to participate in SSO. All apps that start with the listed prefixes will be allowed to participate in SSO.
  • Example: com.contoso.myapp1, com.fabrikam.myapp2

Applications enabled for SSO by using this setup need to be added to both AppCookieSSOAllowList and AppPrefixAllowList.

Try this configuration only for applications that have unexpected sign-in failures.
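
The four settings above each come with a recommendation (browser_sso_interaction_enabled required on macOS and recommended elsewhere, browser_sso_disable_mfa kept off, disable_explicit_app_prompt turned on, and every AppCookieSSOAllowList entry also covered by AppPrefixAllowList), and a profile that drifts from them fails quietly at sign-in rather than at deployment. The linter below is an added example, not Microsoft's code: it takes the ExtensionData dictionary of a profile and reports each deviation from those recommendations, shown against a constructed weak configuration and its corrected counterpart. The severity labels are this example's own convention.

```python
"""Lint the ExtensionData of a Microsoft Enterprise SSO plug-in profile against
the recommendations on this page.

Added example, not Microsoft's code. Keys checked are the ones the page documents;
severity labels and the WEAK / CORRECTED samples are constructed for illustration.
"""


def _csv(value):
    """Split a comma-delimited allowlist string into stripped, non-empty items."""
    return [x.strip() for x in (value or "").split(",") if x.strip()]


def lint_extension_data(ext, platform):
    """Return (severity, message) findings for one ExtensionData dict.

    platform is 'ios' or 'macos'. The page says macOS requires
    browser_sso_interaction_enabled; on iOS/iPadOS it is only recommended.
    """
    findings = []
    if ext.get("browser_sso_interaction_enabled", 0) != 1:
        sev = "error" if platform == "macos" else "warn"
        findings.append((sev, "browser_sso_interaction_enabled is not 1: non-MSAL apps "
                              "and Safari cannot bootstrap a shared credential"))
    if ext.get("browser_sso_disable_mfa", 0) == 1:
        findings.append(("warn", "browser_sso_disable_mfa=1 skips MFA at bootstrap; "
                                 "the page recommends leaving it disabled"))
    if ext.get("disable_explicit_app_prompt", 0) != 1:
        findings.append(("info", "disable_explicit_app_prompt is not 1: OAuth 2 apps "
                                 "may force protocol-layer prompts that bypass SSO"))
    # Cookie-based SSO apps must also be matched by an AppPrefixAllowList prefix.
    prefixes = _csv(ext.get("AppPrefixAllowList"))
    for app in _csv(ext.get("AppCookieSSOAllowList")):
        if not any(app.startswith(p) for p in prefixes):
            findings.append(("error", f"AppCookieSSOAllowList entry {app!r} has no "
                                      "matching AppPrefixAllowList prefix"))
    return findings


# Constructed sample: a weak configuration beside its corrected form.
WEAK = {
    "AppAllowList": "com.contoso.workapp",
    "AppCookieSSOAllowList": "com.fabrikam.myapp2",
    "browser_sso_disable_mfa": 1,
}
CORRECTED = {
    "AppAllowList": "com.contoso.workapp",
    "AppPrefixAllowList": "com.fabrikam.",
    "AppCookieSSOAllowList": "com.fabrikam.myapp2",
    "browser_sso_interaction_enabled": 1,
    "disable_explicit_app_prompt": 1,
}

if __name__ == "__main__":
    for name, ext in (("weak", WEAK), ("corrected", CORRECTED)):
        findings = lint_extension_data(ext, "macos")
        print(f"{name}: {len(findings)} finding(s)")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run it against the ExtensionData dictionary your MDM exports (Intune and most other services let you view the profile as a plist) before assigning the profile to a device group; an empty result means the profile matches every recommendation on this page.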

Use Intune for simplified configuration

You can use Intune as your MDM service to ease configuration of the Microsoft Enterprise SSO plug-in. For example, you can use Intune to enable the plug-in and add old apps to an allowlist so they get SSO.

For more information, see the Intune configuration documentation.

Use the SSO plug-in in your application

MSAL for Apple devices versions 1.1.0 and later supports the Microsoft Enterprise SSO plug-in for Apple devices. It's the recommended way to add support for the Microsoft Enterprise SSO plug-in. It ensures you get the full capabilities of the Microsoft identity platform.

If you're building an application for frontline-worker scenarios, see Shared device mode for iOS devices for setup information.

Understand how the SSO plug-in works

The Microsoft Enterprise SSO plug-in relies on the Apple Enterprise SSO framework. Identity providers that join the framework can intercept network traffic for their domains and enhance or change how those requests are handled. For example, the SSO plug-in can show more UI to collect end-user credentials securely, require MFA, or silently provide tokens to the application.

Native applications can also implement custom operations and communicate directly with the SSO plug-in.

Applications that use MSAL

MSAL for Apple devices versions 1.1.0 and later supports the Microsoft Enterprise SSO plug-in for Apple devices natively for work and school accounts.

You don't need any special configuration if you followed all recommended steps and used the default redirect URI format. On devices that have the SSO plug-in, MSAL automatically invokes it for all interactive and silent token requests. It also invokes it for account enumeration and account removal operations. Because MSAL implements a native SSO plug-in protocol that relies on custom operations, this setup provides the smoothest native experience to the end user.

If the SSO plug-in isn't enabled by MDM but the Microsoft Authenticator app is present on the device, MSAL instead uses the Authenticator app for any interactive token requests. The SSO plug-in shares SSO with the Authenticator app.

Applications that don't use MSAL

Applications that don't use a Microsoft identity platform library, like MSAL, can still get SSO if an administrator adds these applications to the allowlist.

You don't need to change the code in those apps as long as the following conditions are satisfied:

  • The application uses Apple frameworks to run network requests. These frameworks include WKWebView and NSURLSession, for example.
  • The application uses standard protocols to communicate with Azure AD. These protocols include, for example, OAuth 2, SAML, and WS-Federation.
  • The application doesn't collect plaintext usernames and passwords in the native UI.

In this case, SSO is provided when the application creates a network request and opens a web browser to sign the user in. When a user is redirected to an Azure AD sign-in URL, the SSO plug-in validates the URL and checks for an SSO credential for that URL. If it finds the credential, the SSO plug-in passes it to Azure AD, which authorizes the application to complete the network request without asking the user to enter credentials. Additionally, if the device is known to Azure AD, the SSO plug-in passes the device certificate to satisfy the device-based conditional access check.

To support SSO for non-MSAL apps, the SSO plug-in implements a protocol similar to the Windows browser plug-in described in What is a primary refresh token?.

Compared to MSAL-based apps, the SSO plug-in acts more transparently for non-MSAL apps. It integrates with the existing browser sign-in experience that apps provide.

The end user sees the familiar experience and doesn't have to sign in again in each application. For example, instead of displaying the native account picker, the SSO plug-in adds SSO sessions to the web-based account picker experience.

Next steps

Learn about Shared device mode for iOS devices.