Federation metadata

Azure Active Directory (Azure AD) publishes a federation metadata document for services that are configured to accept the security tokens that Azure AD issues. The federation metadata document format is described in Web Services Federation Language (WS-Federation) Version 1.2, which extends Metadata for the OASIS Security Assertion Markup Language (SAML) v2.0.

Tenant-specific and tenant-independent metadata endpoints

Azure AD publishes tenant-specific and tenant-independent endpoints.

Tenant-specific endpoints are designed for a particular tenant. The tenant-specific federation metadata includes information about the tenant, including tenant-specific issuer and endpoint information. Applications that restrict access to a single tenant use tenant-specific endpoints.

Tenant-independent endpoints provide information that is common to all Azure AD tenants. This information applies to tenants hosted at login.partner.microsoftonline.cn and is shared across tenants. Tenant-independent endpoints are recommended for multi-tenant applications, since they are not associated with any particular tenant.

Federation metadata endpoints

Azure AD publishes federation metadata at https://login.partner.microsoftonline.cn/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml.

For tenant-specific endpoints, the TenantDomainName can be one of the following types:

  • A registered domain name of an Azure AD tenant, such as contoso.partner.onmschina.cn.
  • The immutable tenant ID of the domain, such as 72f988bf-86f1-41af-91ab-2d7cd011db45.

For tenant-independent endpoints, the TenantDomainName is the literal value common. This document lists only the federation metadata elements that are common to all Azure AD tenants hosted at login.partner.microsoftonline.cn.

For example, a tenant-specific endpoint might be https://login.partner.microsoftonline.cn/contoso.partner.onmschina.cn/FederationMetadata/2007-06/FederationMetadata.xml. The tenant-independent endpoint is https://login.partner.microsoftonline.cn/common/FederationMetadata/2007-06/FederationMetadata.xml. You can view the federation metadata document by entering this URL in a browser.

Contents of federation metadata

The following sections provide the information needed by services that consume the tokens issued by Azure AD.

Entity ID

The EntityDescriptor element contains an entityID attribute. The value of the entityID attribute identifies the issuer, that is, the security token service (STS) that issued the token. It is important to validate the issuer when you receive a token.

The following metadata shows a sample tenant-specific EntityDescriptor element with its entityID attribute.

<EntityDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
ID="_b827a749-cfcb-46b3-ab8b-9f6d14a1294b"
entityID="https://sts.chinacloudapi.cn/72f988bf-86f1-41af-91ab-2d7cd011db45/">

You can replace the {tenant} segment of the tenant-independent entityID value with your tenant ID to create a tenant-specific entityID value. The resulting value is the same as the token issuer. This strategy allows a multi-tenant application to validate the issuer for a given tenant.
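The issuer check described above, as an added Python example that is not part of the original page: it derives the tenant-specific issuer from the tenant-independent entityID template shown on this page by substituting the tenant ID for the literal {tenant}, then requires a token's issuer to match it exactly. The claim names iss and tid, the optional tenant allow-list and the function names are assumptions of this example; the token payload is assumed to have had its signature verified already against the published signing keys.

```python
import uuid

# Value from the page's tenant-independent metadata sample; "{tenant}" is a literal
# in the published document, so it is substituted here by plain string replacement.
TENANT_INDEPENDENT_ENTITY_ID = "https://sts.chinacloudapi.cn/{tenant}/"


def expected_issuer(tenant_id: str) -> str:
    """Derive the tenant-specific issuer from the tenant-independent template.

    The tenant ID is parsed as a GUID and re-emitted in canonical form, so a
    malformed or non-GUID value raises ValueError instead of being spliced
    into the issuer string.
    """
    canonical = str(uuid.UUID(tenant_id))  # lowercase, hyphenated form
    return TENANT_INDEPENDENT_ENTITY_ID.replace("{tenant}", canonical)


def issuer_is_valid(claims: dict, allowed_tenants=None) -> bool:
    """Check that a token's issuer matches the tenant it claims to come from.

    `claims` is the signature-verified token payload (assumed to carry "iss"
    and "tid" claims). `allowed_tenants` is an optional allow-list of tenant
    IDs; when None, any tenant is accepted as long as iss and tid agree.
    """
    iss = claims.get("iss")
    tid = claims.get("tid")
    if not isinstance(iss, str) or not isinstance(tid, str):
        return False
    try:
        expected = expected_issuer(tid)
    except ValueError:
        return False
    # Whole-string, case-sensitive comparison: a missing trailing slash, a
    # different host, or the unsubstituted template itself all fail.
    if iss != expected:
        return False
    if allowed_tenants is None:
        return True
    return str(uuid.UUID(tid)) in {str(uuid.UUID(t)) for t in allowed_tenants}


if __name__ == "__main__":
    sample = {"iss": expected_issuer("72f988bf-86f1-41af-91ab-2d7cd011db45"),
              "tid": "72f988bf-86f1-41af-91ab-2d7cd011db45"}
    print(issuer_is_valid(sample, ["72f988bf-86f1-41af-91ab-2d7cd011db45"]))
```

The comparison is deliberately an equality test on the whole string rather than a prefix or substring match, and the tenant ID is canonicalised through uuid.UUID on both sides so that case or bracket differences in configuration do not produce false rejections.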

The following metadata shows a sample tenant-independent entityID attribute. Note that {tenant} is a literal string in the document, not a placeholder.

<EntityDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
ID="_0e5bd9d0-49ef-4258-bc15-21ce143b61bd"
entityID="https://sts.chinacloudapi.cn/{tenant}/">

Token signing certificates

When a service receives a token issued by an Azure AD tenant, the signature of the token must be validated with a signing key that is published in the federation metadata document. The federation metadata includes the public portion of the certificates that the tenant uses for token signing. The raw certificate bytes appear in the KeyDescriptor element. A token signing certificate is valid for signing only when the value of its use attribute is signing.

A federation metadata document published by Azure AD can contain multiple signing keys, for example when Azure AD is preparing to update the signing certificate. When a federation metadata document includes more than one certificate, a service that validates the tokens should support all certificates in the document.

The following metadata shows a sample KeyDescriptor element with a signing key.

<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>
[base64-encoded certificate bytes omitted]
</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>

The KeyDescriptor element appears in two places in the federation metadata document: in the WS-Federation-specific section and in the SAML-specific section. The certificates published in both sections are the same.

In the WS-Federation-specific section, a WS-Federation metadata reader reads the certificates from a RoleDescriptor element whose xsi:type is SecurityTokenServiceType.

The following metadata shows a sample RoleDescriptor element.

<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">

In the SAML-specific section, a metadata reader reads the certificates from the IDPSSODescriptor element.

The following metadata shows a sample IDPSSODescriptor element.

<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

There are no differences in the format of tenant-specific and tenant-independent certificates.

WS-Federation endpoint URL

The federation metadata includes the URL that Azure AD uses for single sign-in and single sign-out in the WS-Federation protocol. This endpoint appears in the PassiveRequestorEndpoint element.

The following metadata shows a sample PassiveRequestorEndpoint element for a tenant-specific endpoint.

<fed:PassiveRequestorEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>
https://login.partner.microsoftonline.cn/72f988bf-86f1-41af-91ab-2d7cd011db45/wsfed
</Address>
</EndpointReference>
</fed:PassiveRequestorEndpoint>

For the tenant-independent endpoint, the WS-Federation URL appears in the PassiveRequestorEndpoint element as shown in the following sample.

<fed:PassiveRequestorEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>
https://login.partner.microsoftonline.cn/common/wsfed
</Address>
</EndpointReference>
</fed:PassiveRequestorEndpoint>

SAML protocol endpoint URL

The federation metadata includes the URL that Azure AD uses for single sign-in and single sign-out in the SAML 2.0 protocol. These endpoints appear in the IDPSSODescriptor element.

The sign-in and sign-out URLs appear in the SingleSignOnService and SingleLogoutService elements, respectively.

The following metadata shows a sample IDPSSODescriptor element for a tenant-specific endpoint.

<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
…
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.partner.microsoftonline.cn/contoso.partner.onmschina.cn/saml2" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.partner.microsoftonline.cn/contoso.partner.onmschina.cn/saml2" />
  </IDPSSODescriptor>

Similarly, the common SAML 2.0 protocol endpoints are published in the tenant-independent federation metadata, as shown in the following sample.

<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
…
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.partner.microsoftonline.cn/common/saml2" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.partner.microsoftonline.cn/common/saml2" />
  </IDPSSODescriptor>
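The consumer-side handling described in the token signing certificate and endpoint sections above, as an added Python example that is not part of the original page: it parses a constructed federation metadata document laid out like the samples on this page, collects only KeyDescriptor entries whose use attribute is signing from both the WS-Federation section (the RoleDescriptor typed SecurityTokenServiceType) and the SAML section (IDPSSODescriptor), checks that the two sections agree, reads the PassiveRequestorEndpoint address and the SingleSignOnService/SingleLogoutService locations, and tries every published certificate when matching a token's key thumbprint, so a document carrying an old and a new key during rollover still verifies. The certificate bytes are constructed stand-ins, the entityID and endpoint values are the tenant-independent ones shown on this page, and the SHA-1 thumbprint key-ID form, the function names and the extra encryption-use KeyDescriptor are assumptions of this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs as used in SAML 2.0 metadata and WS-Federation documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed stand-ins for DER certificate bytes; real metadata carries X.509 DER.
SAMPLE_CERT_A = base64.b64encode(b"constructed DER bytes for signing key A").decode()
SAMPLE_CERT_B = base64.b64encode(b"constructed DER bytes for signing key B").decode()
SAMPLE_CERT_C = base64.b64encode(b"constructed DER bytes for a non-signing key").decode()

# Constructed tenant-independent metadata following the page's element layout: an STS
# RoleDescriptor (WS-Federation section) and an IDPSSODescriptor (SAML section) that
# publish the same two signing keys. Key A is wrapped in whitespace as in the page's sample.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_constructed" entityID="https://sts.chinacloudapi.cn/{tenant}/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
      CERT_A
    </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>CERT_B</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>https://login.partner.microsoftonline.cn/common/wsfed</Address>
    </EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>CERT_A</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>CERT_B</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>CERT_C</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.partner.microsoftonline.cn/common/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.partner.microsoftonline.cn/common/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".replace("CERT_A", SAMPLE_CERT_A).replace("CERT_B", SAMPLE_CERT_B).replace("CERT_C", SAMPLE_CERT_C)


def _signing_certs(descriptor):
    """Certificates from KeyDescriptor children whose use attribute is exactly "signing",
    with any whitespace around the base64 text removed."""
    certs = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            certs.append("".join(node.text.split()))
    return certs


def parse_federation_metadata(xml_text):
    """Extract issuer, signing certificates and endpoints from a federation metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    # WS-Federation section: the RoleDescriptor typed fed:SecurityTokenServiceType.
    # ElementTree leaves xsi:type as a prefixed QName, so only the local part is compared.
    sts = next((rd for rd in root.findall("md:RoleDescriptor", NS)
                if rd.get("{%s}type" % NS["xsi"], "").split(":")[-1] == "SecurityTokenServiceType"), None)
    idp = root.find("md:IDPSSODescriptor", NS)  # SAML section
    if sts is None or idp is None:
        raise ValueError("missing SecurityTokenServiceType RoleDescriptor or IDPSSODescriptor")
    wsfed_certs, saml_certs = _signing_certs(sts), _signing_certs(idp)
    addr = sts.find("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": wsfed_certs,
        # The page states both sections publish the same certificates; surface any mismatch.
        "sections_agree": sorted(wsfed_certs) == sorted(saml_certs),
        "wsfed_endpoint": addr.text.strip() if addr is not None and addr.text else None,
        "saml_sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "saml_slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
    }


def thumbprint(cert_b64):
    """Base64url SHA-1 of the DER bytes without padding (assumed key-ID form, as in an x5t header)."""
    der = base64.b64decode(cert_b64)
    return base64.urlsafe_b64encode(hashlib.sha1(der).digest()).rstrip(b"=").decode()


def select_signing_cert(metadata, key_thumbprint):
    """Return the published certificate matching a token's key thumbprint, or None.
    Every published key is tried, because metadata may list several during rollover."""
    for cert in metadata["signing_certs"]:
        if thumbprint(cert) == key_thumbprint:
            return cert
    return None


if __name__ == "__main__":
    meta = parse_federation_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["wsfed_endpoint"], meta["saml_sso"], meta["sections_agree"])
```

A service would fetch the document over HTTPS from the metadata endpoint named earlier on this page, cache the result, and re-fetch when a token references a key that is not in the cached set; refusing a token whose key is absent from every published KeyDescriptor with use="signing" is what makes the metadata the trust anchor for signature validation.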