How URIs Are Used in AD FS

A Uniform Resource Identifier (URI) is a string of characters that is used as a unique identifier. In AD FS, URIs are used to identify both partner network addresses and configuration objects. When used to identify partner network addresses, the URI is always a URL. When used to identify configuration objects, the URI may be a URN or a URL. For more general information about URIs, see RFC 2396 and RFC 3986.

URIs as partner network addresses

The following are the network address URLs that are most often handled by administrators in AD FS.

  • The URLs of the Federation Service, including the WS-Federation, SAML, WS-Trust, Federation Metadata, WS-MetadataExchange, Privacy and Organization URLs

  • The URLs of a relying party trust, including the WS-Federation, SAML, and Federation Metadata URLs

  • The URLs of a claims provider trust, including the WS-Federation, SAML, and Federation Metadata URLs

URIs as object identifiers

The following table describes the identifiers that are most often handled by administrators in AD FS.

| Identifier name | Description | Comparisons |
|---|---|---|
| Federation Service identifier | This identifier is used to identify the Federation Service. It is used by relying parties that consume claims from this Federation Service, as well as by claims providers that issue claims to this Federation Service. | When a user requests claims from a claims provider for this Federation Service, the Federation Service identifier is used to identify the target of the claims. When this Federation Service receives claims from a claims provider, it checks that the claims are scoped to it by looking for its own Federation Service identifier. When a relying party receives claims from this Federation Service, the relying party checks that the issuer of the claims matches the Federation Service identifier. |
| Relying party identifier | This identifier is used to identify the relying party to this Federation Service. It is used when issuing claims to the relying party. | When a user requests claims from this Federation Service for the relying party, the relying party identifier is used to identify the relying party at which the claims should be targeted. This comparison is done using prefix matching (see below). When the relying party receives the claims, it checks for its own identifier in the security token to ensure the claims are targeted at it. |
| Claims provider identifier | This identifier is used to identify the claims provider to this Federation Service. It is used when receiving claims from the claims provider. | When this Federation Service receives claims from the claims provider, it checks that the issuer of the claims matches the claims provider identifier. |
| Claim type | This identifier is used to define the type of a claim. It is used by this Federation Service, claims providers, and relying parties when sending and receiving claims. | When the Federation Service receives claims from a claims provider, the claim rules associated with the corresponding claims provider trust allow the administrator to compare claim types and process the claims. The claim rules associated with a relying party trust also allow the administrator to compare the claim types of the claims coming out of the claims provider trust rules and decide which claims to issue. |

URI prefix matching for relying party identifiers

The path syntax of a URI is organized hierarchically and is delimited by either all "/" characters or all ":" characters. The path can therefore be split into path sections on the delimiting character. When prefix matching, each section must be a full match according to the matching rules (these rules govern the casing of matches). For more information about the matching rules, see the RFCs mentioned above.

When a relying party is identified in a request to the Federation Service, AD FS uses prefix matching logic to determine whether there is a matching relying party trust in the AD FS configuration database.

For example, if the relying party identifier in the AD FS configuration database (URI1) is a prefix of the relying party identifier in the incoming request (URI2), then all of the following must be true:

  • Trailing delimiters (slashes and colons) of path sections or authorities must be ignored

  • The scheme and authority parts of URI1 and URI2 must be a case-insensitive exact match

  • Each path section of URI1 must be an exact match (based on the case sensitivity chosen) to the corresponding path section of URI2

  • URI2 may have more path sections than URI1, but URI1 must not have more path sections than URI2

  • If URI1 has a fragment, it must match the fragment of URI2 exactly

Note

Query string parameters are not supported and are ignored in relying party identifiers.

The following table provides additional examples.

| Relying party identifier in AD FS configuration database | Relying party identifier in request message | Request identifier matches the configuration identifier? | Reason |
|---|---|---|---|
| http://contoso.com | http://contoso.com | TRUE | Exact match |
| http://contoso.com/ | http://contoso.com | TRUE | Trailing slashes are ignored |
| http://contoso.com | http://contoso.com/ | TRUE | Trailing slashes are ignored |
| http://contoso.com | http://contoso.com/hr | TRUE | URI1 has no path, and its scheme and authority match URI2 |
| http://contoso.com/hr | http://contoso.com/hr/web | TRUE | First path sections match; URI1 has no second path section |
| http://contoso.com/hr/ | http://contoso.com/hrw/main | FALSE | URI1 path section 1 does not match URI2 path section 1 |
| http://contoso.com/hr | http://contoso.com | FALSE | URI1 has more path sections than URI2 |
| http://contoso.com/hr | http://contoso.com/hrweb | FALSE | First path sections do not match |
| https://contoso.com | http://contoso.com | FALSE | Scheme parts do not match |
| http://sts.contoso.com | http://contoso.com | FALSE | Authority parts do not match |
| http://contoso.com | http://sts.contoso.com | FALSE | Authority parts do not match |
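The matching rules above, written out as code so they can be checked against the table. This is an added illustration and not AD FS's own implementation; it assumes that "/" wins as the delimiter when a path contains both "/" and ":" (the page does not say), and it exposes the "case sensitivity chosen" for path sections as a `case_sensitive` parameter. The table rows are embedded as test data, and two rows from the table also show the practical consequence of the rules: a trust whose identifier is only a scheme and authority (http://contoso.com) prefix-matches every request under that authority, including http://contoso.com/hr, so more than one configured trust can match a single request.

```python
"""Relying-party identifier prefix matching, written from the rules on this page.

Added example; not AD FS code. Assumptions: "/" takes precedence over ":" as the
path delimiter, and path-section case sensitivity is a caller choice.
"""
from urllib.parse import urlsplit


def path_sections(path):
    """Split a URI path into sections on "/" or ":", ignoring trailing delimiters."""
    if "/" in path:
        delim = "/"          # assumption: "/" wins if both delimiters appear
    elif ":" in path:
        delim = ":"          # URN-style path, e.g. "federation:contoso"
    else:
        return [path] if path else []
    stripped = path.strip(delim)
    return stripped.split(delim) if stripped else []


def is_prefix_match(config_id, request_id, case_sensitive=True):
    """True if config_id (URI1) is a prefix of request_id (URI2) per the page's rules."""
    u1, u2 = urlsplit(config_id), urlsplit(request_id)

    # Scheme and authority: case-insensitive exact match.
    if u1.scheme.lower() != u2.scheme.lower():
        return False
    if u1.netloc.lower() != u2.netloc.lower():
        return False

    # Path sections: URI1 may not have more sections than URI2, and each of its
    # sections must equal the corresponding section of URI2.
    s1, s2 = path_sections(u1.path), path_sections(u2.path)
    if len(s1) > len(s2):
        return False
    if not case_sensitive:
        s1 = [s.lower() for s in s1]
        s2 = [s.lower() for s in s2]
    if s1 != s2[: len(s1)]:
        return False

    # Fragment: if URI1 has one, URI2 must carry the identical fragment.
    if u1.fragment and u1.fragment != u2.fragment:
        return False

    # Query strings are ignored, so u1.query and u2.query are never compared.
    return True


def matching_trusts(request_id, configured_ids, case_sensitive=True):
    """Every configured identifier that prefix-matches the request.

    Several configured trusts can match one request (http://contoso.com and
    http://contoso.com/hr both match http://contoso.com/hr/web). The page does
    not say how AD FS chooses between them, so all matches are returned.
    """
    return [c for c in configured_ids if is_prefix_match(c, request_id, case_sensitive)]


# Rows of the table on this page: (configured identifier, request identifier, expected)
PAGE_EXAMPLES = [
    ("http://contoso.com", "http://contoso.com", True),
    ("http://contoso.com/", "http://contoso.com", True),
    ("http://contoso.com", "http://contoso.com/", True),
    ("http://contoso.com", "http://contoso.com/hr", True),
    ("http://contoso.com/hr", "http://contoso.com/hr/web", True),
    ("http://contoso.com/hr/", "http://contoso.com/hrw/main", False),
    ("http://contoso.com/hr", "http://contoso.com", False),
    ("http://contoso.com/hr", "http://contoso.com/hrweb", False),
    ("https://contoso.com", "http://contoso.com", False),
    ("http://sts.contoso.com", "http://contoso.com", False),
    ("http://contoso.com", "http://sts.contoso.com", False),
]


def check_page_examples():
    """Rows whose computed result disagrees with the table; empty when all agree."""
    return [(c, r, e) for c, r, e in PAGE_EXAMPLES if is_prefix_match(c, r) != e]


if __name__ == "__main__":
    for c, r, e in PAGE_EXAMPLES:
        print(f"{c:26} {r:30} {is_prefix_match(c, r)!s:5} (table says {e})")
    print("mismatches:", check_page_examples())
    print(matching_trusts("http://contoso.com/hr/web",
                          ["http://contoso.com", "http://contoso.com/hr",
                           "http://contoso.com/finance"]))
```

The same function handles URN identifiers, since `urlsplit` leaves "federation:contoso" as the path of urn:federation:contoso and the ":" delimiter rule then applies; `urn:federation:contoso` prefix-matches `urn:federation:contoso:hr` but not `urn:federation:contosohr`, for the same reason `http://contoso.com/hr` does not match `http://contoso.com/hrweb`.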