El inicio de sesión único (SSO) es un método de autenticación que permite a los usuarios iniciar sesión en una aplicación y, a continuación, acceder a varias aplicaciones sin necesidad de volver a iniciar sesión. Microsoft Entra admite varios métodos de SSO, como OpenID Connect, OAuth, Lenguaje de marcado de aserción de seguridad (SAML), sso vinculado y basado en contraseñas. Con Microsoft Graph, puede automatizar la configuración del inicio de sesión único para la aplicación.
En este tutorial, aprenderá a:
- Identificación de aplicaciones basadas en SAML en la galería de Microsoft Entra y configuración del inicio de sesión único basado en SAML para una aplicación
- Agregar roles de aplicación a una aplicación y concederlos a los usuarios
- Configuración de notificaciones para emitir en el token saml
- Configuración de un certificado para el inicio de sesión único federado
- Recuperar los metadatos Microsoft Entra ID SAML de la aplicación que se usan para completar la integración
Requisitos previos
En este tutorial se configura el inicio de sesión único para AWS IAM Identity Center. Sin embargo, la mayoría de los pasos de Microsoft Graph se aplican a cualquier otra aplicación que quiera configurar el inicio de sesión único.
- Inicie sesión en un cliente de API, como Graph Explorer, con los privilegios para crear instancias de aplicaciones desde la galería de aplicaciones de Microsoft Entra, configurar roles de aplicación y directivas en las aplicaciones.
Administrador de aplicaciones en la nube en el rol integrado con privilegios mínimos Microsoft Entra con estos permisos.
- Concédese los siguientes permisos delegados:
Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, Policy.Read.All, Policy.ReadWrite.ApplicationConfigurationy User.ReadWrite.All.
- Hacer que un usuario de prueba se asigne a la aplicación. Más adelante en este tutorial creará un usuario coincidente en AWS IAM Identity Center.
Para crear una aplicación que admita el inicio de sesión único, regístrela a través de la galería de aplicaciones de Microsoft Entra. La galería de aplicaciones de Microsoft Entra es un catálogo de miles de aplicaciones preintegradas que simplifican la implementación y configuración del inicio de sesión único y el aprovisionamiento automatizado de usuarios. En Microsoft Graph, esta lista está disponible a través de la entidad applicationTemplate .
En este paso, identificará la plantilla de aplicación para la AWS IAM Identity Center (successor to AWS Single Sign-On) aplicación que desea configurar. Registre su identificador.
Solicitud
GET https://graph.microsoft.com/v1.0/applicationTemplates?$filter=displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ApplicationTemplates.GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
});
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphapplicationtemplates "github.com/microsoftgraph/msgraph-sdk-go/applicationtemplates"
//other-imports
)
requestFilter := "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'"
requestParameters := &graphapplicationtemplates.ApplicationTemplatesRequestBuilderGetQueryParameters{
Filter: &requestFilter,
}
configuration := &graphapplicationtemplates.ApplicationTemplatesRequestBuilderGetRequestConfiguration{
QueryParameters: requestParameters,
}
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applicationTemplates, err := graphClient.ApplicationTemplates().Get(context.Background(), configuration)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ApplicationTemplateCollectionResponse result = graphClient.applicationTemplates().get(requestConfiguration -> {
requestConfiguration.queryParameters.filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
});
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
let applicationTemplates = await client.api('/applicationTemplates')
.filter('displayName eq \'AWS IAM Identity Center (successor to AWS Single Sign-On)\'')
.get();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ApplicationTemplates\ApplicationTemplatesRequestBuilderGetRequestConfiguration;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestConfiguration = new ApplicationTemplatesRequestBuilderGetRequestConfiguration();
$queryParameters = ApplicationTemplatesRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
$requestConfiguration->queryParameters = $queryParameters;
$result = $graphServiceClient->applicationTemplates()->get($requestConfiguration)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.application_templates.application_templates_request_builder import ApplicationTemplatesRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ApplicationTemplatesRequestBuilder.ApplicationTemplatesRequestBuilderGetQueryParameters(
filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'",
)
request_configuration = RequestConfiguration(
query_parameters = query_params,
)
result = await graph_client.application_templates.get(request_configuration = request_configuration)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Respuesta
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applicationTemplates",
"@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET applicationTemplates?$select=categories,description",
"value": [
{
"id": "21ed01d2-ec13-4e9e-86c1-cd546719ebc4",
"displayName": "AWS IAM Identity Center (successor to AWS Single Sign-On)",
"homePageUrl": "https://aws.amazon.com/",
"supportedSingleSignOnModes": [
"saml",
"external"
],
"supportedProvisioningTypes": [
"sync"
],
"logoUrl": "https://galleryapplogos1.azureedge.net/app-logo/awssinglesignon_FC86917E_215.png",
"categories": [
"developerServices",
"itInfrastructure",
"security",
"New"
],
"publisher": "Amazon Web Services, Inc.",
"description": "Federate once to AWS IAM Identity Center (successor to AWS Single Sign-On) & use it to centrally manage access to multiple AWS accounts and IAM Identity Center enabled apps. Provision users via SCIM."
}
]
}
Paso 2: Crear una instancia de la aplicación
Con el valor id de la plantilla de aplicación, cree una instancia de la aplicación en el inquilino. Aquí, asigne a la aplicación el nombre AWS Contoso. La respuesta incluye un objeto de aplicación y entidad de servicio para AWS Contoso, que es una instancia de la aplicación AWS IAM Identity Center (sucesora del inicio de sesión único de AWS). Registre los identificadores de los objetos de aplicación y entidad de servicio creados para usarlos más adelante en este tutorial.
Solicitud
POST https://graph.microsoft.com/v1.0/applicationTemplates/21ed01d2-ec13-4e9e-86c1-cd546719ebc4/instantiate
Content-type: application/json
{
"displayName": "AWS Contoso"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.ApplicationTemplates.Item.Instantiate;
var requestBody = new InstantiatePostRequestBody
{
DisplayName = "AWS Contoso",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ApplicationTemplates["{applicationTemplate-id}"].Instantiate.PostAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphapplicationtemplates "github.com/microsoftgraph/msgraph-sdk-go/applicationtemplates"
//other-imports
)
requestBody := graphapplicationtemplates.NewInstantiatePostRequestBody()
displayName := "AWS Contoso"
requestBody.SetDisplayName(&displayName)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
instantiate, err := graphClient.ApplicationTemplates().ByApplicationTemplateId("applicationTemplate-id").Instantiate().Post(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.applicationtemplates.item.instantiate.InstantiatePostRequestBody instantiatePostRequestBody = new com.microsoft.graph.applicationtemplates.item.instantiate.InstantiatePostRequestBody();
instantiatePostRequestBody.setDisplayName("AWS Contoso");
var result = graphClient.applicationTemplates().byApplicationTemplateId("{applicationTemplate-id}").instantiate().post(instantiatePostRequestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const applicationServicePrincipal = {
displayName: 'AWS Contoso'
};
await client.api('/applicationTemplates/21ed01d2-ec13-4e9e-86c1-cd546719ebc4/instantiate')
.post(applicationServicePrincipal);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ApplicationTemplates\Item\Instantiate\InstantiatePostRequestBody;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new InstantiatePostRequestBody();
$requestBody->setDisplayName('AWS Contoso');
$result = $graphServiceClient->applicationTemplates()->byApplicationTemplateId('applicationTemplate-id')->instantiate()->post($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.applicationtemplates.item.instantiate.instantiate_post_request_body import InstantiatePostRequestBody
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = InstantiatePostRequestBody(
display_name = "AWS Contoso",
)
result = await graph_client.application_templates.by_application_template_id('applicationTemplate-id').instantiate.post(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Respuesta
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.applicationServicePrincipal",
"application": {
"id": "b7308000-8bb3-467b-bfc7-8dbbfd759ad9",
"appId": "2fbc8259-0f56-4f56-9870-93a228020936",
"applicationTemplateId": "21ed01d2-ec13-4e9e-86c1-cd546719ebc4",
"createdDateTime": "2024-02-21T17:14:33Z",
"deletedDateTime": null,
"displayName": "AWS Contoso",
"description": null,
"groupMembershipClaims": null,
"identifierUris": [],
"isFallbackPublicClient": false,
"signInAudience": "AzureADMyOrg",
"tags": [],
"tokenEncryptionKeyId": null,
"defaultRedirectUri": null,
"samlMetadataUrl": null,
"optionalClaims": null,
"addIns": [],
"api": {
"acceptMappedClaims": null,
"knownClientApplications": [],
"requestedAccessTokenVersion": null,
"oauth2PermissionScopes": [
{
"adminConsentDescription": "Allow the application to access AWS Contoso on behalf of the signed-in user.",
"adminConsentDisplayName": "Access AWS Contoso",
"id": "f5419931-094d-481d-b801-ab3ed60d48d8",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access AWS Contoso on your behalf.",
"userConsentDisplayName": "Access AWS Contoso",
"value": "user_impersonation"
}
],
"preAuthorizedApplications": []
},
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "User",
"id": "8774f594-1d59-4279-b9d9-59ef09a23530",
"isEnabled": true,
"description": "User",
"value": null,
"origin": "Application"
},
{
"allowedMemberTypes": [
"User"
],
"displayName": "msiam_access",
"id": "e7f1a7f3-9eda-48e0-9963-bd67bf531afd",
"isEnabled": true,
"description": "msiam_access",
"value": null,
"origin": "Application"
}
],
"info": {
"logoUrl": null,
"marketingUrl": null,
"privacyStatementUrl": null,
"supportUrl": null,
"termsOfServiceUrl": null
},
"keyCredentials": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"publicClient": {
"redirectUris": []
},
"requiredResourceAccess": [],
"verifiedPublisher": {
"displayName": null,
"verifiedPublisherId": null,
"addedDateTime": null
},
"web": {
"homePageUrl": "https://*.signin.aws.amazon.com/platform/saml/acs/*?metadata=awssinglesignon|ISV9.1|primary|z",
"redirectUris": [
"https://*.signin.aws.amazon.com/platform/saml/acs/*"
],
"logoutUrl": null
}
},
"servicePrincipal": {
"id": "d3616293-fff8-4415-9f01-33b05dad1b46",
"deletedDateTime": null,
"accountEnabled": true,
"appId": "2fbc8259-0f56-4f56-9870-93a228020936",
"applicationTemplateId": "21ed01d2-ec13-4e9e-86c1-cd546719ebc4",
"appDisplayName": "AWS Contoso",
"alternativeNames": [],
"appOwnerOrganizationId": "38d49456-54d4-455d-a8d6-c383c71e0a6d",
"displayName": "AWS Contoso",
"appRoleAssignmentRequired": true,
"loginUrl": null,
"logoutUrl": null,
"homepage": "https://*.signin.aws.amazon.com/platform/saml/acs/*?metadata=awssinglesignon|ISV9.1|primary|z",
"notificationEmailAddresses": [],
"preferredSingleSignOnMode": null,
"preferredTokenSigningKeyThumbprint": null,
"replyUrls": [],
"servicePrincipalNames": [
"2fbc8259-0f56-4f56-9870-93a228020936"
],
"servicePrincipalType": "Application",
"tags": [
"WindowsAzureActiveDirectoryIntegratedApp"
],
"tokenEncryptionKeyId": null,
"samlSingleSignOnSettings": null,
"addIns": [],
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "User",
"id": "8774f594-1d59-4279-b9d9-59ef09a23530",
"isEnabled": true,
"description": "User",
"value": null,
"origin": "Application"
},
{
"allowedMemberTypes": [
"User"
],
"displayName": "msiam_access",
"id": "e7f1a7f3-9eda-48e0-9963-bd67bf531afd",
"isEnabled": true,
"description": "msiam_access",
"value": null,
"origin": "Application"
}
],
"info": {
"logoUrl": null,
"marketingUrl": null,
"privacyStatementUrl": null,
"supportUrl": null,
"termsOfServiceUrl": null
},
"keyCredentials": [],
"oauth2PermissionScopes": [
{
"adminConsentDescription": "Allow the application to access AWS Contoso on behalf of the signed-in user.",
"adminConsentDisplayName": "Access AWS Contoso",
"id": "f5419931-094d-481d-b801-ab3ed60d48d8",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access AWS Contoso on your behalf.",
"userConsentDisplayName": "Access AWS Contoso",
"value": "user_impersonation"
}
],
"passwordCredentials": [],
"verifiedPublisher": {
"displayName": null,
"verifiedPublisherId": null,
"addedDateTime": null
}
}
}
En este paso, configurará el inicio de sesión único para AWS Contoso. Para la aplicación, configure las direcciones URL de SAML mientras que para la entidad de servicio, establezca el modo sso en saml.
Paso 3.1: Establecer el modo de inicio de sesión único para la entidad de servicio
Establézcalo saml como modo sso para la entidad de servicio de AWS Contoso. La solicitud devuelve un código de respuesta 204 No Content.
PATCH https://graph.microsoft.com/v1.0/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46
Content-type: application/json
{
"preferredSingleSignOnMode": "saml"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ServicePrincipal
{
PreferredSingleSignOnMode = "saml",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewServicePrincipal()
preferredSingleSignOnMode := "saml"
requestBody.SetPreferredSingleSignOnMode(&preferredSingleSignOnMode)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.setPreferredSingleSignOnMode("saml");
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const servicePrincipal = {
preferredSingleSignOnMode: 'saml'
};
await client.api('/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46')
.update(servicePrincipal);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ServicePrincipal();
$requestBody->setPreferredSingleSignOnMode('saml');
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
preferred_single_sign_on_mode = "saml",
)
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Paso 3.2: Establecimiento de direcciones URL básicas de SAML para la aplicación
EstablezcaredirectUrisweb/ yredirectUrisweb/ para la aplicación AWS Contoso. La solicitud devuelve un código de respuesta 204 No Content.
PATCH https://graph.microsoft.com/v1.0/applications/b7308000-8bb3-467b-bfc7-8dbbfd759ad9
Content-type: application/json
{
"identifierUris": [
"https://signin.aws.amazon.com/saml"
],
"web": {
"redirectUris": [
"https://signin.aws.amazon.com/saml"
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new Application
{
IdentifierUris = new List<string>
{
"https://signin.aws.amazon.com/saml",
},
Web = new WebApplication
{
RedirectUris = new List<string>
{
"https://signin.aws.amazon.com/saml",
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewApplication()
identifierUris := []string {
"https://signin.aws.amazon.com/saml",
}
requestBody.SetIdentifierUris(identifierUris)
web := graphmodels.NewWebApplication()
redirectUris := []string {
"https://signin.aws.amazon.com/saml",
}
web.SetRedirectUris(redirectUris)
requestBody.SetWeb(web)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
LinkedList<String> identifierUris = new LinkedList<String>();
identifierUris.add("https://signin.aws.amazon.com/saml");
application.setIdentifierUris(identifierUris);
WebApplication web = new WebApplication();
LinkedList<String> redirectUris = new LinkedList<String>();
redirectUris.add("https://signin.aws.amazon.com/saml");
web.setRedirectUris(redirectUris);
application.setWeb(web);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const application = {
identifierUris: [
'https://signin.aws.amazon.com/saml'
],
web: {
redirectUris: [
'https://signin.aws.amazon.com/saml'
]
}
};
await client.api('/applications/b7308000-8bb3-467b-bfc7-8dbbfd759ad9')
.update(application);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\WebApplication;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$requestBody->setIdentifierUris(['https://signin.aws.amazon.com/saml', ]);
$web = new WebApplication();
$web->setRedirectUris(['https://signin.aws.amazon.com/saml', ]);
$requestBody->setWeb($web);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Import-Module Microsoft.Graph.Applications
$params = @{
identifierUris = @(
"https://signin.aws.amazon.com/saml"
)
web = @{
redirectUris = @(
"https://signin.aws.amazon.com/saml"
)
}
}
Update-MgApplication -ApplicationId $applicationId -BodyParameter $params
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.web_application import WebApplication
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
identifier_uris = [
"https://signin.aws.amazon.com/saml",
],
web = WebApplication(
redirect_uris = [
"https://signin.aws.amazon.com/saml",
],
),
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Paso 4: Agregar roles de aplicación
Si la aplicación requiere la información del rol en el token, agregue la definición de los roles en la propiedad appRoles . Se ha creado una instancia de AWS Contoso con los roles y msiam_access predeterminadosUser: no los modifique ni los quite. Para agregar más roles, incluya los roles existentes y los nuevos roles en el objeto appRoles en la solicitud; de lo contrario, se reemplazan los roles existentes.
En este paso, agregue los Finance,WAAD roles y Admin,WAAD a la entidad de servicio de AWS Contoso. La solicitud devuelve un código de respuesta 204 No Content.
PATCH https://graph.microsoft.com/v1.0/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46
Content-type: application/json
{
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "User",
"displayName": "User",
"id": "8774f594-1d59-4279-b9d9-59ef09a23530",
"isEnabled": true,
"origin": "Application",
"value": null
},
{
"allowedMemberTypes": [
"User"
],
"description": "msiam_access",
"displayName": "msiam_access",
"id": "e7f1a7f3-9eda-48e0-9963-bd67bf531afd",
"isEnabled": true,
"origin": "Application",
"value": null
},
{
"allowedMemberTypes": [
"User"
],
"description": "Admin,WAAD",
"displayName": "Admin,WAAD",
"id": "3a84e31e-bffa-470f-b9e6-754a61e4dc63",
"isEnabled": true,
"value": "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Finance,WAAD",
"displayName": "Finance,WAAD",
"id": "7a960000-ded3-455b-8c04-4f2ace00319b",
"isEnabled": true,
"value": "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD"
}
]
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ServicePrincipal
{
AppRoles = new List<AppRole>
{
new AppRole
{
AllowedMemberTypes = new List<string>
{
"User",
},
Description = "User",
DisplayName = "User",
Id = Guid.Parse("8774f594-1d59-4279-b9d9-59ef09a23530"),
IsEnabled = true,
Origin = "Application",
Value = null,
},
new AppRole
{
AllowedMemberTypes = new List<string>
{
"User",
},
Description = "msiam_access",
DisplayName = "msiam_access",
Id = Guid.Parse("e7f1a7f3-9eda-48e0-9963-bd67bf531afd"),
IsEnabled = true,
Origin = "Application",
Value = null,
},
new AppRole
{
AllowedMemberTypes = new List<string>
{
"User",
},
Description = "Admin,WAAD",
DisplayName = "Admin,WAAD",
Id = Guid.Parse("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
IsEnabled = true,
Value = "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD",
},
new AppRole
{
AllowedMemberTypes = new List<string>
{
"User",
},
Description = "Finance,WAAD",
DisplayName = "Finance,WAAD",
Id = Guid.Parse("7a960000-ded3-455b-8c04-4f2ace00319b"),
IsEnabled = true,
Value = "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD",
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
mgc service-principals patch --service-principal-id {servicePrincipal-id} --body '{\
"appRoles": [\
{\
"allowedMemberTypes": [\
"User"\
],\
"description": "User",\
"displayName": "User",\
"id": "8774f594-1d59-4279-b9d9-59ef09a23530",\
"isEnabled": true,\
"origin": "Application",\
"value": null\
},\
{\
"allowedMemberTypes": [\
"User"\
],\
"description": "msiam_access",\
"displayName": "msiam_access",\
"id": "e7f1a7f3-9eda-48e0-9963-bd67bf531afd",\
"isEnabled": true,\
"origin": "Application",\
"value": null\
},\
{\
"allowedMemberTypes": [\
"User"\
],\
"description": "Admin,WAAD",\
"displayName": "Admin,WAAD",\
"id": "3a84e31e-bffa-470f-b9e6-754a61e4dc63",\
"isEnabled": true,\
"value": "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD"\
},\
{\
"allowedMemberTypes": [\
"User"\
],\
"description": "Finance,WAAD",\
"displayName": "Finance,WAAD",\
"id": "7a960000-ded3-455b-8c04-4f2ace00319b",\
"isEnabled": true,\
"value": "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD"\
}\
]\
}\
'
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewServicePrincipal()
appRole := graphmodels.NewAppRole()
allowedMemberTypes := []string {
"User",
}
appRole.SetAllowedMemberTypes(allowedMemberTypes)
description := "User"
appRole.SetDescription(&description)
displayName := "User"
appRole.SetDisplayName(&displayName)
id := uuid.MustParse("8774f594-1d59-4279-b9d9-59ef09a23530")
appRole.SetId(&id)
isEnabled := true
appRole.SetIsEnabled(&isEnabled)
origin := "Application"
appRole.SetOrigin(&origin)
value := null
appRole.SetValue(&value)
appRole1 := graphmodels.NewAppRole()
allowedMemberTypes := []string {
"User",
}
appRole1.SetAllowedMemberTypes(allowedMemberTypes)
description := "msiam_access"
appRole1.SetDescription(&description)
displayName := "msiam_access"
appRole1.SetDisplayName(&displayName)
id := uuid.MustParse("e7f1a7f3-9eda-48e0-9963-bd67bf531afd")
appRole1.SetId(&id)
isEnabled := true
appRole1.SetIsEnabled(&isEnabled)
origin := "Application"
appRole1.SetOrigin(&origin)
value := null
appRole1.SetValue(&value)
appRole2 := graphmodels.NewAppRole()
allowedMemberTypes := []string {
"User",
}
appRole2.SetAllowedMemberTypes(allowedMemberTypes)
description := "Admin,WAAD"
appRole2.SetDescription(&description)
displayName := "Admin,WAAD"
appRole2.SetDisplayName(&displayName)
id := uuid.MustParse("3a84e31e-bffa-470f-b9e6-754a61e4dc63")
appRole2.SetId(&id)
isEnabled := true
appRole2.SetIsEnabled(&isEnabled)
value := "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD"
appRole2.SetValue(&value)
appRole3 := graphmodels.NewAppRole()
allowedMemberTypes := []string {
"User",
}
appRole3.SetAllowedMemberTypes(allowedMemberTypes)
description := "Finance,WAAD"
appRole3.SetDescription(&description)
displayName := "Finance,WAAD"
appRole3.SetDisplayName(&displayName)
id := uuid.MustParse("7a960000-ded3-455b-8c04-4f2ace00319b")
appRole3.SetId(&id)
isEnabled := true
appRole3.SetIsEnabled(&isEnabled)
value := "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD"
appRole3.SetValue(&value)
appRoles := []graphmodels.AppRoleable {
appRole,
appRole1,
appRole2,
appRole3,
}
requestBody.SetAppRoles(appRoles)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal servicePrincipal = new ServicePrincipal();
LinkedList<AppRole> appRoles = new LinkedList<AppRole>();
AppRole appRole = new AppRole();
LinkedList<String> allowedMemberTypes = new LinkedList<String>();
allowedMemberTypes.add("User");
appRole.setAllowedMemberTypes(allowedMemberTypes);
appRole.setDescription("User");
appRole.setDisplayName("User");
appRole.setId(UUID.fromString("8774f594-1d59-4279-b9d9-59ef09a23530"));
appRole.setIsEnabled(true);
appRole.setOrigin("Application");
appRole.setValue(null);
appRoles.add(appRole);
AppRole appRole1 = new AppRole();
LinkedList<String> allowedMemberTypes1 = new LinkedList<String>();
allowedMemberTypes1.add("User");
appRole1.setAllowedMemberTypes(allowedMemberTypes1);
appRole1.setDescription("msiam_access");
appRole1.setDisplayName("msiam_access");
appRole1.setId(UUID.fromString("e7f1a7f3-9eda-48e0-9963-bd67bf531afd"));
appRole1.setIsEnabled(true);
appRole1.setOrigin("Application");
appRole1.setValue(null);
appRoles.add(appRole1);
AppRole appRole2 = new AppRole();
LinkedList<String> allowedMemberTypes2 = new LinkedList<String>();
allowedMemberTypes2.add("User");
appRole2.setAllowedMemberTypes(allowedMemberTypes2);
appRole2.setDescription("Admin,WAAD");
appRole2.setDisplayName("Admin,WAAD");
appRole2.setId(UUID.fromString("3a84e31e-bffa-470f-b9e6-754a61e4dc63"));
appRole2.setIsEnabled(true);
appRole2.setValue("arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD");
appRoles.add(appRole2);
AppRole appRole3 = new AppRole();
LinkedList<String> allowedMemberTypes3 = new LinkedList<String>();
allowedMemberTypes3.add("User");
appRole3.setAllowedMemberTypes(allowedMemberTypes3);
appRole3.setDescription("Finance,WAAD");
appRole3.setDisplayName("Finance,WAAD");
appRole3.setId(UUID.fromString("7a960000-ded3-455b-8c04-4f2ace00319b"));
appRole3.setIsEnabled(true);
appRole3.setValue("arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD");
appRoles.add(appRole3);
servicePrincipal.setAppRoles(appRoles);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const servicePrincipal = {
appRoles: [
{
allowedMemberTypes: [
'User'
],
description: 'User',
displayName: 'User',
id: '8774f594-1d59-4279-b9d9-59ef09a23530',
isEnabled: true,
origin: 'Application',
value: null
},
{
allowedMemberTypes: [
'User'
],
description: 'msiam_access',
displayName: 'msiam_access',
id: 'e7f1a7f3-9eda-48e0-9963-bd67bf531afd',
isEnabled: true,
origin: 'Application',
value: null
},
{
allowedMemberTypes: [
'User'
],
description: 'Admin,WAAD',
displayName: 'Admin,WAAD',
id: '3a84e31e-bffa-470f-b9e6-754a61e4dc63',
isEnabled: true,
value: 'arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD'
},
{
allowedMemberTypes: [
'User'
],
description: 'Finance,WAAD',
displayName: 'Finance,WAAD',
id: '7a960000-ded3-455b-8c04-4f2ace00319b',
isEnabled: true,
value: 'arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD'
}
]
};
await client.api('/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46')
.update(servicePrincipal);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;
use Microsoft\Graph\Generated\Models\AppRole;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ServicePrincipal();
$appRolesAppRole1 = new AppRole();
$appRolesAppRole1->setAllowedMemberTypes(['User', ]);
$appRolesAppRole1->setDescription('User');
$appRolesAppRole1->setDisplayName('User');
$appRolesAppRole1->setId('8774f594-1d59-4279-b9d9-59ef09a23530');
$appRolesAppRole1->setIsEnabled(true);
$appRolesAppRole1->setOrigin('Application');
$appRolesAppRole1->setValue(null);
$appRolesArray []= $appRolesAppRole1;
$appRolesAppRole2 = new AppRole();
$appRolesAppRole2->setAllowedMemberTypes(['User', ]);
$appRolesAppRole2->setDescription('msiam_access');
$appRolesAppRole2->setDisplayName('msiam_access');
$appRolesAppRole2->setId('e7f1a7f3-9eda-48e0-9963-bd67bf531afd');
$appRolesAppRole2->setIsEnabled(true);
$appRolesAppRole2->setOrigin('Application');
$appRolesAppRole2->setValue(null);
$appRolesArray []= $appRolesAppRole2;
$appRolesAppRole3 = new AppRole();
$appRolesAppRole3->setAllowedMemberTypes(['User', ]);
$appRolesAppRole3->setDescription('Admin,WAAD');
$appRolesAppRole3->setDisplayName('Admin,WAAD');
$appRolesAppRole3->setId('3a84e31e-bffa-470f-b9e6-754a61e4dc63');
$appRolesAppRole3->setIsEnabled(true);
$appRolesAppRole3->setValue('arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD');
$appRolesArray []= $appRolesAppRole3;
$appRolesAppRole4 = new AppRole();
$appRolesAppRole4->setAllowedMemberTypes(['User', ]);
$appRolesAppRole4->setDescription('Finance,WAAD');
$appRolesAppRole4->setDisplayName('Finance,WAAD');
$appRolesAppRole4->setId('7a960000-ded3-455b-8c04-4f2ace00319b');
$appRolesAppRole4->setIsEnabled(true);
$appRolesAppRole4->setValue('arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD');
$appRolesArray []= $appRolesAppRole4;
$requestBody->setAppRoles($appRolesArray);
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Import-Module Microsoft.Graph.Applications
$params = @{
appRoles = @(
@{
allowedMemberTypes = @(
"User"
)
description = "User"
displayName = "User"
id = "8774f594-1d59-4279-b9d9-59ef09a23530"
isEnabled = $true
origin = "Application"
value = $null
}
@{
allowedMemberTypes = @(
"User"
)
description = "msiam_access"
displayName = "msiam_access"
id = "e7f1a7f3-9eda-48e0-9963-bd67bf531afd"
isEnabled = $true
origin = "Application"
value = $null
}
@{
allowedMemberTypes = @(
"User"
)
description = "Admin,WAAD"
displayName = "Admin,WAAD"
id = "3a84e31e-bffa-470f-b9e6-754a61e4dc63"
isEnabled = $true
value = "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD"
}
@{
allowedMemberTypes = @(
"User"
)
description = "Finance,WAAD"
displayName = "Finance,WAAD"
id = "7a960000-ded3-455b-8c04-4f2ace00319b"
isEnabled = $true
value = "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD"
}
)
}
Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
from msgraph.generated.models.app_role import AppRole
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
app_roles = [
AppRole(
allowed_member_types = [
"User",
],
description = "User",
display_name = "User",
id = UUID("8774f594-1d59-4279-b9d9-59ef09a23530"),
is_enabled = True,
origin = "Application",
value = None,
),
AppRole(
allowed_member_types = [
"User",
],
description = "msiam_access",
display_name = "msiam_access",
id = UUID("e7f1a7f3-9eda-48e0-9963-bd67bf531afd"),
is_enabled = True,
origin = "Application",
value = None,
),
AppRole(
allowed_member_types = [
"User",
],
description = "Admin,WAAD",
display_name = "Admin,WAAD",
id = UUID("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
is_enabled = True,
value = "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD",
),
AppRole(
allowed_member_types = [
"User",
],
description = "Finance,WAAD",
display_name = "Finance,WAAD",
id = UUID("7a960000-ded3-455b-8c04-4f2ace00319b"),
is_enabled = True,
value = "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD",
),
],
)
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Para configurar los atributos saml, asigne los campos de Microsoft Entra ID con atributos de aplicación específicos de AWS IAM Identity Center. Por lo tanto, cree una directiva de asignación de notificaciones y asígnela a la entidad de servicio.
Paso 5.1: Creación de una directiva de asignación de notificaciones
Además de las notificaciones básicas, configure las siguientes notificaciones para que Microsoft Entra ID emitan en el token SAML:
| Nombre de la notificación |
Origen |
https://aws.amazon.com/SAML/Attributes/Role |
assignedroles |
https://aws.amazon.com/SAML/Attributes/RoleSessionName |
userprincipalname |
https://aws.amazon.com/SAML/Attributes/SessionDuration |
"900" |
appRoles |
assignedroles |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
userprincipalname |
Nota:
Algunas claves de la directiva de asignación de notificaciones, como Versión, distinguen mayúsculas de minúsculas. El mensaje de error "La propiedad tiene un valor no válido" puede ser un problema de distinción entre mayúsculas y minúsculas.
Cree la directiva de asignación de notificaciones y registre su identificador para usarlo más adelante en este tutorial.
Solicitud
POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
Content-type: application/json
{
"definition": [
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
],
"displayName": "AWS Claims Policy",
"isOrganizationDefault": false
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ClaimsMappingPolicy
{
Definition = new List<string>
{
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}",
},
DisplayName = "AWS Claims Policy",
IsOrganizationDefault = false,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.ClaimsMappingPolicies.PostAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
mgc policies claims-mapping-policies create --body '{\
"definition": [\
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"\
],\
"displayName": "AWS Claims Policy",\
"isOrganizationDefault": false\
}\
'
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewClaimsMappingPolicy()
definition := []string {
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}",
}
requestBody.SetDefinition(definition)
displayName := "AWS Claims Policy"
requestBody.SetDisplayName(&displayName)
isOrganizationDefault := false
requestBody.SetIsOrganizationDefault(&isOrganizationDefault)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
claimsMappingPolicies, err := graphClient.Policies().ClaimsMappingPolicies().Post(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ClaimsMappingPolicy claimsMappingPolicy = new ClaimsMappingPolicy();
LinkedList<String> definition = new LinkedList<String>();
definition.add("{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}");
claimsMappingPolicy.setDefinition(definition);
claimsMappingPolicy.setDisplayName("AWS Claims Policy");
claimsMappingPolicy.setIsOrganizationDefault(false);
ClaimsMappingPolicy result = graphClient.policies().claimsMappingPolicies().post(claimsMappingPolicy);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const claimsMappingPolicy = {
definition: [
'{\"ClaimsMappingPolicy\':{\'Version\':1,\'IncludeBasicClaimSet\':\'true\", \"ClaimsSchema\': [{\'Source\':\'user\",\"ID\':\'assignedroles\",\"SamlClaimType\': \'https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\':\'user\",\"ID\':\'userprincipalname\",\"SamlClaimType\': \'https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\':\'900\",\"SamlClaimType\': \'https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\':\'user\",\"ID\':\'assignedroles\",\"SamlClaimType\': \'appRoles\"}, {\"Source\':\'user\",\"ID\':\'userprincipalname\",\"SamlClaimType\': \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
],
displayName: 'AWS Claims Policy',
isOrganizationDefault: false
};
await client.api('/policies/claimsMappingPolicies')
.post(claimsMappingPolicy);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ClaimsMappingPolicy;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ClaimsMappingPolicy();
$requestBody->setDefinition(['{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}', ]);
$requestBody->setDisplayName('AWS Claims Policy');
$requestBody->setIsOrganizationDefault(false);
$result = $graphServiceClient->policies()->claimsMappingPolicies()->post($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
definition = @(
'{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"assignedroles","SamlClaimType": "https://aws.amazon.com/SAML/Attributes/Role"}, {"Source":"user","ID":"userprincipalname","SamlClaimType": "https://aws.amazon.com/SAML/Attributes/RoleSessionName"}, {"Value":"900","SamlClaimType": "https://aws.amazon.com/SAML/Attributes/SessionDuration"}, {"Source":"user","ID":"assignedroles","SamlClaimType": "appRoles"}, {"Source":"user","ID":"userprincipalname","SamlClaimType": "https://aws.amazon.com/SAML/Attributes/nameidentifier"}]}}'
)
displayName = "AWS Claims Policy"
isOrganizationDefault = $false
}
New-MgPolicyClaimMappingPolicy -BodyParameter $params
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.claims_mapping_policy import ClaimsMappingPolicy
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ClaimsMappingPolicy(
definition = [
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}",
],
display_name = "AWS Claims Policy",
is_organization_default = False,
)
result = await graph_client.policies.claims_mapping_policies.post(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Respuesta
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/claimsMappingPolicies/$entity",
"id": "92037c7a-a875-49a0-814e-8ec30f880e2e",
"deletedDateTime": null,
"definition": [
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
],
"displayName": "AWS Claims Policy",
"isOrganizationDefault": false
}
Paso 5.2: Asignación de la directiva de asignación de notificaciones a la entidad de servicio
La solicitud devuelve un código de respuesta 204 No Content.
POST https://graph.microsoft.com/v1.0/servicePrincipals/ef04fead-8549-4e59-b5f7-d1d8c697ec64/claimsMappingPolicies/$ref
Content-type: application/json
{
"@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ReferenceCreate
{
OdataId = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.ServicePrincipals["{servicePrincipal-id}"].ClaimsMappingPolicies.Ref.PostAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
mgc service-principals claims-mapping-policies ref post --service-principal-id {servicePrincipal-id} --body '{\
"@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e"\
}\
'
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewReferenceCreate()
odataId := "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e"
requestBody.SetOdataId(&odataId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").ClaimsMappingPolicies().Ref().Post(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.models.ReferenceCreate referenceCreate = new com.microsoft.graph.models.ReferenceCreate();
referenceCreate.setOdataId("https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e");
graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").claimsMappingPolicies().ref().post(referenceCreate);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const claimsMappingPolicy = {
'@odata.id': 'https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e'
};
await client.api('/servicePrincipals/ef04fead-8549-4e59-b5f7-d1d8c697ec64/claimsMappingPolicies/$ref')
.post(claimsMappingPolicy);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ReferenceCreate;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ReferenceCreate();
$requestBody->setOdataId('https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e');
$graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->claimsMappingPolicies()->ref()->post($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Import-Module Microsoft.Graph.Applications
$params = @{
"@odata.id" = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e"
}
New-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId $servicePrincipalId -BodyParameter $params
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.reference_create import ReferenceCreate
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ReferenceCreate(
odata_id = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e",
)
await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').claims_mapping_policies.ref.post(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Necesita un certificado que Microsoft Entra ID pueda usar para firmar una respuesta SAML. Puede usar el punto de /addTokenSigningCertificate conexión para crear un certificado de firma de token para la entidad de servicio. Como alternativa, puede crear un certificado autofirmado y cargarlo en la entidad de servicio.
Después de agregar el certificado, la entidad de servicio contiene dos objetos en la colección keyCredentials : uno para la clave privada y otro para la clave pública; y un objeto de la colección passwordCredentials para la contraseña del certificado.
Opción 1: Crear un certificado de firma de token para la entidad de servicio
Solicitud
POST https://graph.microsoft.com/v1.0/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46/addTokenSigningCertificate
Content-type: application/json
{
"displayName": "CN=AWSContoso",
"endDateTime": "2027-01-22T00:00:00Z"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.ServicePrincipals.Item.AddTokenSigningCertificate;
var requestBody = new AddTokenSigningCertificatePostRequestBody
{
DisplayName = "CN=AWSContoso",
EndDateTime = DateTimeOffset.Parse("2027-01-22T00:00:00Z"),
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AddTokenSigningCertificate.PostAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
"time"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphserviceprincipals "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
//other-imports
)
requestBody := graphserviceprincipals.NewAddTokenSigningCertificatePostRequestBody()
displayName := "CN=AWSContoso"
requestBody.SetDisplayName(&displayName)
endDateTime , err := time.Parse(time.RFC3339, "2027-01-22T00:00:00Z")
requestBody.SetEndDateTime(&endDateTime)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
addTokenSigningCertificate, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AddTokenSigningCertificate().Post(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.serviceprincipals.item.addtokensigningcertificate.AddTokenSigningCertificatePostRequestBody addTokenSigningCertificatePostRequestBody = new com.microsoft.graph.serviceprincipals.item.addtokensigningcertificate.AddTokenSigningCertificatePostRequestBody();
addTokenSigningCertificatePostRequestBody.setDisplayName("CN=AWSContoso");
OffsetDateTime endDateTime = OffsetDateTime.parse("2027-01-22T00:00:00Z");
addTokenSigningCertificatePostRequestBody.setEndDateTime(endDateTime);
SelfSignedCertificate result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").addTokenSigningCertificate().post(addTokenSigningCertificatePostRequestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const selfSignedCertificate = {
displayName: 'CN=AWSContoso',
endDateTime: '2027-01-22T00:00:00Z'
};
await client.api('/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46/addTokenSigningCertificate')
.post(selfSignedCertificate);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ServicePrincipals\Item\AddTokenSigningCertificate\AddTokenSigningCertificatePostRequestBody;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AddTokenSigningCertificatePostRequestBody();
$requestBody->setDisplayName('CN=AWSContoso');
$requestBody->setEndDateTime(new \DateTime('2027-01-22T00:00:00Z'));
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->addTokenSigningCertificate()->post($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Import-Module Microsoft.Graph.Applications
$params = @{
displayName = "CN=AWSContoso"
endDateTime = [System.DateTime]::Parse("2027-01-22T00:00:00Z")
}
Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $servicePrincipalId -BodyParameter $params
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.serviceprincipals.item.add_token_signing_certificate.add_token_signing_certificate_post_request_body import AddTokenSigningCertificatePostRequestBody
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AddTokenSigningCertificatePostRequestBody(
display_name = "CN=AWSContoso",
end_date_time = "2027-01-22T00:00:00Z",
)
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').add_token_signing_certificate.post(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Respuesta
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.selfSignedCertificate",
"customKeyIdentifier": "wt3YBEyVas0CaadaZLeGLbndrD4=",
"displayName": "CN=AWSContoso",
"endDateTime": "2027-01-22T00:00:00Z",
"key": "MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=",
"keyId": "04e5ac4e-31f9-41ad-83e2-6dd41e1d81f4",
"startDateTime": "2024-02-21T17:09:35.0006942Z",
"thumbprint": "C2DDD8044C956ACD0269A75A64B7862DB9DDAC3E",
"type": "AsymmetricX509Cert",
"usage": "Verify"
}
Opción 2: Crear un certificado de firma personalizado
Puede usar los siguientes scripts de PowerShell y C# para obtener un certificado autofirmado para las pruebas. Use los procedimientos recomendados de seguridad de su empresa para crear un certificado de firma para producción.
El siguiente script crea un certificado autofirmado con el nombre que se asigna fqdn cuando se le solicita, por ejemplo, CN=AWSContoso. Protege el certificado con la contraseña que proporciona pwd y exporta los certificados PFX y CER a la ubicación especificada en location.
Param(
[Parameter(Mandatory=$true)]
[string]$fqdn,
[Parameter(Mandatory=$true)]
[string]$pwd,
[Parameter(Mandatory=$true)]
[string]$location
)
if (!$PSBoundParameters.ContainsKey('location'))
{
$location = "."
}
$cert = New-SelfSignedCertificate -certstorelocation cert:\currentuser\my -DnsName $fqdn
$pwdSecure = ConvertTo-SecureString -String $pwd -Force -AsPlainText
$path = 'cert:\currentuser\my\' + $cert.Thumbprint
$cerFile = $location + "\\" + $fqdn + ".cer"
$pfxFile = $location + "\\" + $fqdn + ".pfx"
Export-PfxCertificate -cert $path -FilePath $pfxFile -Password $pwdSecure
Export-Certificate -cert $path -FilePath $cerFile
La siguiente aplicación de consola de C# se puede usar como prueba de concepto para comprender cómo se pueden obtener los valores necesarios. Este código es solo para aprendizaje y referencia y no debe usarse tal cual en producción.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
/* CONSOLE APP - PROOF OF CONCEPT CODE ONLY!!
* This code uses a self signed certificate and should not be used
* in production. This code is for reference and learning ONLY.
*/
namespace Self_signed_cert
{
class Program
{
static void Main(string[] args)
{
// Generate a guid to use as a password and then create the cert.
string password = Guid.NewGuid().ToString();
var selfsignedCert = buildSelfSignedServerCertificate(password);
// Print values so we can copy paste into the JSON fields.
// Print out the private key in base64 format.
Console.WriteLine("Private Key: {0}{1}", Convert.ToBase64String(selfsignedCert.Export(X509ContentType.Pfx, password)), Environment.NewLine);
// Print out the start date in ISO 8601 format.
DateTime startDate = DateTime.Parse(selfsignedCert.GetEffectiveDateString()).ToUniversalTime();
Console.WriteLine("For All startDateTime: " + startDate.ToString("o"));
// Print out the end date in ISO 8601 format.
DateTime endDate = DateTime.Parse(selfsignedCert.GetExpirationDateString()).ToUniversalTime();
Console.WriteLine("For All endDateTime: " + endDate.ToString("o"));
// Print the GUID used for keyId
string signAndPasswordGuid = Guid.NewGuid().ToString();
string verifyGuid = Guid.NewGuid().ToString();
Console.WriteLine("GUID to use for keyId for keyCredentials->Usage == Sign and passwordCredentials: " + signAndPasswordGuid);
Console.WriteLine("GUID to use for keyId for keyCredentials->Usage == Verify: " + verifyGuid);
// Print out the password.
Console.WriteLine("Password is: {0}", password);
// Print out a displayName to use as an example.
Console.WriteLine("displayName to use: CN=Example");
Console.WriteLine();
// Print out the public key.
Console.WriteLine("Public Key: {0}{1}", Convert.ToBase64String(selfsignedCert.Export(X509ContentType.Cert)), Environment.NewLine);
Console.WriteLine();
// Generate the customKeyIdentifier using hash of thumbprint.
Console.WriteLine("You can generate the customKeyIdentifier by getting the SHA256 hash of the certs thumprint.\nThe certs thumbprint is: {0}{1}", selfsignedCert.Thumbprint, Environment.NewLine);
Console.WriteLine("The hash of the thumbprint that we will use for customeKeyIdentifier is:");
string keyIdentifier = GetSha256FromThumbprint(selfsignedCert.Thumbprint);
Console.WriteLine(keyIdentifier);
}
// Generate a self-signed certificate.
private static X509Certificate2 buildSelfSignedServerCertificate(string password)
{
const string CertificateName = @"Microsoft Azure Federated SSO Certificate TEST";
DateTime certificateStartDate = DateTime.UtcNow;
DateTime certificateEndDate = certificateStartDate.AddYears(2).ToUniversalTime();
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
var certificate = request.CreateSelfSigned(new DateTimeOffset(certificateStartDate), new DateTimeOffset(certificateEndDate));
certificate.FriendlyName = CertificateName;
return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable);
}
}
// Generate hash from thumbprint.
public static string GetSha256FromThumbprint(string thumbprint)
{
var message = Encoding.ASCII.GetBytes(thumbprint);
SHA256Managed hashString = new SHA256Managed();
return Convert.ToBase64String(hashString.ComputeHash(message));
}
}
}
En el paso anterior, tiene los certificados CER y PFX. Extraiga los valores de la clave privada, la contraseña, la clave pública y la huella digital del certificado para agregarlos a la entidad de servicio.
Solicitud
El siguiente script de PowerShell permite extraer la huella digital del archivo CER. Reemplace la ruta de acceso del archivo por la ubicación del certificado.
## Replace the file path with the source of your certificate
Get-PfxCertificate -Filepath "C:\Users\admin\Desktop\CN=AWSContoso.cer" | Out-File -FilePath "C:\Users\admin\Desktop\CN=AWSContoso.cer.thumbprint.txt"
Respuesta
El archivo CN=AWSContoso.cer.thumbprint.txt tiene una entrada similar a la siguiente salida.
Thumbprint Subject EnhancedKeyUsageList
---------- ------- --------------------
5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A CN=AWSContoso {Client Authentication, Server Authentication}
El siguiente script de PowerShell permite extraer la clave pública del archivo CER. Reemplace la ruta de acceso del archivo por la ubicación del certificado.
Solicitud
[convert]::ToBase64String((Get-Content C:\Users\admin\Desktop\CN=AWSContoso.cer -AsByteStream -Raw)) | Out-File -FilePath "C:\Users\admin\Desktop\CN=AWSContoso.cer.key.txt"
Respuesta
El archivo CN=AWSContoso.cer.key.txt tiene un valor codificado en base64 similar a la siguiente salida truncada.
MIIDHjCCAgagAwIBAgIQYDbahiL7NY...6qCMVJKHAQGzGwg==
Agregar la clave de firma personalizada
Agregue los detalles siguientes a keyCredentials y passwordCredentials para la entidad de servicio. Cuando los dos objetos tienen las mismas propiedades, debe asignar los mismos valores para esas propiedades.
-
CustomKeyIdentifier es el hash de huella digital del certificado.
-
StartDateTime es la fecha en que o después de crear el certificado.
-
EndDateTime puede ser un máximo de tres años a partir de startDateTime. Si no se especifica, el sistema asigna automáticamente una fecha un año después de startDateTime.
- El tipo y el uso deben ser:
-
AsymmetricX509Cert y Verify , respectivamente, en el mismo objeto.
-
X509CertAndPassword y Sign , respectivamente, en el mismo objeto.
- Asigne el nombre del firmante del certificado a la propiedad displayName .
- La clave es el valor codificado en Base64 que generó en el paso anterior.
-
KeyId es un GUID que puede definir.
La solicitud devuelve un código de respuesta 204 No Content.
PATCH https://graph.microsoft.com/v1.0/servicePrincipals/ef04fead-8549-4e59-b5f7-d1d8c697ec64
Content-type: application/json
{
"keyCredentials": [
{
"customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
"endDateTime": "2027-01-22T00:00:00Z",
"keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",
"startDateTime": "2024-02-21T17:09:35Z",
"type": "X509CertAndPassword",
"usage": "Sign",
"key": "MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=",
"displayName": "CN=AWSContoso"
},
{
"customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
"endDateTime": "2027-01-22T00:00:00Z",
"keyId": "e35a7d11-fef0-49ad-9f3e-aacbe0a42c42",
"startDateTime": "2024-02-21T17:09:35Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"key": "MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=",
"displayName": "CN=AWSContoso"
}
],
"passwordCredentials": [
{
"customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
"keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",
"endDateTime": "2022-01-27T19:40:33Z",
"startDateTime": "2027-01-22T00:00:00Z",
"secretText": "61891f4ee44d"
}
]
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ServicePrincipal
{
KeyCredentials = new List<KeyCredential>
{
new KeyCredential
{
CustomKeyIdentifier = Convert.FromBase64String("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
EndDateTime = DateTimeOffset.Parse("2027-01-22T00:00:00Z"),
KeyId = Guid.Parse("4c266507-3e74-4b91-aeba-18a25b450f6e"),
StartDateTime = DateTimeOffset.Parse("2024-02-21T17:09:35Z"),
Type = "X509CertAndPassword",
Usage = "Sign",
Key = Convert.FromBase64String("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs="),
DisplayName = "CN=AWSContoso",
},
new KeyCredential
{
CustomKeyIdentifier = Convert.FromBase64String("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
EndDateTime = DateTimeOffset.Parse("2027-01-22T00:00:00Z"),
KeyId = Guid.Parse("e35a7d11-fef0-49ad-9f3e-aacbe0a42c42"),
StartDateTime = DateTimeOffset.Parse("2024-02-21T17:09:35Z"),
Type = "AsymmetricX509Cert",
Usage = "Verify",
Key = Convert.FromBase64String("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs="),
DisplayName = "CN=AWSContoso",
},
},
PasswordCredentials = new List<PasswordCredential>
{
new PasswordCredential
{
CustomKeyIdentifier = Convert.FromBase64String("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
KeyId = Guid.Parse("4c266507-3e74-4b91-aeba-18a25b450f6e"),
EndDateTime = DateTimeOffset.Parse("2022-01-27T19:40:33Z"),
StartDateTime = DateTimeOffset.Parse("2027-01-22T00:00:00Z"),
SecretText = "61891f4ee44d",
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
mgc service-principals patch --service-principal-id {servicePrincipal-id} --body '{\
"keyCredentials": [\
{\
"customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",\
"endDateTime": "2027-01-22T00:00:00Z",\
"keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",\
"startDateTime": "2024-02-21T17:09:35Z",\
"type": "X509CertAndPassword",\
"usage": "Sign",\
"key": "MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=",\
"displayName": "CN=AWSContoso"\
},\
{\
"customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",\
"endDateTime": "2027-01-22T00:00:00Z",\
"keyId": "e35a7d11-fef0-49ad-9f3e-aacbe0a42c42",\
"startDateTime": "2024-02-21T17:09:35Z",\
"type": "AsymmetricX509Cert",\
"usage": "Verify",\
"key": "MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=",\
"displayName": "CN=AWSContoso"\
}\
],\
"passwordCredentials": [\
{\
"customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",\
"keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",\
"endDateTime": "2022-01-27T19:40:33Z",\
"startDateTime": "2027-01-22T00:00:00Z",\
"secretText": "61891f4ee44d"\
}\
]\
}\
'
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewServicePrincipal()
keyCredential := graphmodels.NewKeyCredential()
customKeyIdentifier := []byte("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
keyCredential.SetCustomKeyIdentifier(&customKeyIdentifier)
endDateTime , err := time.Parse(time.RFC3339, "2027-01-22T00:00:00Z")
keyCredential.SetEndDateTime(&endDateTime)
keyId := uuid.MustParse("4c266507-3e74-4b91-aeba-18a25b450f6e")
keyCredential.SetKeyId(&keyId)
startDateTime , err := time.Parse(time.RFC3339, "2024-02-21T17:09:35Z")
keyCredential.SetStartDateTime(&startDateTime)
type := "X509CertAndPassword"
keyCredential.SetType(&type)
usage := "Sign"
keyCredential.SetUsage(&usage)
key := []byte("mIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=")
keyCredential.SetKey(&key)
displayName := "CN=AWSContoso"
keyCredential.SetDisplayName(&displayName)
keyCredential1 := graphmodels.NewKeyCredential()
customKeyIdentifier := []byte("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
keyCredential1.SetCustomKeyIdentifier(&customKeyIdentifier)
endDateTime , err := time.Parse(time.RFC3339, "2027-01-22T00:00:00Z")
keyCredential1.SetEndDateTime(&endDateTime)
keyId := uuid.MustParse("e35a7d11-fef0-49ad-9f3e-aacbe0a42c42")
keyCredential1.SetKeyId(&keyId)
startDateTime , err := time.Parse(time.RFC3339, "2024-02-21T17:09:35Z")
keyCredential1.SetStartDateTime(&startDateTime)
type := "AsymmetricX509Cert"
keyCredential1.SetType(&type)
usage := "Verify"
keyCredential1.SetUsage(&usage)
key := []byte("mIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=")
keyCredential1.SetKey(&key)
displayName := "CN=AWSContoso"
keyCredential1.SetDisplayName(&displayName)
keyCredentials := []graphmodels.KeyCredentialable {
keyCredential,
keyCredential1,
}
requestBody.SetKeyCredentials(keyCredentials)
passwordCredential := graphmodels.NewPasswordCredential()
customKeyIdentifier := []byte("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
passwordCredential.SetCustomKeyIdentifier(&customKeyIdentifier)
keyId := uuid.MustParse("4c266507-3e74-4b91-aeba-18a25b450f6e")
passwordCredential.SetKeyId(&keyId)
endDateTime , err := time.Parse(time.RFC3339, "2022-01-27T19:40:33Z")
passwordCredential.SetEndDateTime(&endDateTime)
startDateTime , err := time.Parse(time.RFC3339, "2027-01-22T00:00:00Z")
passwordCredential.SetStartDateTime(&startDateTime)
secretText := "61891f4ee44d"
passwordCredential.SetSecretText(&secretText)
passwordCredentials := []graphmodels.PasswordCredentialable {
passwordCredential,
}
requestBody.SetPasswordCredentials(passwordCredentials)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal servicePrincipal = new ServicePrincipal();
LinkedList<KeyCredential> keyCredentials = new LinkedList<KeyCredential>();
KeyCredential keyCredential = new KeyCredential();
byte[] customKeyIdentifier = Base64.getDecoder().decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A");
keyCredential.setCustomKeyIdentifier(customKeyIdentifier);
OffsetDateTime endDateTime = OffsetDateTime.parse("2027-01-22T00:00:00Z");
keyCredential.setEndDateTime(endDateTime);
keyCredential.setKeyId(UUID.fromString("4c266507-3e74-4b91-aeba-18a25b450f6e"));
OffsetDateTime startDateTime = OffsetDateTime.parse("2024-02-21T17:09:35Z");
keyCredential.setStartDateTime(startDateTime);
keyCredential.setType("X509CertAndPassword");
keyCredential.setUsage("Sign");
byte[] key = Base64.getDecoder().decode("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=");
keyCredential.setKey(key);
keyCredential.setDisplayName("CN=AWSContoso");
keyCredentials.add(keyCredential);
KeyCredential keyCredential1 = new KeyCredential();
byte[] customKeyIdentifier1 = Base64.getDecoder().decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A");
keyCredential1.setCustomKeyIdentifier(customKeyIdentifier1);
OffsetDateTime endDateTime1 = OffsetDateTime.parse("2027-01-22T00:00:00Z");
keyCredential1.setEndDateTime(endDateTime1);
keyCredential1.setKeyId(UUID.fromString("e35a7d11-fef0-49ad-9f3e-aacbe0a42c42"));
OffsetDateTime startDateTime1 = OffsetDateTime.parse("2024-02-21T17:09:35Z");
keyCredential1.setStartDateTime(startDateTime1);
keyCredential1.setType("AsymmetricX509Cert");
keyCredential1.setUsage("Verify");
byte[] key1 = Base64.getDecoder().decode("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=");
keyCredential1.setKey(key1);
keyCredential1.setDisplayName("CN=AWSContoso");
keyCredentials.add(keyCredential1);
servicePrincipal.setKeyCredentials(keyCredentials);
LinkedList<PasswordCredential> passwordCredentials = new LinkedList<PasswordCredential>();
PasswordCredential passwordCredential = new PasswordCredential();
byte[] customKeyIdentifier2 = Base64.getDecoder().decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A");
passwordCredential.setCustomKeyIdentifier(customKeyIdentifier2);
passwordCredential.setKeyId(UUID.fromString("4c266507-3e74-4b91-aeba-18a25b450f6e"));
OffsetDateTime endDateTime2 = OffsetDateTime.parse("2022-01-27T19:40:33Z");
passwordCredential.setEndDateTime(endDateTime2);
OffsetDateTime startDateTime2 = OffsetDateTime.parse("2027-01-22T00:00:00Z");
passwordCredential.setStartDateTime(startDateTime2);
passwordCredential.setSecretText("61891f4ee44d");
passwordCredentials.add(passwordCredential);
servicePrincipal.setPasswordCredentials(passwordCredentials);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const servicePrincipal = {
keyCredentials: [
{
customKeyIdentifier: '5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A',
endDateTime: '2027-01-22T00:00:00Z',
keyId: '4c266507-3e74-4b91-aeba-18a25b450f6e',
startDateTime: '2024-02-21T17:09:35Z',
type: 'X509CertAndPassword',
usage: 'Sign',
key: 'MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=',
displayName: 'CN=AWSContoso'
},
{
customKeyIdentifier: '5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A',
endDateTime: '2027-01-22T00:00:00Z',
keyId: 'e35a7d11-fef0-49ad-9f3e-aacbe0a42c42',
startDateTime: '2024-02-21T17:09:35Z',
type: 'AsymmetricX509Cert',
usage: 'Verify',
key: 'MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=',
displayName: 'CN=AWSContoso'
}
],
passwordCredentials: [
{
customKeyIdentifier: '5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A',
keyId: '4c266507-3e74-4b91-aeba-18a25b450f6e',
endDateTime: '2022-01-27T19:40:33Z',
startDateTime: '2027-01-22T00:00:00Z',
secretText: '61891f4ee44d'
}
]
};
await client.api('/servicePrincipals/ef04fead-8549-4e59-b5f7-d1d8c697ec64')
.update(servicePrincipal);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;
use Microsoft\Graph\Generated\Models\KeyCredential;
use Microsoft\Graph\Generated\Models\PasswordCredential;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ServicePrincipal();
$keyCredentialsKeyCredential1 = new KeyCredential();
$keyCredentialsKeyCredential1->setCustomKeyIdentifier(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A')));
$keyCredentialsKeyCredential1->setEndDateTime(new \DateTime('2027-01-22T00:00:00Z'));
$keyCredentialsKeyCredential1->setKeyId('4c266507-3e74-4b91-aeba-18a25b450f6e');
$keyCredentialsKeyCredential1->setStartDateTime(new \DateTime('2024-02-21T17:09:35Z'));
$keyCredentialsKeyCredential1->setType('X509CertAndPassword');
$keyCredentialsKeyCredential1->setUsage('Sign');
$keyCredentialsKeyCredential1->setKey(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=')));
$keyCredentialsKeyCredential1->setDisplayName('CN=AWSContoso');
$keyCredentialsArray []= $keyCredentialsKeyCredential1;
$keyCredentialsKeyCredential2 = new KeyCredential();
$keyCredentialsKeyCredential2->setCustomKeyIdentifier(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A')));
$keyCredentialsKeyCredential2->setEndDateTime(new \DateTime('2027-01-22T00:00:00Z'));
$keyCredentialsKeyCredential2->setKeyId('e35a7d11-fef0-49ad-9f3e-aacbe0a42c42');
$keyCredentialsKeyCredential2->setStartDateTime(new \DateTime('2024-02-21T17:09:35Z'));
$keyCredentialsKeyCredential2->setType('AsymmetricX509Cert');
$keyCredentialsKeyCredential2->setUsage('Verify');
$keyCredentialsKeyCredential2->setKey(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=')));
$keyCredentialsKeyCredential2->setDisplayName('CN=AWSContoso');
$keyCredentialsArray []= $keyCredentialsKeyCredential2;
$requestBody->setKeyCredentials($keyCredentialsArray);
$passwordCredentialsPasswordCredential1 = new PasswordCredential();
$passwordCredentialsPasswordCredential1->setCustomKeyIdentifier(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A')));
$passwordCredentialsPasswordCredential1->setKeyId('4c266507-3e74-4b91-aeba-18a25b450f6e');
$passwordCredentialsPasswordCredential1->setEndDateTime(new \DateTime('2022-01-27T19:40:33Z'));
$passwordCredentialsPasswordCredential1->setStartDateTime(new \DateTime('2027-01-22T00:00:00Z'));
$passwordCredentialsPasswordCredential1->setSecretText('61891f4ee44d');
$passwordCredentialsArray []= $passwordCredentialsPasswordCredential1;
$requestBody->setPasswordCredentials($passwordCredentialsArray);
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Import-Module Microsoft.Graph.Applications
$params = @{
keyCredentials = @(
@{
customKeyIdentifier = [System.Text.Encoding]::ASCII.GetBytes("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
endDateTime = [System.DateTime]::Parse("2027-01-22T00:00:00Z")
keyId = "4c266507-3e74-4b91-aeba-18a25b450f6e"
startDateTime = [System.DateTime]::Parse("2024-02-21T17:09:35Z")
type = "X509CertAndPassword"
usage = "Sign"
key = [System.Text.Encoding]::ASCII.GetBytes("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=")
displayName = "CN=AWSContoso"
}
@{
customKeyIdentifier = [System.Text.Encoding]::ASCII.GetBytes("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
endDateTime = [System.DateTime]::Parse("2027-01-22T00:00:00Z")
keyId = "e35a7d11-fef0-49ad-9f3e-aacbe0a42c42"
startDateTime = [System.DateTime]::Parse("2024-02-21T17:09:35Z")
type = "AsymmetricX509Cert"
usage = "Verify"
key = [System.Text.Encoding]::ASCII.GetBytes("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=")
displayName = "CN=AWSContoso"
}
)
passwordCredentials = @(
@{
customKeyIdentifier = [System.Text.Encoding]::ASCII.GetBytes("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
keyId = "4c266507-3e74-4b91-aeba-18a25b450f6e"
endDateTime = [System.DateTime]::Parse("2022-01-27T19:40:33Z")
startDateTime = [System.DateTime]::Parse("2027-01-22T00:00:00Z")
secretText = "61891f4ee44d"
}
)
}
Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
from msgraph.generated.models.key_credential import KeyCredential
from msgraph.generated.models.password_credential import PasswordCredential
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
key_credentials = [
KeyCredential(
custom_key_identifier = base64.urlsafe_b64decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
end_date_time = "2027-01-22T00:00:00Z",
key_id = UUID("4c266507-3e74-4b91-aeba-18a25b450f6e"),
start_date_time = "2024-02-21T17:09:35Z",
type = "X509CertAndPassword",
usage = "Sign",
key = base64.urlsafe_b64decode("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs="),
display_name = "CN=AWSContoso",
),
KeyCredential(
custom_key_identifier = base64.urlsafe_b64decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
end_date_time = "2027-01-22T00:00:00Z",
key_id = UUID("e35a7d11-fef0-49ad-9f3e-aacbe0a42c42"),
start_date_time = "2024-02-21T17:09:35Z",
type = "AsymmetricX509Cert",
usage = "Verify",
key = base64.urlsafe_b64decode("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs="),
display_name = "CN=AWSContoso",
),
],
password_credentials = [
PasswordCredential(
custom_key_identifier = base64.urlsafe_b64decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
key_id = UUID("4c266507-3e74-4b91-aeba-18a25b450f6e"),
end_date_time = "2022-01-27T19:40:33Z",
start_date_time = "2027-01-22T00:00:00Z",
secret_text = "61891f4ee44d",
),
],
)
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Activar la clave de firma personalizada
Debe establecer la propiedad preferredTokenSigningKeyThumbprint de la entidad de servicio en la huella digital del certificado que desea que use Microsoft Entra ID para firmar la respuesta SAML. La solicitud devuelve un código de respuesta 204 No Content.
Solicitud
PATCH https://graph.microsoft.com/v1.0/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46
Content-type: application/json
{
"preferredTokenSigningKeyThumbprint": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ServicePrincipal
{
PreferredTokenSigningKeyThumbprint = "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewServicePrincipal()
preferredTokenSigningKeyThumbprint := "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"
requestBody.SetPreferredTokenSigningKeyThumbprint(&preferredTokenSigningKeyThumbprint)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.setPreferredTokenSigningKeyThumbprint("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A");
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const servicePrincipal = {
preferredTokenSigningKeyThumbprint: '5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A'
};
await client.api('/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46')
.update(servicePrincipal);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ServicePrincipal();
$requestBody->setPreferredTokenSigningKeyThumbprint('5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A');
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Import-Module Microsoft.Graph.Applications
$params = @{
preferredTokenSigningKeyThumbprint = "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"
}
Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
preferred_token_signing_key_thumbprint = "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
)
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Paso 7: Asignación de usuarios a la aplicación
Asignar un usuario a la aplicación
Asigne el usuario de prueba que creó a la entidad de servicio y concédale el Admin,WAAD rol de aplicación. En el cuerpo de la solicitud, proporcione los siguientes valores:
-
principalId : el identificador de la cuenta de usuario que creó.
-
appRoleId : el identificador del
Admin,WAAD rol de aplicación que agregó.
-
resourceId : el identificador de la entidad de servicio.
Solicitud
POST https://graph.microsoft.com/v1.0/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46/appRoleAssignments
Content-type: application/json
{
"principalId": "59bb3898-0621-4414-ac61-74f9d7201355",
"principalType": "User",
"appRoleId": "3a84e31e-bffa-470f-b9e6-754a61e4dc63",
"resourceId": "d3616293-fff8-4415-9f01-33b05dad1b46"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new AppRoleAssignment
{
PrincipalId = Guid.Parse("59bb3898-0621-4414-ac61-74f9d7201355"),
PrincipalType = "User",
AppRoleId = Guid.Parse("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
ResourceId = Guid.Parse("d3616293-fff8-4415-9f01-33b05dad1b46"),
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignments.PostAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
mgc service-principals app-role-assignments create --service-principal-id {servicePrincipal-id} --body '{\
"principalId": "59bb3898-0621-4414-ac61-74f9d7201355",\
"principalType": "User",\
"appRoleId": "3a84e31e-bffa-470f-b9e6-754a61e4dc63",\
"resourceId": "d3616293-fff8-4415-9f01-33b05dad1b46"\
}\
'
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
"github.com/google/uuid"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewAppRoleAssignment()
principalId := uuid.MustParse("59bb3898-0621-4414-ac61-74f9d7201355")
requestBody.SetPrincipalId(&principalId)
principalType := "User"
requestBody.SetPrincipalType(&principalType)
appRoleId := uuid.MustParse("3a84e31e-bffa-470f-b9e6-754a61e4dc63")
requestBody.SetAppRoleId(&appRoleId)
resourceId := uuid.MustParse("d3616293-fff8-4415-9f01-33b05dad1b46")
requestBody.SetResourceId(&resourceId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
appRoleAssignments, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AppRoleAssignments().Post(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
appRoleAssignment.setPrincipalId(UUID.fromString("59bb3898-0621-4414-ac61-74f9d7201355"));
appRoleAssignment.setPrincipalType("User");
appRoleAssignment.setAppRoleId(UUID.fromString("3a84e31e-bffa-470f-b9e6-754a61e4dc63"));
appRoleAssignment.setResourceId(UUID.fromString("d3616293-fff8-4415-9f01-33b05dad1b46"));
AppRoleAssignment result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").appRoleAssignments().post(appRoleAssignment);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const appRoleAssignment = {
principalId: '59bb3898-0621-4414-ac61-74f9d7201355',
principalType: 'User',
appRoleId: '3a84e31e-bffa-470f-b9e6-754a61e4dc63',
resourceId: 'd3616293-fff8-4415-9f01-33b05dad1b46'
};
await client.api('/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46/appRoleAssignments')
.post(appRoleAssignment);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AppRoleAssignment;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AppRoleAssignment();
$requestBody->setPrincipalId('59bb3898-0621-4414-ac61-74f9d7201355');
$requestBody->setPrincipalType('User');
$requestBody->setAppRoleId('3a84e31e-bffa-470f-b9e6-754a61e4dc63');
$requestBody->setResourceId('d3616293-fff8-4415-9f01-33b05dad1b46');
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->appRoleAssignments()->post($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Import-Module Microsoft.Graph.Applications
$params = @{
principalId = "59bb3898-0621-4414-ac61-74f9d7201355"
principalType = "User"
appRoleId = "3a84e31e-bffa-470f-b9e6-754a61e4dc63"
resourceId = "d3616293-fff8-4415-9f01-33b05dad1b46"
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipalId -BodyParameter $params
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.app_role_assignment import AppRoleAssignment
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AppRoleAssignment(
principal_id = UUID("59bb3898-0621-4414-ac61-74f9d7201355"),
principal_type = "User",
app_role_id = UUID("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
resource_id = UUID("d3616293-fff8-4415-9f01-33b05dad1b46"),
)
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').app_role_assignments.post(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Respuesta
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('d3616293-fff8-4415-9f01-33b05dad1b46')/appRoleAssignments/$entity",
"id": "mDi7WSEGFESsYXT51yATVdouI-92Rw1OgPSpSxEvaLg",
"deletedDateTime": null,
"appRoleId": "3a84e31e-bffa-470f-b9e6-754a61e4dc63",
"createdDateTime": "2024-02-21T18:07:54.7959075Z",
"principalDisplayName": "Adele Vance",
"principalId": "59bb3898-0621-4414-ac61-74f9d7201355",
"principalType": "User",
"resourceDisplayName": "AWS Contoso",
"resourceId": "d3616293-fff8-4415-9f01-33b05dad1b46"
}
Use la siguiente dirección URL para obtener los metadatos Microsoft Entra ID SAML para la aplicación AWS Contoso. Reemplace por {tenant-id} el identificador de inquilino y {appId} por el appId de la aplicación de AWS Contoso. Los metadatos contienen información como el certificado de firma, Microsoft Entra entityID y Microsoft Entra SingleSignOnService, entre otros.
https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={appId}
A continuación se muestra un ejemplo de lo que puede ver para la aplicación. Guarde los datos en formato XML.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_26313693-22d4-4361-8e48-ea19bb8616e1" entityID="https://sts.windows.net/38d49456-54d4-455d-a8d6-c383c71e0a6d/">
<RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
<fed:ClaimTypesOffered>
...
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/38d49456-54d4-455d-a8d6-c383c71e0a6d/saml2"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/38d49456-54d4-455d-a8d6-c383c71e0a6d/saml2"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/38d49456-54d4-455d-a8d6-c383c71e0a6d/saml2"/>
</IDPSSODescriptor>
</EntityDescriptor>
Paso 9: Completar y probar la integración
Ahora que ha configurado la aplicación Microsoft Entra y tiene los metadatos de SAML, inicie sesión en el sitio de la empresa de AWS IAM Identity Center como administrador y:
-
Configuración del inicio de sesión único de AWS IAM Identity Center.
-
Cree un usuario de prueba de AWS IAM Identity Center cuyo nombre de usuario y dirección de correo electrónico coincidan con la cuenta de usuario que creó en Microsoft Entra ID.
-
Pruebe la integración del inicio de sesión único.
[Opcional] Paso 10: Limpieza de recursos
En este paso, quite los recursos que ha creado y que ya no necesitan.
Eliminar la aplicación
Al eliminar la aplicación, también se elimina la entidad de servicio del inquilino. La solicitud devuelve un código de respuesta 204 No Content.
DELETE https://graph.microsoft.com/v1.0/applications/b7308000-8bb3-467b-bfc7-8dbbfd759ad9
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Applications["{application-id}"].DeleteAsync();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Applications().ByApplicationId("application-id").Delete(context.Background(), nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
graphClient.applications().byApplicationId("{application-id}").delete();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
await graph_client.applications.by_application_id('application-id').delete()
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Eliminación de la cuenta de usuario de prueba
La solicitud devuelve un código de respuesta 204 No Content.
DELETE https://graph.microsoft.com/v1.0/users/59bb3898-0621-4414-ac61-74f9d7201355
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Users["{user-id}"].DeleteAsync();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Users().ByUserId("user-id").Delete(context.Background(), nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
await graph_client.users.by_user_id('user-id').delete()
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Eliminar la directiva de asignación de notificaciones
La solicitud devuelve un código de respuesta 204 No Content.
DELETE https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/a4b35718-fd5e-4ca8-8248-a3c9934b1b78
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Policies.ClaimsMappingPolicies["{claimsMappingPolicy-id}"].DeleteAsync();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Policies().ClaimsMappingPolicies().ByClaimsMappingPolicyId("claimsMappingPolicy-id").Delete(context.Background(), nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
graphClient.policies().claimsMappingPolicies().byClaimsMappingPolicyId("{claimsMappingPolicy-id}").delete();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$graphServiceClient->policies()->claimsMappingPolicies()->byClaimsMappingPolicyId('claimsMappingPolicy-id')->delete()->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
await graph_client.policies.claims_mapping_policies.by_claims_mapping_policy_id('claimsMappingPolicy-id').delete()
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Contenido relacionado