Access Control Policies in Windows Server 2016 AD FS

Applies To: Windows Server 2016

Access Control Policy Templates in AD FS

Active Directory Federation Services now supports the use of access control policy templates. By using access control policy templates, an administrator can enforce policy settings by assigning the policy template to a group of relying parties (RPs). Administrators can also update the policy template, and the changes will be applied to the relying parties automatically, with no user interaction needed.

What are Access Control Policy Templates?

The AD FS core pipeline for policy processing has three phases: authentication, authorization, and claim issuance. Currently, AD FS administrators have to configure a policy for each of these phases separately. This also involves understanding the implications of these policies and whether they have inter-dependencies. Also, administrators have to understand the claim rule language and author custom rules to enable some simple or common policies (for example, blocking external access).

Access control policy templates replace this old model, in which administrators had to configure Issuance Authorization Rules using the claims language. The old PowerShell cmdlets for issuance authorization rules still apply, but they are mutually exclusive with the new model. Administrators can choose to use either the new model or the old model. The new model allows administrators to control when to grant access, including enforcing multi-factor authentication.

Access control policy templates use a permit model. This means that by default no one has access, and access must be explicitly granted. However, this is not just an all-or-nothing permit. Administrators can add exceptions to the permit rule. For example, an administrator may wish to grant access based on a specific network by selecting that option and specifying the IP address range. But the administrator may also add an exception; for instance, the administrator may add an exception for a specific network and specify that IP address range.


Built-in access control policy templates vs custom access control policy templates

AD FS includes several built-in access control policy templates. These target some common scenarios which have the same set of policy requirements, for example the client access policy for Office 365. These templates cannot be modified.


To provide increased flexibility to address your business needs, administrators can create their own access policy templates. These can be modified after creation, and changes to a custom policy template will apply to all the RPs which are controlled by that policy template. To add a custom policy template, simply click Add Access Control Policy from within AD FS Management.

To create a policy template, an administrator needs to first specify under which conditions a request will be authorized for token issuance and/or delegation. Condition and action options are shown in the table below. Conditions in bold can be further configured by the administrator with different or new values. The administrator can also specify exceptions, if there are any. When a condition is met, a permit action will not be triggered if an exception is specified and the incoming request matches the condition specified in the exception.

Permit users                                  Except
  From specific network                         From specific network
  From specific groups                          From specific groups
  From devices with specific trust levels       From devices with specific trust levels
  With specific claims in the request           With specific claims in the request
  And require multi-factor authentication

If an administrator selects multiple conditions, they have an AND relationship. Actions are mutually exclusive: for one policy rule you can choose only one action. If an administrator selects multiple exceptions, they have an OR relationship. A couple of policy rule examples are shown below:

Policy: Extranet access requires MFA; all users are permitted
  Rule #1: from extranet, and with MFA -> Permit
  Rule #2: from intranet -> Permit

Policy: External access is not permitted except for non-FTE; intranet access for FTE on a workplace-joined device is permitted
  Rule #1: from extranet, and from non-FTE group -> Permit
  Rule #2: from intranet, and from workplace-joined device, and from FTE group -> Permit

Policy: Extranet access requires MFA except "service admin"; all users are permitted to access
  Rule #1: from extranet, and with MFA -> Permit, except service admin group
  Rule #2: always -> Permit

Policy: A non-workplace-joined device accessing from the extranet requires MFA; permit AD Fabric for intranet and extranet access
  Rule #1: from intranet, and from AD Fabric group -> Permit
  Rule #2: from extranet, and from non-workplace-joined device, and from AD Fabric group, and with MFA -> Permit
  Rule #3: from extranet, and from workplace-joined device, and from AD Fabric group -> Permit

Parameterized policy template vs non-parameterized policy template

Access control policies can be

A parameterized policy template is a policy template that has parameters. An administrator needs to input the values for those parameters when assigning this template to RPs. An administrator cannot make changes to a parameterized policy template after it has been created. An example of a parameterized policy is the built-in policy "Permit specific group". Whenever this policy is applied to an RP, this parameter needs to be specified.


A non-parameterized policy template is a policy template that does not have parameters. An administrator can assign this template to RPs without any input needed, and can make changes to a non-parameterized policy template after it has been created. An example of this is the built-in policy "Permit everyone and require MFA".
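The rule semantics described above (conditions in a rule are ANDed, exceptions are ORed and cancel that rule's permit, rules are ORed, and nothing is permitted by default) and the difference between a parameterized and a non-parameterized template can be made concrete with a small model. The following is an added example, not AD FS code or Microsoft's policy engine: it evaluates two of the example policies from the table above against constructed requests, and binds the built-in "Permit specific group" template to an RP with its parameter supplied at assignment time. The request fields, the trust-level ordering, the group names, and the treatment of "require MFA" as a flag on the decision rather than a denial are all assumptions made for the example.

```python
"""Model of the access-control-policy semantics this page describes.

Added example, not AD FS code. Encodes: conditions in a rule are ANDed,
exceptions are ORed and cancel that rule's permit, rules are ORed, and
nothing is permitted unless a rule permits it. "Require MFA" on a
matching rule is modelled as marking the decision MFA-required (real
AD FS would challenge the user); that interpretation is an assumption.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    """What a policy sees about one token request (constructed shape)."""
    network: str                                   # "intranet" or "extranet"
    groups: List[str] = field(default_factory=list)
    device_trust: str = "none"                     # "none", "authenticated" or "managed"
    claims: Dict[str, str] = field(default_factory=dict)


Condition = Callable[[Request], bool]
TRUST_LEVELS = ["none", "authenticated", "managed"]   # assumed ordering for the example


# One condition builder per row of the condition table above.
def from_network(name: str) -> Condition:
    return lambda r: r.network == name


def from_group(name: str) -> Condition:
    return lambda r: name in r.groups


def from_device_with_trust(level: str) -> Condition:
    # "workplace joined" is modelled here as trust level "authenticated" or higher
    return lambda r: TRUST_LEVELS.index(r.device_trust) >= TRUST_LEVELS.index(level)


def with_claim(claim_type: str, value: str) -> Condition:
    return lambda r: r.claims.get(claim_type) == value


@dataclass
class Rule:
    conditions: List[Condition]                                 # all must hold (AND)
    exceptions: List[Condition] = field(default_factory=list)   # any one blocks the permit (OR)
    require_mfa: bool = False                                   # "Permit and require MFA" action

    def matches(self, req: Request) -> bool:
        if not all(c(req) for c in self.conditions):
            return False
        return not any(e(req) for e in self.exceptions)


@dataclass
class Decision:
    permit: bool
    mfa_required: bool


@dataclass
class Policy:
    name: str
    rules: List[Rule]

    def evaluate(self, req: Request) -> Decision:
        """Permit model: denied unless some rule matches; MFA if any matching rule requires it."""
        matched = [rule for rule in self.rules if rule.matches(req)]
        return Decision(permit=bool(matched), mfa_required=any(r.require_mfa for r in matched))


# Third example from the table: extranet access requires MFA except "service admin".
EXTRANET_MFA_EXCEPT_SERVICE_ADMIN = Policy(
    "Extranet access requires MFA except service admin",
    [
        Rule([from_network("extranet")], exceptions=[from_group("service admin")], require_mfa=True),
        Rule([]),  # Rule #2: always -> Permit (no conditions, so it always matches)
    ],
)

# Second example from the table: extranet only for non-FTE; intranet for FTE on workplace-joined devices.
FTE_POLICY = Policy(
    "External access not permitted except non-FTE",
    [
        Rule([from_network("extranet"), from_group("non-FTE")]),
        Rule([from_network("intranet"), from_device_with_trust("authenticated"), from_group("FTE")]),
    ],
)


@dataclass
class PolicyTemplate:
    """A reusable template; `parameters` names the values supplied when it is assigned to an RP."""
    name: str
    build: Callable[..., Policy]
    parameters: Tuple[str, ...] = ()   # empty tuple => non-parameterized template


# Built-in "Permit specific group" is parameterized: the group is given at assignment time.
PERMIT_SPECIFIC_GROUP = PolicyTemplate(
    "Permit specific group",
    lambda group: Policy("Permit specific group", [Rule([from_group(group)])]),
    parameters=("group",),
)


def assign(template: PolicyTemplate, **params: str) -> Policy:
    """Bind a template to an RP; a parameterized template refuses assignment without its values."""
    missing = sorted(set(template.parameters) - set(params))
    if missing:
        raise ValueError(f"template {template.name!r} needs parameters: {missing}")
    return template.build(**params)


if __name__ == "__main__":
    print(EXTRANET_MFA_EXCEPT_SERVICE_ADMIN.evaluate(Request("extranet", groups=["staff"])))
    print(assign(PERMIT_SPECIFIC_GROUP, group="Finance").evaluate(Request("intranet", groups=["HR"])))
```

A rule with no conditions is how the model expresses the table's "always" rule; the service-admin exception only removes Rule #1's MFA requirement, while Rule #2 still grants access, which is the point of the "except" column.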


How to create a non-parameterized access control policy

To create a non-parameterized access control policy, use the following procedure.

To create a non-parameterized access control policy

  1. From AD FS Management, on the left select Access Control Policies, and on the right click Add Access Control Policy.

  2. Enter a name and a description. For example: Permit users with authenticated devices.

  3. Under Permit access if any of the following rules are met, click Add.

  4. Under Permit, place a check in the box next to from devices with specific trust level.

  5. At the bottom, select the underlined specific.

  6. From the window that pops up, select authenticated from the drop-down. Click OK.


  7. Click OK. Click OK.


How to create a parameterized access control policy

To create a parameterized access control policy, use the following procedure.

To create a parameterized access control policy

  1. From AD FS Management, on the left select Access Control Policies, and on the right click Add Access Control Policy.

  2. Enter a name and a description. For example: Permit users with a specific claim.

  3. Under Permit access if any of the following rules are met, click Add.

  4. Under Permit, place a check in the box next to with specific claims in the request.

  5. At the bottom, select the underlined specific.

  6. From the window that pops up, select Parameter specified when the access control policy is assigned. Click OK.


  7. Click OK. Click OK.


How to create a custom access control policy with an exception

To create an access control policy with an exception, use the following procedure.

To create a custom access control policy with an exception

  1. From AD FS Management, on the left select Access Control Policies, and on the right click Add Access Control Policy.

  2. Enter a name and a description. For example: Permit users with authenticated devices but not managed.

  3. Under Permit access if any of the following rules are met, click Add.

  4. Under Permit, place a check in the box next to from devices with specific trust level.

  5. At the bottom, select the underlined specific.

  6. From the window that pops up, select authenticated from the drop-down. Click OK.

  7. Under Except, place a check in the box next to from devices with specific trust level.

  8. At the bottom, under Except, select the underlined specific.

  9. From the window that pops up, select managed from the drop-down. Click OK.

  10. Click OK. Click OK.


How to create a custom access control policy with multiple permit conditions

To create an access control policy with multiple permit conditions, use the following procedure.

To create a custom access control policy with multiple permit conditions

  1. From AD FS Management, on the left select Access Control Policies, and on the right click Add Access Control Policy.

  2. Enter a name and a description. For example: Permit users with a specific claim and from a specific group.

  3. Under Permit access if any of the following rules are met, click Add.

  4. Under Permit, place a check in the box next to from a specific group and next to with specific claims in the request.

  5. At the bottom, select the underlined specific for the first condition, next to groups.

  6. From the window that pops up, select Parameter specified when the policy is assigned. Click OK.

  7. At the bottom, select the underlined specific for the second condition, next to claims.

  8. From the window that pops up, select Parameter specified when the access control policy is assigned. Click OK.

  9. Click OK. Click OK.


How to assign an access control policy to a new application

Assigning an access control policy to a new application is straightforward and has now been integrated into the wizard for adding an RP. From the Relying Party Trust Wizard you can select the access control policy that you wish to assign. This is a requirement when creating a new relying party trust.


How to assign an access control policy to an existing application

To assign an access control policy to an existing application, simply select the application from Relying Party Trusts and on the right click Edit Access Control Policy.


From here you can select the access control policy and apply it to the application.


See Also

AD FS Operations