Identify Your AD FS Deployment Goals

Correctly identifying your Active Directory Federation Services (AD FS) deployment goals is essential for the success of your AD FS design project. Prioritize and, where possible, combine your deployment goals so that you can design and deploy AD FS by using an iterative approach. You can take advantage of the existing, documented, and predefined AD FS deployment goals that are relevant to the AD FS designs and develop a working solution for your situation.

Prior versions of AD FS were most commonly deployed to achieve the following:

  • Providing your employees or customers with a web-based SSO experience when accessing claims-based applications within your enterprise.

  • Providing your employees or customers with a web-based SSO experience to access resources in any federation partner organization.

  • Providing your employees or customers with a web-based SSO experience when remotely accessing internally hosted web sites or services.

  • Providing your employees or customers with a web-based SSO experience when accessing resources or services in the cloud.

In addition to these, AD FS in Windows Server® 2012 R2 adds functionality that can help you achieve the following:

  • Device workplace join for SSO and seamless second-factor authentication. This enables organizations to allow access from users' personal devices and to manage the risk that comes with providing this access.

  • Managing risk with multi-factor access control. AD FS provides a rich level of authorization that controls who has access to which applications. This can be based on user attributes (UPN, email, security group membership, authentication strength, etc.), device attributes (whether the device is workplace joined), or request attributes (network location, IP address, or user agent).

  • Managing risk with additional multi-factor authentication for sensitive applications. AD FS allows you to control policies that require multi-factor authentication either globally or on a per-application basis. In addition, AD FS provides extensibility points that let any multi-factor vendor integrate deeply, for a secure and seamless multi-factor experience for end users.

  • Providing authentication and authorization capabilities for accessing web resources from the extranet that are protected by the Web Application Proxy.

To summarize, AD FS in Windows Server 2012 R2 can be deployed to achieve the following goals in your organization:

Enable your users to access resources on their personal devices from anywhere

  • Workplace join, which enables users to join their personal devices to corporate Active Directory and, as a result, gain access and seamless experiences when accessing corporate resources from these devices.

  • Pre-authentication of resources inside the corporate network that are protected by the Web Application Proxy and accessed from the internet.

  • Password change, which enables users to change their password from any workplace joined device when their password has expired, so that they can continue to access resources.

Enhance your access control risk management tools

Managing risk is an important aspect of governance and compliance in every IT organization. There are numerous access control risk management enhancements in AD FS in Windows Server® 2012 R2, including the following:

  • Flexible controls based on network location to govern how a user authenticates to access an AD FS-secured application.

  • Flexible policy to determine whether a user needs to perform multi-factor authentication based on the user's data, device data, and network location.

  • Per-application control to bypass SSO and force the user to provide credentials every time they access a sensitive application.

  • Flexible per-application access policy based on user data, device data, or network location.

  • AD FS Extranet Lockout, which enables administrators to protect Active Directory accounts from brute-force attacks originating from the internet.

  • Access revocation for any workplace joined device that is disabled or deleted in Active Directory.
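The multi-factor access control, per-application policy and Extranet Lockout goals listed above map to a small set of AD FS Windows PowerShell settings. The following is an added example, not code from this page or from Microsoft's documentation; it assumes a relying party trust named "Expense App", a placeholder group SID for the finance group, and that the device-registration claim is simply absent for devices that are not workplace joined.

```powershell
# Added example: AD FS 2012 R2 access-control policy, run in an elevated
# Windows PowerShell session on a federation server.
# Assumptions: a relying party trust named "Expense App" and a finance
# group SID placeholder; replace both with your own values.

# 1. Per-application additional-authentication (MFA) rule. Issuing the
#    "multipleauthn" authentication-method claim tells AD FS to invoke the
#    configured additional provider. Here it fires when the request comes
#    from outside the corporate network OR the device is not workplace
#    joined (assumed: the isregistereduser claim is absent in that case).
$mfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");

NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName "Expense App" -AdditionalAuthenticationRules $mfaRule

# 2. Per-application issuance authorization rule: only members of the
#    finance group (SID placeholder) receive a permit claim; a request
#    that yields no permit claim is denied access to this application.
$authzRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<domain>-<rid>"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Expense App" -IssuanceAuthorizationRules $authzRule

# 3. Extranet Lockout: after 15 failed extranet attempts inside the
#    observation window, AD FS stops forwarding that account's extranet
#    password attempts to AD, so internet-based guessing cannot trip the
#    AD account lockout. Keep the threshold below AD's lockout threshold.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 15 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 4. Verify what was applied.
Get-AdfsRelyingPartyTrust -Name "Expense App" |
    Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
```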

Use AD FS to enhance the sign-in experience

The following are new AD FS capabilities in Windows Server® 2012 R2 that enable administrators to customize and enhance the sign-in experience:

  • Unified customization of the AD FS service, where changes are made once and then automatically propagated to the rest of the AD FS federation servers in a given farm.

  • Updated sign-in pages that look modern and automatically cater to different form factors.

  • Support for automatic fallback to forms-based authentication for devices that are not joined to the corporate domain but are still used to generate access requests from within the corporate network (intranet).

  • Simple controls to customize the company logo, illustration image, and standard links for IT support, home page, privacy, etc.

  • Customization of description messages in the sign-in pages.

  • Customization of web themes.

  • Home Realm Discovery (HRD) based on the organizational suffix of the user, for enhanced privacy of a company's partners.

  • HRD filtering on a per-application basis to automatically pick a realm based on the application.

  • One-click error reporting for easier IT troubleshooting.

  • Customizable error messages.

  • User authentication choice when more than one authentication provider is available.

See Also

AD FS Design Guide in Windows Server 2012 R2