微软推出联合身份凭证系统以增强身份验证安全性

联合身份凭证系统旨在最大限度地减少用户在通过 Microsoft Entra 使用多种服务时必须交出安全凭证信息的次数。

Microsoft has announced a new Azure feature designed to minimize security risk during authentication.

Microsoft 宣布了一项新的 Azure 功能，旨在最大限度地降低身份验证过程中的安全风险。

The Federated Identity Credentials system is intended to reduce the frequency with which users must provide their secure credential information when accessing multiple services through Microsoft Entra.

联合身份凭据系统旨在减少用户在通过 Microsoft Entra 访问多个服务时必须提供安全凭据信息的频率。

The feature enables users to log into a single service to initiate their session. Following the initial login, they can then access other services without providing their secure login credentials and certificates.

该功能使用户能够登录单个服务来启动会话。初始登录后，他们可以访问其他服务，而无需提供安全登录凭据和证书。

“This process, known as the Workload Identity Federation flow, supports tokens from GitHub, Kubernetes, and other third-party OIDC issuers,” Microsoft said.

微软表示：“这个过程被称为工作负载身份联合流程，支持来自 GitHub、Kubernetes 和其他第三方 OIDC 发行者的令牌。”

“With this new capability, apps can also accept managed identity tokens issued by Microsoft Entra.”

“借助这项新功能，应用程序还可以接受 Microsoft Entra 颁发的托管身份令牌。”

In more technical terms, upon initially logging in with a Microsoft Entra service, the user will be issued a token. This token will be valid for any service that supports the Microsoft Entra API.

用更技术性的术语来说，在首次使用 Microsoft Entra 服务登录时，用户将获得一个令牌。此令牌对于支持 Microsoft Entra API 的任何服务都有效。

Using Entra minimizes the number of times a user needs to provide their secret information, such as login credentials or secure key information, thereby reducing the risk surface by minimizing the possibility of a threat actor gaining access to the secret information.

使用 Entra 可以最大限度地减少用户需要提供其秘密信息（例如登录凭据或安全密钥信息）的次数，从而通过最大限度地减少威胁行为者访问秘密信息的可能性来减少风险面。

Such tactics are becoming increasingly popular in the identity management space. Okta recently made a unified identity management system the centerpiece of its future business plan.

这种策略在身份管理领域变得越来越流行。 Okta 最近将统一身份管理系统作为其未来业务计划的核心。

Vendors largely view identity management solutions as a key component of their information security plan because using a single token across multiple services minimizes the chances of interception and protects against data breaches by third-party vendors who would otherwise need to collect sensitive information.

供应商在很大程度上将身份管理解决方案视为其信息安全计划的关键组成部分，因为在多个服务中使用单一令牌可以最大限度地减少拦截的机会，并防止第三方供应商（否则需要收集敏感信息）的数据泄露。

In Microsoft’s case, the Entra platform encompasses not only the Azure services, but also a range of apps that utilize Kubernetes and GitHub.

就微软而言，Entra 平台不仅包含 Azure 服务，还包含一系列利用 Kubernetes 和 GitHub 的应用程序。

“Customers using Microsoft Entra ID applications to authenticate users, access resources on behalf of users, or perform cross-tenant access can improve their security by adopting managed identities as federated identity credentials,” Microsoft said.

微软表示：“使用微软 Entra ID 应用程序来验证用户身份、代表用户访问资源或执行跨租户访问的客户可以通过采用托管身份作为联合身份凭证来提高其安全性。”

“This approach is more secure and robust compared to managing secrets, rotating certificates, and handling multiple permission sets for apps and managed identities.”

“与管理机密、轮换证书以及处理应用程序和托管身份的多个权限集相比，这种方法更安全、更稳健。”