使用 Azure AD 和 MSAL 的 SPA 应用之间的 SSO
SSO between SPA apps using Azure AD and MSAL
我们有一堆单页应用程序并像 appA.xyz-corp.com 和 appB.xyz-corp.com 一样部署它们。我们如何配置 Msal javascript 以便用户不必登录每个应用程序。我们已经尝试了这里提到的方法 https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/Sso 。但是,会话存储按域 "appA.xyz-corp.com" 存储信息,而不是使用子域 "xyz.com"。对于使用 msal.js 的多个单页应用程序和用户跨应用程序无缝登录的最佳实践,我们将不胜感激。
wiki you mentioned 也有一些关于这种多域场景的信息。本质上,您需要捕获首选用户名并将其与登录请求一起发送。要同时捕获所有应用程序的用户名,我建议将其存储在所有应用程序都知道的域范围 cookie 中。
// Store the username after login
document.cookie = "msal_username=Paul@xyz-corp.com;domain=.xyz-corp.com;path=/"
// use the username
var username = getCookieByName("msal_username"); // find some code to do that
userAgentApplication.loginRedirect(scopes, "&login_hint=" + username);
这样做的缺点是您需要在 所有 您的应用程序中实现它。
Applications on different domain
When applications are hosted on different domains, the tokens cached on domain A cannot be accessed by MSAL.js in domain B.
Automatically select account on Azure AD
...
Using Login Hint
If you do not have SID claim configured or need to bypass the account selection prompt on interactive auth calls, you can do so by providing a login_hint and optionally a domain_hint as extraQueryParameters in the MSAL.js interactive methods (loginPopup, loginRedirect, acquireTokenPopup and acquireTokenRedirect). For example:
userAgentApplication.loginRedirect(scopes, "&login_hint=<preferred_username>&domain_hint=organizations");
You can get the values for login_hint and domain_hint by reading the claims returned in the ID token for the user.
login_hint should be set to the preferred_username claim in the ID token.
我们有一堆单页应用程序并像 appA.xyz-corp.com 和 appB.xyz-corp.com 一样部署它们。我们如何配置 Msal javascript 以便用户不必登录每个应用程序。我们已经尝试了这里提到的方法 https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/Sso 。但是,会话存储按域 "appA.xyz-corp.com" 存储信息,而不是使用子域 "xyz.com"。对于使用 msal.js 的多个单页应用程序和用户跨应用程序无缝登录的最佳实践,我们将不胜感激。
wiki you mentioned 也有一些关于这种多域场景的信息。本质上,您需要捕获首选用户名并将其与登录请求一起发送。要同时捕获所有应用程序的用户名,我建议将其存储在所有应用程序都知道的域范围 cookie 中。
// Store the username after login
document.cookie = "msal_username=Paul@xyz-corp.com;domain=.xyz-corp.com;path=/"
// use the username
var username = getCookieByName("msal_username"); // find some code to do that
userAgentApplication.loginRedirect(scopes, "&login_hint=" + username);
这样做的缺点是您需要在 所有 您的应用程序中实现它。
Applications on different domain
When applications are hosted on different domains, the tokens cached on domain A cannot be accessed by MSAL.js in domain B.
Automatically select account on Azure AD
...
Using Login Hint
If you do not have SID claim configured or need to bypass the account selection prompt on interactive auth calls, you can do so by providing a login_hint and optionally a domain_hint as extraQueryParameters in the MSAL.js interactive methods (loginPopup, loginRedirect, acquireTokenPopup and acquireTokenRedirect). For example:
userAgentApplication.loginRedirect(scopes, "&login_hint=<preferred_username>&domain_hint=organizations");You can get the values for login_hint and domain_hint by reading the claims returned in the ID token for the user.
login_hint should be set to the preferred_username claim in the ID token.