Plan for custom claims providers for People Picker in SharePoint 2013

Summary: Learn how to plan for custom claims providers for the People Picker web control in SharePoint Server 2013.

You can use the claims providers that are included with SharePoint Server 2013, or you can create your own custom claims providers to connect to additional sources of claims and provide additional claims in the security token for a user. For example, if you have a customer relationship management (CRM) application that contains roles that are not found in the user repository in Active Directory Domain Services (AD DS), you can create a custom claims provider that connects to the CRM database and adds CRM role data to a user's original security token. For more information about claims provider usage scenarios, see Claims Provider.

A claims provider in SharePoint Server 2013 is used to augment claims and to provide name resolution. In the claims augmentation role, a claims provider augments a user's security token with additional claims during sign-in. For more information about claims augmentation, see Claims Provider. In the name resolution role, a claims provider lists, resolves, searches, and determines the "friendly" display of users, groups, and claims in the People Picker. Claims picking enables an application to surface claims in the People Picker, for example when you configure the security of a SharePoint site or SharePoint service. For more information about People Picker, see Plan for People Picker in SharePoint 2013.

By default, the information that is resolved in People Picker when a query is performed depends on the information supplied by the claims provider. You cannot change what information is supplied, or how it is displayed, when you use an out-of-box claims provider. To do this, you must create a custom claims provider that meets the needs of your solution for finding and selecting users, groups, and claims when a user assigns permissions to items such as a site, list, or library.

When you create a custom claims provider, you control what information is displayed and what results are returned in response to a query from the People Picker control. By default, you configure the web application to use claims authentication, and then register the claims provider on the server.

Before reading this article, you should understand the concepts described in Plan for user authentication methods in SharePoint Server and The Role of Claims. For additional information about claims-based authentication, see SharePoint Claims-Based Identity and A Guide to Claims-based Identity and Access Control.

Architecture

When a web application is configured to use claims-based authentication, SharePoint Server 2013 automatically uses two default claims providers:

Depending on the authentication method selected for a zone of a web application, SharePoint Server 2013 also uses one or more of the default claims providers that are listed in Table 1.

Table 1. Authentication methods and default claims providers

Authentication method                                                   Claims provider
Windows authentication                                                  SPActiveDirectoryClaimProvider
Forms-based authentication                                              SPFormsClaimProvider
Security Assertion Markup Language (SAML) token-based authentication    SPTrustedClaimProvider

You can see the list of claims providers for a farm by using the Get-SPClaimProvider Microsoft PowerShell cmdlet.

Note

When a web application is configured to use SAML token-based authentication, the SPTrustedClaimProvider class does not provide search functionality to the People Picker web control. Any text entered in the People Picker control is automatically displayed as if it were resolved, regardless of whether it is a valid user, group, or claim. If your SharePoint Server 2013 solution will use SAML token-based authentication, you should plan to create a custom claims provider that implements custom search and name resolution.

Claims providers are registered on a server farm as features that are deployed to the farm. They are scoped at the farm level. Each claims provider object uses the SPClaimProviderDefinition class to hold information about the claims provider, such as display name, description, assembly, and type. Two important properties of the SPClaimProviderDefinition class are IsEnabled and IsUsedByDefault. These properties determine whether a registered claims provider is enabled for use in the farm, and whether the claims provider is used by default in a particular zone. By default, all claims providers are enabled when they are deployed to a server farm. For information about the SPClaimProviderDefinition class, see SPClaimProviderDefinition.

For more information about zones and authentication, see Plan for user authentication methods in SharePoint Server.

Example custom claims provider configuration

By default, when you register a custom claims provider on the farm, the IsEnabled and IsUsedByDefault properties are both set to True. Depending on the number of zones needed for your SharePoint Server 2013 solution, the authentication methods used by each zone, and the users of each zone, you may want to limit the zones in which your custom claims provider is displayed in People Picker.

Because claims providers are scoped at the farm level and enabled at the zone level, you must carefully plan the zones in which you want the custom claims provider to be displayed. In general, you should ensure that the IsUsedByDefault property is set to False, and then configure the SPIisSettings class for each zone in which you want to use the custom claims provider. To configure a custom claims provider for selected zones, you can create a PowerShell script that sets the claims providers for a zone by using the ClaimsProviders property, or you can create a custom application that lets you enable a custom claims provider for selected zones.

For example, consider a scenario in which there are two web applications:

  • The first web application, PartnerWeb, has two zones (an intranet zone that uses Windows claims-based authentication and an extranet zone that uses forms-based authentication) and is used for collaboration among employees and partners.

  • The second web application, PublishingWeb, has only one zone, which uses forms-based authentication, and is an Internet publishing site for employees, business partners, and customer partners.

Now, suppose that for the extranet zone on PartnerWeb, you want employees to be able to collaborate with business partners but not customer partners. To do this, you write a custom claims provider that determines whether the current user is a business partner or a customer partner, based on the user's identity. In this example, users from fabrikam.com are business partners, and users from contoso.com are customer partners. When a user who is a business partner is authenticated in the PartnerWeb web application, a claim for a role called BusinessPartner is added to the claim token. When a customer partner is authenticated, a claim for a role called CustomerPartner is added to the claim token.

To make sure that customer partners are never added to the extranet collaboration site, you add a web application policy on the PartnerWeb web application for the extranet zone that explicitly denies access to any user who has a claim for a role called CustomerPartner. The custom claims provider must also implement search and type-in support so that the CustomerPartner role claim can be resolved in the People Picker and added to the web application policy. Finally, to enable this functionality on the extranet zone, you configure the SPIisSettings class for that zone to use the custom claims provider. The following diagram shows the authentication methods and claims provider settings for each web application and zone.
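The scenario above asks the custom claims provider to do two things: augment the token with a BusinessPartner or CustomerPartner role claim at sign-in, and let the People Picker search for and resolve those role claims so the deny policy can be built on CustomerPartner. The following C# class is an added example written for this article, not code from the original page or from a Microsoft sample. It derives from the real SPClaimProvider base class; the namespace, the provider name, the assumption that the identity claim value has the form user@domain, and the fabrikam.com/contoso.com mapping are illustrative choices, and the role claim type URI is the well-known WS-Federation role claim type.

```csharp
// Added example for this article (not original page code): PartnerWeb extranet claims provider.
using System;
using System.Collections.Generic;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

namespace Contoso.Samples.Claims // hypothetical namespace
{
    public class PartnerClaimsProvider : SPClaimProvider
    {
        public const string ProviderInternalName = "PartnerClaimsProvider"; // assumed internal name
        public const string ProviderDisplayName = "Partner Roles";
        // Well-known WS-Federation role claim type and XML Schema string value type.
        private const string RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
        private const string StringValueType = "http://www.w3.org/2001/XMLSchema#string";
        private const string BusinessPartnerRole = "BusinessPartner";
        private const string CustomerPartnerRole = "CustomerPartner";
        private static readonly string[] Roles = { BusinessPartnerRole, CustomerPartnerRole };

        public PartnerClaimsProvider(string displayName) : base(displayName) { }

        public override string Name { get { return ProviderInternalName; } }
        public override bool SupportsEntityInformation { get { return true; } }
        public override bool SupportsHierarchy { get { return false; } }
        public override bool SupportsResolve { get { return true; } }
        public override bool SupportsSearch { get { return true; } }

        // Assumption: the text after the last '@' in the identity value is the partner's domain.
        public static string RoleForIdentity(string identity)
        {
            if (string.IsNullOrEmpty(identity)) return null;
            int at = identity.LastIndexOf('@');
            if (at < 0 || at == identity.Length - 1) return null;
            string domain = identity.Substring(at + 1).ToLowerInvariant();
            if (domain == "fabrikam.com") return BusinessPartnerRole; // business partners
            if (domain == "contoso.com") return CustomerPartnerRole;  // customer partners
            return null;                                              // employees or unknown domains: no role claim
        }

        // Claims augmentation: called at sign-in; adds the partner role claim to the user's token.
        protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
        {
            if (entity == null || claims == null) return;
            string role = RoleForIdentity(entity.Value);
            if (role != null) claims.Add(CreateClaim(RoleClaimType, role, StringValueType));
        }

        protected override void FillClaimTypes(List<string> claimTypes) { claimTypes.Add(RoleClaimType); }
        protected override void FillClaimValueTypes(List<string> claimValueTypes) { claimValueTypes.Add(StringValueType); }
        protected override void FillEntityTypes(List<string> entityTypes) { entityTypes.Add(SPClaimEntityTypes.FormsRole); }

        protected override void FillSchema(SPProviderSchema schema)
        {
            schema.AddSchemaElement(new SPSchemaElement(PeopleEditorEntityDataKeys.DisplayName, "Display Name", SPSchemaElementType.Both));
        }

        // Builds the People Picker entity that represents one role claim.
        private PickerEntity RoleEntity(string role)
        {
            PickerEntity pe = CreatePickerEntity();
            pe.Claim = CreateClaim(RoleClaimType, role, StringValueType);
            pe.Description = ProviderDisplayName + ": " + role;
            pe.DisplayText = role;
            pe.EntityData[PeopleEditorEntityDataKeys.DisplayName] = role;
            pe.EntityType = SPClaimEntityTypes.FormsRole;
            pe.IsResolved = true;
            return pe;
        }

        // Type-in resolution: only an exact role name resolves, unlike the SAML provider's "anything resolves" behaviour.
        protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved)
        {
            foreach (string role in Roles)
                if (string.Equals(role, resolveInput, StringComparison.OrdinalIgnoreCase)) resolved.Add(RoleEntity(role));
        }

        // Resolution of a claim picked earlier (for example when a policy page is reloaded).
        protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved)
        {
            if (resolveInput == null || resolveInput.ClaimType != RoleClaimType) return;
            FillResolve(context, entityTypes, resolveInput.Value, resolved);
        }

        // Search: prefix match, so typing "Cust" offers CustomerPartner in the picker.
        protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern, int maxCount, SPProviderHierarchyTree searchTree)
        {
            int added = 0;
            foreach (string role in Roles)
            {
                if (added >= maxCount) break;
                if (!role.StartsWith(searchPattern ?? string.Empty, StringComparison.OrdinalIgnoreCase)) continue;
                searchTree.AddEntity(RoleEntity(role));
                added++;
            }
        }

        // No hierarchy is exposed (SupportsHierarchy is false), so there is nothing to fill here.
        protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy) { }
    }
}
```

The point to notice is the difference between the two roles of the provider: FillClaimsForEntity runs during sign-in and decides which role claim a user carries, while FillResolve and FillSearch only decide what an administrator can find and pick in the People Picker. Resolution is deliberately strict (exact match on a known role name), which is exactly the behaviour the SPTrustedClaimProvider note above says you do not get with SAML zones out of the box.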

Figure 1. Example of the authentication methods and claims provider settings for web applications and zones

SPIisSettings diagram

You can set the IsUsedByDefault property by configuring it in a feature receiver that you create for your custom claims provider.

You can also override the settings of the IsEnabled and IsUsedByDefault properties by using the Set-SPClaimProvider PowerShell cmdlet.

Important

Changing the IsEnabled property to False disables the claims provider for the server farm. This can be useful if you have to troubleshoot issues that might be caused by a custom claims provider. In general, the IsEnabled property should be set to True.
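The configuration steps described above (set IsUsedByDefault to False in a feature receiver, opt only the PartnerWeb extranet zone in through the SPIisSettings ClaimsProviders property, and add a web application policy that denies the CustomerPartner role claim) can be carried out in one farm-scoped feature receiver. The following C# class is an added example written for this article, not code from the original page or from a Microsoft sample. It derives from the real SPClaimProviderFeatureReceiver base class; the PartnerWeb URL, the namespace, the provider name and type name, and the assumption that SPIisSettings.ClaimsProviders is a settable collection of provider names are illustrative and marked in the code.

```csharp
// Added example for this article (not original page code): register the provider, restrict it to one zone, add the deny policy.
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Administration.Claims;

namespace Contoso.Samples.Claims // hypothetical namespace
{
    public class PartnerClaimsProviderFeatureReceiver : SPClaimProviderFeatureReceiver
    {
        private const string PartnerWebUrl = "http://partnerweb";                                  // assumed URL of PartnerWeb
        private const string ProviderName = "PartnerClaimsProvider";                               // assumed; must equal the provider's Name
        private const string ProviderTypeName = "Contoso.Samples.Claims.PartnerClaimsProvider";    // assumed full type name
        private const string ProviderDisplayName = "Partner Roles";
        private const string RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
        private const string StringValueType = "http://www.w3.org/2001/XMLSchema#string";

        // Values the base class stores in the SPClaimProviderDefinition (assembly, type, display name, description).
        public override string ClaimProviderAssembly { get { return typeof(PartnerClaimsProviderFeatureReceiver).Assembly.FullName; } }
        public override string ClaimProviderType { get { return ProviderTypeName; } }
        public override string ClaimProviderDisplayName { get { return ProviderDisplayName; } }
        public override string ClaimProviderDescription { get { return "Adds BusinessPartner and CustomerPartner role claims"; } }

        public override void FeatureActivated(SPFeatureReceiverProperties properties)
        {
            // The base implementation registers the provider; IsEnabled and IsUsedByDefault both start out True.
            base.FeatureActivated(properties);
            SPSecurity.RunWithElevatedPrivileges(RestrictToExtranetZone);
        }

        // Step 1: stop the provider from being used by default in every zone of every web application.
        private static void DisableDefaultUse()
        {
            SPClaimProviderManager cpm = SPClaimProviderManager.Local;
            foreach (SPClaimProviderDefinition cpd in cpm.ClaimProviders)
            {
                if (cpd.DisplayName != ProviderDisplayName) continue;
                cpd.IsUsedByDefault = false; // IsEnabled stays True so the provider remains available in the farm
                cpm.Update();
                break;
            }
        }

        // Steps 2 and 3: opt the extranet zone in through SPIisSettings and deny the CustomerPartner role there.
        private static void RestrictToExtranetZone()
        {
            DisableDefaultUse();
            SPWebApplication wa = SPWebApplication.Lookup(new Uri(PartnerWebUrl));
            SPIisSettings extranet = wa.GetIisSettingsWithFallback(SPUrlZone.Extranet);

            // Assumption: ClaimsProviders is an IEnumerable<string> of provider names with a public setter.
            List<string> providers = new List<string>(extranet.ClaimsProviders);
            if (!providers.Contains(ProviderName))
            {
                providers.Add(ProviderName);
                extranet.ClaimsProviders = providers;
            }

            // Encode the CustomerPartner role claim the same way the provider issues it, then deny it at the zone.
            SPClaim customerPartner = new SPClaim(RoleClaimType, "CustomerPartner", StringValueType,
                SPOriginalIssuers.Format(SPOriginalIssuerType.ClaimProvider, ProviderName));
            string encoded = SPClaimProviderManager.Local.EncodeClaim(customerPartner);
            SPPolicyCollection policies = wa.ZonePolicies(SPUrlZone.Extranet);
            bool exists = false;
            foreach (SPPolicy p in policies) if (p.UserName == encoded) exists = true;
            if (!exists)
            {
                SPPolicy deny = policies.Add(encoded, "CustomerPartner role (deny all)");
                deny.PolicyRoleBindings.Add(wa.PolicyRoles.GetSpecialRole(SPPolicyRoleType.DenyAll));
            }
            wa.Update();
        }
    }
}
```

Two design points: the provider is left enabled (IsEnabled stays True) and only its default use is switched off, so the farm-wide kill switch described in the Important note above remains available for troubleshooting with Set-SPClaimProvider; and the deny policy is keyed on the encoded claim with the provider as original issuer, so it matches the claim that FillClaimsForEntity adds at sign-in rather than a role claim issued by some other provider.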

Using custom claims on more than one farm

Claim values are a combination of the claim itself, the claims provider name, and the order in which the claims provider was installed on the server. Therefore, if you want to use a claim across multiple farms or environments, you must install the claims providers in the same order on each farm in which you want to use the claim. Use the following steps when you have installed a custom claims provider on a farm and you want to use the same claim on additional farms:

  1. Register the claims providers on the additional farms in the same order in which they were registered on the first farm.

  2. Perform a backup of the first farm. For information about how to back up a farm, see Back up farms in SharePoint Server.

  3. Use the backup from the first farm to restore the other farms. For information about how to restore a farm, see Restore farms in SharePoint Server.

Planning considerations for custom claims providers

As you plan custom claims providers for use with People Picker in your SharePoint solution, consider the following questions:

  • What zones does your web application have, and what authentication methods are used in each zone?

  • Are there any custom claims that should be added to users to enable more advanced permissions or security scenarios?

  • Will you be using SAML authentication with a trusted identity provider?

  • What will be the source of the values for the users and roles that will be displayed in People Picker query results?

The SharePoint Server 2013 Content Publishing team wants to thank Steve Peschka for contributing to this article. Take a look at Steve Peschka's Share-n-dipity TechNet blog.

See also

Concepts

People Picker and claims providers overview

Plan for user authentication methods in SharePoint Server