My video blog address: http://www.lofter.com/blog/cloudrivers

Connecting AWS SSO to an on-premises Active Directory

Users in an on-premises Active Directory can also be given SSO access to the AWS accounts and cloud applications in the AWS SSO user portal. AWS Directory Service provides two options for this:

  • Create a two-way trust relationship – With a two-way trust created between AWS Managed Microsoft AD and the on-premises Active Directory, on-premises users can sign in to AWS services and business applications with their corporate credentials. A one-way trust does not work with AWS SSO. For more information about setting up a two-way trust, see When to Create a Trust Relationship in the AWS Directory Service Administration Guide.

  • Create an AD Connector – AD Connector is a directory gateway that redirects directory requests to the on-premises Active Directory without caching any information in the cloud. For more information, see Connect to a Directory in the AWS Directory Service Administration Guide.

Note: AWS SSO does not work with Samba4-based Simple AD directories.
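The two options above, and the Simple AD exclusion, translate into a simple precheck on the Directory Service inventory: an AD Connector directory is usable as-is, an AWS Managed Microsoft AD directory needs at least one verified two-way trust to the on-premises domain, and a Simple AD directory is rejected. The following is an added example, not code from the page or from AWS; it evaluates the plain dictionaries that the real `describe_directories` and `describe_trusts` calls return (field names `Type`, `TrustDirection`, `TrustState`, `RemoteDomainName` are the documented ones), and the directory IDs and domain name in the sample data are constructed. The `fetch_inventory` helper that performs the live calls is only run when `boto3` and credentials are available, so the sample runs offline.

```python
"""Precheck: can each AWS Directory Service directory back AWS SSO?

Rules applied (from the two options above):
  * ADConnector  -> usable; requests go to the on-premises AD.
  * MicrosoftAD  -> usable only with a verified Two-Way trust.
  * SimpleAD     -> not supported by AWS SSO.
"""

# Constructed sample inventory (placeholder IDs and domain, not real resources).
SAMPLE_DIRECTORIES = [
    {"DirectoryId": "d-EXAMPLE00001", "Type": "MicrosoftAD", "Name": "aws.corp.example.com"},
    {"DirectoryId": "d-EXAMPLE00002", "Type": "MicrosoftAD", "Name": "aws2.corp.example.com"},
    {"DirectoryId": "d-EXAMPLE00003", "Type": "ADConnector", "Name": "corp.example.com"},
    {"DirectoryId": "d-EXAMPLE00004", "Type": "SimpleAD", "Name": "simple.example.com"},
]
SAMPLE_TRUSTS = {
    # Verified two-way forest trust: satisfies the AWS SSO prerequisite.
    "d-EXAMPLE00001": [{"RemoteDomainName": "corp.example.com",
                        "TrustDirection": "Two-Way", "TrustType": "Forest",
                        "TrustState": "Verified"}],
    # One-way trust only: does not work with AWS SSO.
    "d-EXAMPLE00002": [{"RemoteDomainName": "corp.example.com",
                        "TrustDirection": "One-Way: Outgoing", "TrustType": "Forest",
                        "TrustState": "Verified"}],
}


def evaluate(directory, trusts):
    """Return (ok, reasons) for one directory description and its trust list."""
    dtype = directory.get("Type")
    if dtype == "SimpleAD":
        return False, ["Simple AD (Samba4) is not supported by AWS SSO"]
    if dtype == "ADConnector":
        return True, ["AD Connector: directory requests are redirected to on-premises AD"]
    if dtype != "MicrosoftAD":
        return False, [f"unknown directory type {dtype!r}"]

    # AWS Managed Microsoft AD: need at least one verified two-way trust.
    reasons, usable = [], []
    for t in trusts:
        name = t.get("RemoteDomainName", "?")
        direction = t.get("TrustDirection")
        state = t.get("TrustState")
        if direction != "Two-Way":
            reasons.append(f"{name}: {direction} trust; one-way trusts do not work with AWS SSO")
        elif state != "Verified":
            reasons.append(f"{name}: trust state is {state}, expected Verified")
        else:
            usable.append(name)
    if not usable:
        reasons.append("no verified two-way trust to an on-premises domain")
        return False, reasons
    reasons.append("verified two-way trust(s): " + ", ".join(usable))
    return True, reasons


def report(directories, trusts_by_id):
    """Map DirectoryId -> (ok, reasons) for a whole inventory."""
    return {d["DirectoryId"]: evaluate(d, trusts_by_id.get(d["DirectoryId"], []))
            for d in directories}


def fetch_inventory():
    """Live inventory via boto3 (only called when run as a script with credentials)."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    ds = boto3.client("ds")
    directories = ds.describe_directories()["DirectoryDescriptions"]
    trusts = {d["DirectoryId"]: ds.describe_trusts(DirectoryId=d["DirectoryId"])["Trusts"]
              for d in directories if d["Type"] == "MicrosoftAD"}
    return directories, trusts


if __name__ == "__main__":
    try:
        directories, trusts = fetch_inventory()
    except Exception:  # no boto3 / no credentials: fall back to the constructed sample
        directories, trusts = SAMPLE_DIRECTORIES, SAMPLE_TRUSTS
    for directory_id, (ok, reasons) in report(directories, trusts).items():
        print(f"{directory_id}: {'OK' if ok else 'NOT USABLE'} - {'; '.join(reasons)}")
```

Run it against the constructed sample and only d-EXAMPLE00001 (verified two-way trust) and d-EXAMPLE00003 (AD Connector) pass; the one-way trust and the Simple AD directory are reported with the reason, which is the check worth running before pointing AWS SSO at a directory.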

Context-aware

In this mode, AWS SSO analyzes the sign-in context (browser, location, and devices) for each user to determine whether the user is signing in with a previously trusted context. If a user is signing in from an unknown location or is using an unknown device, SSO prompts the user to verify their second factor of authentication. The user is prompted for a verification code in addition to their email address and password credentials.

This mode provides additional protection while making it easier for users who frequently sign in from their offices, because they do not need to complete two-step verification on every sign-in. SSO prompts users with two-step verification during initial sign-ins to create a baseline of successful sign-ins. Once a stable baseline is established, AWS SSO uses the baseline to determine a "trusted" sign-in and does not challenge users for a verification code. Users are only required to provide additional verification when their sign-in context changes. Such changes include signing in from a new device, a new browser, or an unknown location.

posted @ 2019-07-28 10:09  Michael云擎