C# 为特定域用户启用SSO

我正在我的应用程序中使用OpenID连接身份验证。我已在Microsoft app Registration Portal中注册了我的应用程序，并从那里收到了客户端Id和密码

private static string appId = ConfigurationManager.AppSettings["ida:AppId"];
private static string appSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
private static string graphScopes = ConfigurationManager.AppSettings["ida:GraphScopes"];

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = appId,
            Authority = "https://login.microsoftonline.com/common/v2.0",
            PostLogoutRedirectUri = redirectUri,
            RedirectUri = redirectUri,
            Scope = "openid email profile offline_access " + graphScopes,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false,
                    // In a real application you would use IssuerValidator for additional checks, 
                    // like making sure the user's organization has signed up for your app.
                    //     IssuerValidator = (issuer, token, tvp) =>
                    //     {
                    //         if (MyCustomTenantValidation(issuer)) 
                    //             return issuer;
                    //         else
                    //             throw new SecurityTokenInvalidIssuerException("Invalid issuer");
                    //     },
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async(context) =>
                    {
                        var code = context.Code;
                        string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;

                        TokenCache userTokenCache = new SessionTokenCache(signedInUserID,
                            context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance();
                        ConfidentialClientApplication cca = new ConfidentialClientApplication(
                            appId,

                            redirectUri,
                            new ClientCredential(appSecret),
                            userTokenCache,
                            null);
                        string[] scopes = graphScopes.Split(new char[] { ' ' });

                        AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);
                    },
                    AuthenticationFailed = (context) =>
                    {
                        context.HandleResponse();
                        context.Response.Redirect("/Error?message=" + context.Exception.Message);
                        return Task.FromResult(0);
                    }
            }
        });
}

此代码启用SSO，但来自我使用的任何Microsoft帐户

common

权限。但我希望来自特定目录或域的用户登录到我的应用程序

我试过这个

Authority = "https://login.microsoftonline.com/{tenant_id}",

而不是

Authority = "https://login.microsoftonline.com/common/v2.0",

---

但它不起作用，并且Microsoft登录页不显示在浏览器中。

您已经接近，但您缺少了结尾处的

/v2.0

对于多租户应用程序（AAD和MSA帐户），您使用：

对于单租户应用程序（仅限AAD），您需要使用：

https://login.microsoftonline.com/{tenant_id}/v2.0

---

/v2.0

表示您的应用程序使用Azure AD的“v2.0应用程序模型”（也称为“v2端点”）。

我这边还有一个问题。是否可以只允许某个域中特定组的用户登录我的应用程序？如果是的话，那我怎么做呢

https://login.microsoftonline.com/{tenant_id}/v2.0