Identity architecture for Azure Stack

When choosing an identity provider to use with Azure Stack, you should understand the important differences between the two options: Azure Active Directory (Azure AD) and Active Directory Federation Services (AD FS).

Capabilities and limitations

The identity provider that you choose can limit your options, including support for multi-tenancy.

| Capability or scenario | Azure AD | AD FS |
|---|---|---|
| Connected to the internet | Yes | Optional |
| Support for multi-tenancy | Yes | No |
| Offer items in the Marketplace | Yes | Yes (requires use of the offline Marketplace Syndication tool) |
| Support for Active Directory Authentication Library (ADAL) | Yes | Yes |
| Support for tools such as Azure CLI, Visual Studio, and PowerShell | Yes | Yes |
| Create service principals through the Azure portal | Yes | No |
| Create service principals with certificates | Yes | Yes |
| Create service principals with secrets (keys) | Yes | Yes |
| Applications can use the Graph service | Yes | No |
| Applications can use the identity provider for sign-in | Yes | Yes (requires apps to federate with on-premises AD FS instances) |

Topologies

The following sections discuss the different identity topologies that you can use.

Azure AD: single-tenant topology

By default, when you install Azure Stack and use Azure AD, Azure Stack uses a single-tenant topology.

A single-tenant topology is useful when:

  • All users are part of the same tenant.
  • A service provider hosts an Azure Stack instance for an organization.

Diagram: Azure Stack single-tenant topology with Azure AD

This topology has the following characteristics:

  • Azure Stack registers all apps and services to the same Azure AD tenant directory.
  • Azure Stack authenticates only users and apps from that directory, and accepts only tokens issued by that directory.
  • Identities for administrators (cloud operators) and tenant users are in the same directory tenant.
  • To let a user from another directory access this Azure Stack environment, you must invite the user as a guest into the tenant directory.

Azure AD: multi-tenant topology

Cloud operators can configure Azure Stack to allow access to apps by tenants from one or more organizations. Users access apps through the Azure Stack user portal. In this configuration, the administrator portal (used by the cloud operator) is still limited to users from a single directory.

A multi-tenant topology is useful when:

  • A service provider wants to allow users from multiple organizations to access Azure Stack.

Diagram: Azure Stack multi-tenant topology with Azure AD

This topology has the following characteristics:

  • Access to resources is granted on a per-organization basis.
  • Users from one organization cannot grant access to resources to users outside their organization.
  • Identities for administrators (cloud operators) can be in a separate directory tenant from the identities for users. This separation provides account isolation at the identity provider level.

AD FS

The AD FS topology is required when either of the following conditions is true:

  • Azure Stack doesn't connect to the internet.
  • Azure Stack can connect to the internet, but you choose to use AD FS as your identity provider.

Diagram: Azure Stack topology with AD FS

This topology has the following characteristics:

  • To support the use of this topology in production, you must integrate the built-in Azure Stack AD FS instance with an existing AD FS instance that's backed by Active Directory, through a federation trust.

  • You can integrate the Graph service in Azure Stack with your existing Active Directory instance. You can also use the OData-based Graph API service, which supports APIs consistent with the Azure AD Graph API.

    To interact with your Active Directory instance, the Graph API requires user credentials from your Active Directory instance that have read-only permissions. Use a dedicated, least-privileged read-only account for this purpose rather than an administrator's credentials.

    • The built-in AD FS instance is based on Windows Server 2016.
    • Your AD FS and Active Directory instances must be based on Windows Server 2012 or later.

    Interactions between your Active Directory instance and the built-in AD FS instance aren't restricted to OpenID Connect; they can use any mutually supported protocol.

    • User accounts are created and managed in your on-premises Active Directory instance.
    • Service principals and app registrations are managed in the built-in Active Directory instance.
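The following Python script is an added example, not code from the Azure Stack documentation or product. It ties the capability table to the three topologies above: it classifies the identity provider from the Azure Resource Manager metadata document (Azure Stack serves this unauthenticated at <ARM endpoint>/metadata/endpoints?api-version=2015-01-01) and then decides whether a token's issuing directory is acceptable under the single-tenant, multi-tenant and AD FS topologies, including the invited-guest case and the admin-portal restriction. The metadata documents, claim sets, tenant GUIDs, host names, the list of Azure AD login hosts and the AD FS issuer form are constructed assumptions.

```python
"""Added example, not code from the Azure Stack documentation or product: classify
the identity provider behind an Azure Stack deployment from its Resource Manager
metadata document, then apply the topology rules above to a token's claims.
Azure Stack's Resource Manager serves that document unauthenticated at
<ARM endpoint>/metadata/endpoints?api-version=2015-01-01. The documents, GUIDs
and host names below are constructed for this example and are assumptions."""
import json
from urllib.parse import urlparse

HOME = "11111111-1111-1111-1111-111111111111"       # operator's home directory tenant
ONBOARDED = "22222222-2222-2222-2222-222222222222"  # guest directory onboarded for multi-tenancy
FOREIGN = "33333333-3333-3333-3333-333333333333"    # directory that was never onboarded

AAD_METADATA = json.dumps({  # constructed: Azure AD-backed deployment
    "graphEndpoint": "https://graph.windows.net/",
    "authentication": {
        "loginEndpoint": "https://login.microsoftonline.com/",
        "audiences": ["https://management.contoso.onmicrosoft.com/" + HOME]}})
ADFS_METADATA = json.dumps({  # constructed: disconnected, AD FS-backed deployment
    "graphEndpoint": "https://graph.local.azurestack.external/",
    "authentication": {
        "loginEndpoint": "https://adfs.local.azurestack.external/adfs",
        "audiences": ["https://management.adfs.azurestack.local/" + HOME]}})

# Assumption: Azure AD login hosts for the global cloud and the sovereign clouds
# an Azure Stack instance may register against.
AZURE_AD_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoftonline.us",
                        "login.chinacloudapi.cn"}


def identity_provider(metadata_json: str) -> dict:
    """Return the provider, the values a client needs, and the table rows that
    depend on the provider (multi-tenancy, portal-created service principals)."""
    meta = json.loads(metadata_json)
    auth = meta["authentication"]
    login = urlparse(auth["loginEndpoint"])
    if login.hostname in AZURE_AD_LOGIN_HOSTS:
        provider = "AzureAD"
    elif login.path.rstrip("/").endswith("/adfs"):
        provider = "ADFS"
    else:
        raise ValueError(f"unrecognised login endpoint: {auth['loginEndpoint']}")
    return {"provider": provider,
            "login_endpoint": auth["loginEndpoint"],
            "audience": auth["audiences"][0],
            "graph_endpoint": meta["graphEndpoint"],
            "multi_tenant_supported": provider == "AzureAD",
            "portal_service_principals": provider == "AzureAD"}


def issuing_directory(claims: dict) -> str:
    """Azure AD tokens carry the directory tenant ID in 'tid' with an issuer of
    https://sts.windows.net/<tid>/; AD FS 2016 tokens carry the AD FS identifier
    as 'iss' and no 'tid'. A token whose 'iss' contradicts its 'tid' is rejected."""
    if "tid" in claims:
        if claims.get("iss") != f"https://sts.windows.net/{claims['tid']}/":
            raise ValueError("issuer does not match tid")
        return claims["tid"]
    return claims["iss"]


def token_allowed(claims: dict, provider: dict, home_directory: str,
                  onboarded: tuple = (), portal: str = "user") -> bool:
    """Topology rule: the token must carry this deployment's audience and come from
    the home directory. Only the user portal of an Azure AD multi-tenant deployment
    also accepts onboarded guest directories; the admin portal never does."""
    if claims.get("aud") != provider["audience"]:
        return False
    if portal == "admin" or not provider["multi_tenant_supported"]:
        allowed = {home_directory}
    else:
        allowed = {home_directory, *onboarded}
    return issuing_directory(claims) in allowed


def demo() -> dict:
    """Constructed claim sets run through the rules; returns each decision."""
    aad, adfs = identity_provider(AAD_METADATA), identity_provider(ADFS_METADATA)
    sts = "https://sts.windows.net/{}/".format
    home_user = {"iss": sts(HOME), "tid": HOME, "aud": aad["audience"]}
    onboarded_user = {"iss": sts(ONBOARDED), "tid": ONBOARDED, "aud": aad["audience"]}
    foreign_user = {"iss": sts(FOREIGN), "tid": FOREIGN, "aud": aad["audience"]}
    # A guest invited into the home directory gets a token issued BY the home
    # directory: 'tid' is HOME and 'idp' records where the account really lives.
    invited_guest = {"iss": sts(HOME), "tid": HOME, "idp": sts(FOREIGN), "aud": aad["audience"]}
    adfs_user = {"iss": adfs["login_endpoint"], "aud": adfs["audience"]}
    multi = (ONBOARDED,)
    return {
        "single_home_user": token_allowed(home_user, aad, HOME),
        "single_onboarded_user": token_allowed(onboarded_user, aad, HOME),
        "single_invited_guest": token_allowed(invited_guest, aad, HOME),
        "multi_onboarded_user": token_allowed(onboarded_user, aad, HOME, multi),
        "multi_foreign_user": token_allowed(foreign_user, aad, HOME, multi),
        "multi_admin_portal_onboarded_user": token_allowed(onboarded_user, aad, HOME, multi, "admin"),
        "adfs_user": token_allowed(adfs_user, adfs, adfs["login_endpoint"]),
        "adfs_token_to_aad_deployment": token_allowed(adfs_user, aad, HOME),
    }
```

This is a topology-policy check over claims that have already been cryptographically verified; the token signature must first be validated against the signing keys published by the provider named in `loginEndpoint` (OpenID Connect discovery for both Azure AD and AD FS 2016), which the script does not do. The invited-guest case shows why the single-tenant rule is expressed in terms of the issuing directory rather than the account's origin: a guest's token is issued by the home directory with the foreign directory recorded only in `idp`.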

Next steps