Create a Relying Party Trust

Applies To: Windows Server 2016, Windows Server 2012 R2

The following document provides information on creating a relying party trust manually and using federation metadata.

To create a claims aware Relying Party Trust manually

To add a new relying party trust by using the AD FS Management snap-in and manually configure the settings, perform the following procedure on a federation server.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. Under Actions, click Add Relying Party Trust.

  3. On the Welcome page, choose Claims aware and click Start.

  4. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.

  5. On the Specify Display Name page, type a name in Display name, under Notes type a description for this relying party trust, and then click Next.

  6. On the Configure Certificate page, if you have an optional token encryption certificate, click Browse to locate a certificate file, and then click Next.

  7. On the Configure URL page, do one or both of the following, click Next, and then go to step 8:

    • Select the Enable support for the WS-Federation Passive protocol check box. Under Relying party WS-Federation Passive protocol URL, type the URL for this relying party trust, and then click Next.

    • Select the Enable support for the SAML 2.0 WebSSO protocol check box. Under Relying party SAML 2.0 SSO service URL, type the Security Assertion Markup Language (SAML) service endpoint URL for this relying party trust, and then click Next.

  8. On the Configure Identifiers page, specify one or more identifiers for this relying party, click Add to add them to the list, and then click Next.

  9. On the Choose Access Control Policy page, select a policy and click Next. For more information about Access Control Policies, see Access Control Policies in AD FS.

  10. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.

  11. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box.
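The same manual procedure, scripted with the AD FS PowerShell module so that it can be reviewed and repeated. This is an added example and not part of the original article; it assumes the AD FS role is installed on the server where it runs, and every display name, identifier, endpoint URL, certificate path and policy name below is a hypothetical placeholder to be replaced with your own values.

```powershell
# Added example: create a claims-aware relying party trust with the same
# settings the wizard collects in steps 5 to 9. All values are placeholders.
Import-Module ADFS

$displayName = 'Contoso Expense App'                          # step 5, Display name (hypothetical)
$notes       = 'Expense application, owned by the finance team' # step 5, Notes (hypothetical)
$identifier  = 'https://expenses.contoso.example/'            # step 8, relying party identifier (hypothetical)
$wsFedUrl    = 'https://expenses.contoso.example/wsfed/'      # step 7, WS-Federation passive URL (hypothetical)
$samlAcsUrl  = 'https://expenses.contoso.example/saml/acs'    # step 7, SAML 2.0 SSO service URL (hypothetical)

# Step 6: the token encryption certificate is optional. Load it from a .cer
# file only when one is present; otherwise the trust is created without it.
$encCert     = $null
$encCertPath = 'C:\certs\expenses-token-encryption.cer'       # hypothetical path
if (Test-Path $encCertPath) {
    $encCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $encCertPath
}

# Step 7: the SAML endpoint is an object; POST binding to the assertion consumer service.
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $samlAcsUrl

# Step 9: 'Permit everyone' is one of the built-in AD FS 2016 access control
# policies; substitute the policy your organization requires for this application.
$params = @{
    Name                    = $displayName
    Notes                   = $notes
    Identifier              = $identifier
    WSFedEndpoint           = $wsFedUrl
    SamlEndpoint            = $samlEndpoint
    AccessControlPolicyName = 'Permit everyone'
}
if ($encCert) { $params.EncryptionCertificate = $encCert }

Add-AdfsRelyingPartyTrust @params

# Step 10 equivalent: review what was actually stored before handing the
# trust to claim-rule configuration.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, WSFedEndpoint, SamlEndpoints, AccessControlPolicyName, EncryptionCertificate
```

Because the wizard lets you enable either protocol or both, drop the `WSFedEndpoint` or `SamlEndpoint` entry from the hashtable when the application uses only one of them; the identifier must still match exactly what the application sends as its realm or SAML issuer, which is the usual cause of a trust that is created successfully but never matched at sign-in.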

To create a claims aware Relying Party Trust using federation metadata

To add a new relying party trust, using the AD FS Management snap-in, by automatically importing configuration data about the partner from federation metadata that the partner published to a local network or to the Internet, perform the following procedure on a federation server in the account partner organization.

Note

Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these certificates have no security value and can enable an attacker to impersonate a Federation Service that is publishing federation metadata. Therefore, when querying federation metadata, you should only use a fully qualified domain name such as https://myserver.contoso.com.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. Under Actions, click Add Relying Party Trust.

  3. On the Welcome page, choose Claims aware and click Start.

  4. On the Select Data Source page, click Import data about the relying party published online or on a local network. In Federation metadata address (host name or URL), type the federation metadata URL or host name for the partner, and then click Next.

  5. On the Specify Display Name page, type a name in Display name, under Notes type a description for this relying party trust, and then click Next.

  6. On the Choose Issuance Authorization Rules page, select either Permit all users to access this relying party or Deny all users access to this relying party, and then click Next.

  7. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.

  8. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box. For more information about how to proceed with adding claim rules for this relying party trust, see the Additional references.
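The metadata-based procedure, scripted with the AD FS PowerShell module and with the check from the note above built in: the script refuses a metadata address that is not HTTPS or whose host name is unqualified, since such a name is exactly what an impersonated Federation Service relies on. This is an added example and not part of the original article; it assumes the AD FS role is installed locally, and the partner metadata URL and display name are hypothetical placeholders.

```powershell
# Added example: import a relying party trust from partner federation metadata,
# enforcing the FQDN-over-HTTPS requirement before AD FS fetches anything.
Import-Module ADFS

$metadataUrl = 'https://fs.partner.example/FederationMetadata/2007-06/FederationMetadata.xml'  # hypothetical
$displayName = 'Partner Portal'                                                                # hypothetical

# Returns $true only for an https:// URL whose host part contains at least one
# dot, so https://myserver is rejected while https://myserver.contoso.com passes.
function Test-MetadataUrlIsQualified {
    param([Parameter(Mandatory)][string]$Url)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -ne 'https') { return $false }
    return ($uri.Host -match '^[^.]+(\.[^.]+)+$')
}

if (-not (Test-MetadataUrlIsQualified -Url $metadataUrl)) {
    throw "Refusing to import metadata from '$metadataUrl': use an HTTPS URL with a fully qualified domain name."
}

# Step 4: AD FS downloads and parses the metadata itself. Monitoring and
# auto-update keep the trust aligned with the partner's published certificates.
Add-AdfsRelyingPartyTrust -Name $displayName `
                          -MetadataUrl $metadataUrl `
                          -Notes 'Imported from partner federation metadata' `
                          -MonitoringEnabled $true `
                          -AutoUpdateEnabled $true

# Step 6: issuance authorization rules. These are the rule-language forms of
# the two wizard choices; apply exactly one of them.
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$denyAll   = '@RuleTemplate = "DenyAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");'
Set-AdfsRelyingPartyTrust -TargetName $displayName -IssuanceAuthorizationRules $permitAll

# Step 7 equivalent: confirm what was imported, in particular the identifier
# and signing certificate that came from the partner's metadata.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled, RequestSigningCertificate
```

Keep the URL check even when the address is typed into the wizard by hand: the import establishes which signing certificate AD FS will trust for this partner, so the transport used to fetch the metadata is the whole basis of that trust.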

See Also

AD FS Operations