MSAL.NET 中的 Active Directory 联合身份验证服务支持Active Directory Federation Services support in MSAL.NET

使用 Windows Server 中的 Active Directory 联合身份验证服务 (AD FS) 可将基于 OpenID Connect 和 OAuth 2.0 的身份验证与授权添加到开发中的应用程序。Active Directory Federation Services (AD FS) in Windows Server enables you to add OpenID Connect and OAuth 2.0 based authentication and authorization to applications you are developing. 然后,这些应用程序可以根据 AD FS 直接对用户进行身份验证。Those applications can, then, authenticate users directly against AD FS. 有关详细信息,请阅读面向开发人员的 AD FS 方案For more information, read AD FS Scenarios for Developers.

适用于 .NET 的 Microsoft 身份验证库 (MSAL.NET) 支持根据 AD FS 使用两种身份验证方案:Microsoft Authentication Library for .NET (MSAL.NET) supports two scenarios for authenticating against AD FS:

  • MSAL.NET 与 Azure Active Directory 通信,后者本身已与 AD FS 联合。 MSAL.NET talks to Azure Active Directory, which itself is federated with AD FS.
  • MSAL.NET 直接与 ADFS 机构通信。 MSAL.NET talks directly to an ADFS authority. 只有 AD FS 2019 及更高版本才支持此功能。This is only supported from AD FS 2019 and above. 本文重点介绍的方案之一是 Azure Stack 支持One of the scenarios this highlights is Azure Stack support

MSAL 连接到已与 AD FS 联合的 Azure ADMSAL connects to Azure AD, which is federated with AD FS

MSAL.NET 支持连接到 Azure AD,后者可将托管用户(在 Azure AD 中管理的用户)或联合用户(由其他标识提供者(例如 AD FS)管理的用户)登录。MSAL.NET supports connecting to Azure AD, which signs in managed-users (users managed in Azure AD) or federated users (users managed by another identity provider such as AD FS). MSAL.NET 不知道用户已联合这一事实。MSAL.NET does not know about the fact that users are federated. 只要需要某种信息,它就会与 Azure AD 通信。As far as it’s concerned, it talks to Azure AD.

在本案例中使用的机构是普通的机构(机构主机名 + 租户、通用机构或组织)。The authority you use in this case is the usual authority (authority host name + tenant, common, or organizations).

以交互方式获取令牌Acquiring a token interactively

调用 AcquireTokenInteractive 方法时,用户体验通常是:When you call the AcquireTokenInteractive method, the user experience is typically:

  1. 用户输入其帐户 ID。The user enters their account ID.
  2. Azure AD 短暂显示消息“正在将你转到组织页面”。Azure AD displays briefly the message "Taking you to your organization's page".
  3. 用户重定向到标识提供者的登录页。The user is redirected to the sign-in page of the identity provider. 登录页通常已使用组织的徽标进行自定义。The sign-in page is usually customized with the logo of the organization.

此联合方案支持的 AD FS 版本为 AD FS v2、AD FS v3 (Windows Server 2012 R2) 和 AD FS v4 (AD FS 2016)。Supported AD FS versions in this federated scenario are AD FS v2, AD FS v3 (Windows Server 2012 R2), and AD FS v4 (AD FS 2016).

使用 AcquireTokenByIntegratedAuthentication 或 AcquireTokenByUsernamePassword 获取令牌Acquiring a token using AcquireTokenByIntegratedAuthentication or AcquireTokenByUsernamePassword

使用 AcquireTokenByIntegratedAuthenticationAcquireTokenByUsernamePassword 方法获取令牌时,MSAL.NET 会让标识提供者根据用户名进行联系。When acquiring a token using the AcquireTokenByIntegratedAuthentication or AcquireTokenByUsernamePassword methods, MSAL.NET gets the identity provider to contact based on the username. MSAL.NET 在联系标识提供者后接收 SAML 1.1 令牌。MSAL.NET receives a SAML 1.1 token after contacting the identity provider. 然后,MSAL.NET 将 SAML 令牌以用户断言的形式提供给 Azure AD(类似于代理流),以取回 JWT。MSAL.NET then provides the SAML token to Azure AD as a user assertion (similar to the on-behalf-of flow) to get back a JWT.

MSAL 直接连接到 AD FSMSAL connects directly to AD FS

MSAL.NET 支持连接到 AD FS 2019,后者符合 Open ID Connect 规范并了解 PKCE 和范围。MSAL.NET supports connecting to AD FS 2019, which is Open ID Connect compliant and understands PKCE and scopes. 此项支持要求将服务包 KB 4490481 应用到 Windows Server。This support requires that a service pack KB 4490481 is applied to Windows Server. 直接连接到 AD FS 时,用于生成应用程序的机构类似于 https://mysite.contoso.com/adfs/When connecting directly to AD FS, the authority you'll want to use to build your application is similar to https://mysite.contoso.com/adfs/.

目前,我们尚未计划支持与以下版本建立直接连接:Currently, there are no plans to support a direct connection to:

  • AD FS 16,因为它不支持 PKCE,仍在使用资源而不是范围AD FS 16, as it doesn't support PKCE and still uses resources, not scope
  • AD FS v2,因为它不符合 OIDC 规范。AD FS v2, which is not OIDC-compliant.

如果需要支持直接连接 AD FS 2016 的方案,请使用最新版本的 Azure Active Directory 身份验证库If you need to support scenarios requiring a direct connection to AD FS 2016, use the latest version of Azure Active Directory Authentication Library. 将本地系统升级到 AD FS 2019 后,即可使用 MSAL.NET。When you have upgraded your on-premises system to AD FS 2019, you'll be able to use MSAL.NET.