Build resilience in your hybrid architecture

Hybrid authentication allows users to access cloud-based resources with identities that are mastered on-premises. A hybrid infrastructure includes both cloud and on-premises components.

  • Cloud components include Azure AD, Azure resources and services, your organization's cloud-based apps, and SaaS applications.

  • On-premises components include on-premises applications, resources such as SQL databases, and an identity provider such as Windows Server Active Directory.

Important

As you plan for resilience in your hybrid infrastructure, the key is to minimize dependencies and single points of failure.

Microsoft offers three mechanisms for hybrid authentication. The options are listed in order of resilience. We recommend that you implement password hash synchronization if possible.

  • Password hash synchronization (PHS) uses Azure AD Connect to sync the identity and a hash of the hash of the password to Azure AD, enabling users to sign in to cloud-based resources with the password mastered on-premises. PHS has on-premises dependencies only for synchronization, not for authentication.

  • Federation customers deploy a federation service such as AD FS, and Azure AD then validates the SAML assertion produced by the federation service. Federation has the highest dependency on on-premises infrastructure, and therefore the most failure points.

You may be using one or more of these methods in your organization. This article contains a decision tree that can help you decide on your methodology.

Password hash synchronization

The simplest and most resilient hybrid authentication option for Azure AD is password hash synchronization, which has no on-premises identity infrastructure dependency when processing authentication requests. Once identities with password hashes are synchronized to Azure AD, users can authenticate to cloud resources with no dependency on the on-premises identity components.

[Diagram: PHS architecture]

If you choose this authentication option, you will not experience disruption when on-premises identity components become unavailable. On-premises disruption can occur for many reasons, including hardware failure, power outages, natural disasters, and malware attacks.
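Because PHS depends on the on-premises side only for the sync itself, the thing worth monitoring is that the sync is actually running and feeding Azure AD. The following health check is an added example, not code from this page or from Azure AD Connect; it assumes it runs on the Azure AD Connect server with the ADSync module installed, and the property names (PasswordHashSync, SyncCycleEnabled, StagingModeEnabled, NextSyncCycleStartTimeInUTC, AllowedSyncCycleInterval) are as documented for Azure AD Connect at the time of writing, so confirm them against your installed version.

```powershell
# Added example (not from the original page). Assumes the Azure AD Connect server
# and its ADSync module; verify cmdlet/property names against your build.
Import-Module ADSync

function Test-PhsHealth {
    param(
        # Constructed threshold: how far behind the scheduler may be before we flag it.
        [int]$MaxLateMinutes = 60
    )
    $feature   = Get-ADSyncAADCompanyFeature   # tenant-level feature flags
    $scheduler = Get-ADSyncScheduler           # local sync scheduler state
    $nowUtc    = (Get-Date).ToUniversalTime()

    # If the next scheduled cycle is already well in the past, the scheduler is stuck
    # or suspended: hashes in Azure AD will go stale even though sign-in still works.
    $lateBy = $nowUtc - $scheduler.NextSyncCycleStartTimeInUTC
    $schedulerLate = $lateBy.TotalMinutes -gt ($scheduler.AllowedSyncCycleInterval.TotalMinutes + $MaxLateMinutes)

    $result = [pscustomobject]@{
        PasswordHashSyncEnabled = [bool]$feature.PasswordHashSync
        SyncCycleEnabled        = [bool]$scheduler.SyncCycleEnabled
        SchedulerSuspended      = [bool]$scheduler.SchedulerSuspended
        # A staging-mode server imports but never exports, so it is not feeding Azure AD.
        StagingMode             = [bool]$scheduler.StagingModeEnabled
        NextSyncUtc             = $scheduler.NextSyncCycleStartTimeInUTC
        SchedulerLate           = $schedulerLate
        Healthy                 = $false
    }

    $result.Healthy = $result.PasswordHashSyncEnabled -and
                      $result.SyncCycleEnabled -and
                      -not $result.SchedulerSuspended -and
                      -not $result.StagingMode -and
                      -not $result.SchedulerLate
    return $result
}

# Non-zero exit code lets a monitoring agent raise an alert on the result.
$health = Test-PhsHealth
$health | Format-List
if (-not $health.Healthy) { exit 1 }
```

Run it on the active (non-staging) Azure AD Connect server; on a staging-mode standby it reports unhealthy by design, which is the state you want to notice before a failover.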

How do I implement PHS?

To implement PHS, see the following resources:

Federation

Federation involves creating a trust relationship between Azure AD and the federation service, which includes the exchange of endpoints, token-signing certificates, and other metadata. When a request comes to Azure AD, it reads the configuration and redirects the user to the configured endpoints. At that point, the user interacts with the federation service, which issues a SAML assertion that is validated by Azure AD.

The following diagram shows the topology of an enterprise Active Directory Federation Services (AD FS) deployment that includes redundant federation and web application proxy servers across multiple on-premises data centers. This configuration relies on enterprise networking infrastructure components such as DNS, network load balancing with geo-affinity capabilities, and firewalls. All on-premises components and connections are susceptible to failure. Visit the AD FS capacity planning documentation for more information.

Note

Federation has the highest number of on-premises dependencies, and therefore the most potential points of failure. Although this diagram shows AD FS, other on-premises identity providers are subject to similar design considerations to achieve high availability, scalability, and failover.

[Diagram: federation architecture]
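Beyond the servers and network paths in the diagram, the trust itself is a failure point: the token-signing certificate exchanged with Azure AD expires on a schedule, and a lapsed or rolled-over certificate that Azure AD does not know about stops every federated sign-in. The check below is an added example, not code from this page or from the AD FS product; it assumes it runs on an AD FS server with the ADFS PowerShell module, and the WarnDays threshold is a constructed value.

```powershell
# Added example (not from the original page). Assumes an AD FS server with the
# ADFS module; Get-AdfsCertificate and Get-AdfsProperties are standard cmdlets.
Import-Module ADFS

function Get-AdfsTrustCertificateStatus {
    param(
        # Constructed threshold: warn when a certificate has fewer days left than this.
        [int]$WarnDays = 30
    )
    $now   = Get-Date
    $props = Get-AdfsProperties

    $findings = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($cert in Get-AdfsCertificate -CertificateType $type) {
            $daysLeft = [int](($cert.Certificate.NotAfter - $now).TotalDays)
            [pscustomobject]@{
                Type       = $type
                IsPrimary  = $cert.IsPrimary
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.Certificate.NotAfter
                DaysLeft   = $daysLeft
                Status     = if ($daysLeft -lt 0)         { 'EXPIRED' }
                             elseif ($daysLeft -lt $WarnDays) { 'WARN' }
                             else                          { 'OK' }
            }
        }
    }

    [pscustomobject]@{
        # With auto-rollover on, AD FS generates a new signing certificate itself;
        # the Azure AD side of the trust must then pick up the new metadata.
        AutoCertificateRollover = [bool]$props.AutoCertificateRollover
        Certificates            = $findings
        # The primary signing certificate is the one Azure AD validates assertions against.
        PrimarySigningOk        = [bool]($findings | Where-Object {
                                      $_.Type -eq 'Token-Signing' -and $_.IsPrimary -and $_.Status -eq 'OK'
                                  })
    }
}

$status = Get-AdfsTrustCertificateStatus
$status.Certificates | Format-Table Type, IsPrimary, DaysLeft, Status, Thumbprint
if (-not $status.PrimarySigningOk) { exit 1 }
```

When AutoCertificateRollover is enabled, pair this with a check that the federated domain's metadata in Azure AD has been refreshed after a rollover; AD FS can be perfectly healthy while Azure AD still trusts the old certificate.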

How do I implement federation?

If you are implementing a federated authentication strategy or want to make it more resilient, see the following resources.

Next steps

Resilience resources for administrators and architects

Resilience resources for developers