Provide Users in Another Organization Access to Your Claims-Aware Applications and Services

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

When you are an administrator in the resource partner organization in Active Directory Federation Services (AD FS) and you have a deployment goal to provide federated access for users in another organization (the account partner organization) to a claims-aware application or a Web-based service that is located in your organization (the resource partner organization):

  • Federated users both in your organization and in organizations that have configured a federation trust to your organization (account partner organizations) can access the AD FS-secured application or service that is hosted by your organization. For more information, see Federated Web SSO Design.

    For example, Fabrikam may want its corporate network employees to have federated access to Web services that are hosted in Contoso.

  • Federated users who have no direct association with a trusted organization (such as individual customers), and who are logged on to an attribute store that is hosted in your perimeter network, can access multiple AD FS-secured applications that are also hosted in your perimeter network by logging on one time from client computers that are located on the Internet. In other words, when you host customer accounts to enable access to applications or services in your perimeter network, customers that you host in an attribute store can access one or more applications or services in the perimeter network simply by logging on once. For more information, see Web SSO Design.

    For example, Fabrikam may want its customers to have single-sign-on (SSO) access to multiple applications or services that are hosted in its perimeter network.

The following components are required for this deployment goal:

  • Active Directory Domain Services (AD DS): The resource partner federation server must be joined to an Active Directory domain.

  • Perimeter DNS: Domain Name System (DNS) should contain a simple host (A) resource record so that client computers can locate the resource partner federation server and the Web server. The DNS server may host other DNS records that are also required in the perimeter network. For more information, see Name Resolution Requirements for Federation Servers.

  • Resource partner federation server: The resource partner federation server validates the AD FS tokens that the account partners send. Account partner discovery is performed through this federation server. For more information, see Review the Role of the Federation Server in the Resource Partner.

  • Web server: The Web server can host either a Web application or a Web service. The Web server confirms that it has received a valid AD FS token from a federated user before it allows access to the protected Web application or Web service.

    By using Windows Identity Foundation (WIF), you can develop your Web application or service so that it accepts federated user logon requests that are made with any standard logon method, such as user name and password.
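As an added check for the component list above (this script is not part of the original page), the following PowerShell, run on the resource partner federation server, verifies that the server is domain-joined, that the DNS host (A) records for the federation server and the Web server resolve, and that both hosts answer on HTTPS. The two host names are placeholders.

```powershell
# Added example: prerequisite check for the components listed above.
# Host names are placeholders; replace them with your own FQDNs.
$FederationServer = 'fs.resource.example'   # placeholder: resource partner federation server
$WebServer        = 'app.resource.example'  # placeholder: Web server hosting the claims-aware app

$results = @()

# 1. AD DS: the federation server must be joined to an Active Directory domain
#    (run this part on the federation server itself).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results += [pscustomobject]@{
    Check  = 'Federation server is joined to an Active Directory domain'
    Passed = [bool]$cs.PartOfDomain
    Detail = if ($cs.PartOfDomain) { $cs.Domain } else { 'Workgroup: ' + $cs.Workgroup }
}

# 2. Perimeter DNS: each name needs a host (A) record that client computers can resolve.
foreach ($name in $FederationServer, $WebServer) {
    $a = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    $results += [pscustomobject]@{
        Check  = "DNS A record for $name"
        Passed = [bool]$a
        Detail = if ($a) { $a.IPAddress -join ', ' } else { 'No A record returned' }
    }
}

# 3. Reachability: the federation server and the Web server are served over TLS,
#    so both must accept connections on TCP 443.
foreach ($name in $FederationServer, $WebServer) {
    $tcp = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "TCP 443 reachable on $name"
        Passed = [bool]$tcp.TcpTestSucceeded
        Detail = if ($tcp.RemoteAddress) { $tcp.RemoteAddress } else { 'No route, or name resolution failed' }
    }
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { Write-Warning 'One or more prerequisites are not met.' }
```

A failed DNS or TCP check here usually shows up to end users as a federation sign-in that never reaches the federation service, so it is worth running from a client network segment as well as from the server.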

After reviewing the information in the linked topics, you can begin deploying this goal by following the steps in Checklist: Implementing a Federated Web SSO Design and Checklist: Implementing a Web SSO Design.

The following illustration shows each of the required components for this AD FS deployment goal.

[Illustration: access to your claims-aware applications and services]

See Also

AD FS Design Guide in Windows Server 2012