Active Directory Federation Services support in MSAL for Java

Active Directory Federation Services (AD FS) in Windows Server enables you to add OpenID Connect and OAuth 2.0 based authentication and authorization to your Microsoft Authentication Library for Java (MSAL for Java) app. Once integrated, your app can authenticate users in AD FS, federated through Azure AD. For more information about scenarios, see AD FS Scenarios for Developers.

An app that uses MSAL for Java talks to Azure Active Directory (Azure AD), which then federates to AD FS.

MSAL for Java connects to Azure AD, which signs in users that are managed in Azure AD (managed users) or users managed by another identity provider such as AD FS (federated users). MSAL for Java doesn't know that a user is federated; it simply talks to Azure AD.

The authority you use in this case is the usual authority (authority host name + tenant, common, or organizations).

Acquire a token interactively for a federated user

When you call ConfidentialClientApplication.AcquireToken() or PublicClientApplication.AcquireToken() with AuthorizationCodeParameters or DeviceCodeParameters, the user experience is typically:

  1. The user enters their account ID.
  2. Azure AD briefly displays "Taking you to your organization's page", and the user is redirected to the sign-in page of the identity provider. The sign-in page is usually customized with the logo of the organization.

The supported AD FS versions in this federated scenario are:

  • Active Directory Federation Services v2
  • Active Directory Federation Services v3 (Windows Server 2012 R2)
  • Active Directory Federation Services v4 (AD FS 2016)

Acquire a token via username and password

When you acquire a token using ConfidentialClientApplication.AcquireToken() or PublicClientApplication.AcquireToken() with IntegratedWindowsAuthenticationParameters or UsernamePasswordParameters, MSAL for Java determines which identity provider to contact based on the username. MSAL for Java obtains a SAML 1.1 token from the identity provider and presents it to Azure AD, which returns a JSON Web Token (JWT).
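The following is an added example (not code from the article or from the MSAL for Java project) that ties together both flows described above: the interactive device code path and the username/password path. In both cases the app is built against the ordinary Azure AD authority and never references AD FS; the client ID, tenant ID and scope are assumed placeholder values.

```java
import com.microsoft.aad.msal4j.DeviceCode;
import com.microsoft.aad.msal4j.DeviceCodeParameters;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UsernamePasswordParameters;

import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.function.Consumer;

public class FederatedSignIn {
    // Assumed placeholders, not values from the article: the app registration's
    // client ID and the Azure AD tenant that federates to AD FS.
    private static final String CLIENT_ID = "<application-client-id>";
    private static final String AUTHORITY = "https://login.microsoftonline.com/<tenant-id>/";
    private static final Set<String> SCOPES = Collections.singleton("User.Read");

    // The authority is the usual Azure AD one; federation to AD FS is invisible here.
    static PublicClientApplication buildApp() throws Exception {
        return PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .build();
    }

    // Interactive path: after the account ID is entered, Azure AD redirects the
    // user to the AD FS sign-in page; the app only sees the final Azure AD result.
    static IAuthenticationResult acquireWithDeviceCode(PublicClientApplication app) {
        Consumer<DeviceCode> showCode = code -> System.out.println(code.message());
        DeviceCodeParameters params = DeviceCodeParameters.builder(SCOPES, showCode).build();
        return app.acquireToken(params).join();
    }

    // Non-interactive path: MSAL picks the identity provider from the username,
    // obtains a SAML 1.1 token from AD FS and exchanges it at Azure AD for a JWT.
    static IAuthenticationResult acquireWithPassword(PublicClientApplication app,
                                                     String username, char[] password) {
        UsernamePasswordParameters params =
                UsernamePasswordParameters.builder(SCOPES, username, password).build();
        try {
            return app.acquireToken(params).join();
        } finally {
            Arrays.fill(password, '\0'); // clear the credential once MSAL has used it
        }
    }

    public static void main(String[] args) throws Exception {
        IAuthenticationResult result = acquireWithDeviceCode(buildApp());
        System.out.println("Signed in as " + result.account().username());
        System.out.println("Access token (Azure AD JWT) expires " + result.expiresOnDate());
    }
}
```

The access token returned in either path is issued by Azure AD, so downstream validation (issuer, audience, signature) is the same for managed and federated users.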