Create a Rule to Send an Authentication Method Claim

Applies To: Windows Server 2016, Windows Server 2012 R2

You can use either the Send Group Membership as a Claim rule template or the Transform an Incoming Claim rule template to send an authentication method claim. The relying party can use an authentication method claim to determine the logon mechanism that the user used to authenticate and obtain claims from Active Directory Federation Services (AD FS). You can also use the Authentication Mechanism Assurance feature of AD FS in Windows Server 2012 R2 as input to generate authentication method claims for situations in which the relying party wants to determine the level of access based on smart card logons. For example, a developer can assign different levels of access to federated users of the relying party application, depending on whether the users logged on with their user name and password credentials or with their smart cards.

Depending on the requirements of your organization, use one of the following procedures:

  • Create this rule by using the Send Group Membership as Claims rule template - Use this rule template when you want membership in the group that you specify in the template to determine which authentication method claim is issued.

  • Create this rule by using the Transform an Incoming Claim rule template - Use this rule template when you want to change the existing authentication method value to a new value that works with a product that does not recognize the standard AD FS authentication method claims.

To create this rule by using the Send Group Membership as Claims rule template on a Relying Party Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Relying Party Trusts.

  3. Right-click the selected trust, and then click Edit Claim Issuance Policy.

  4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Send Group Membership as a Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. Click Browse, select the group whose members should receive this authentication method claim, and then click OK.

  8. In Outgoing claim type, select Authentication method in the list.

  9. In Outgoing claim value, type one of the default uniform resource identifier (URI) values in the following table, depending on your preferred authentication method, click Finish, and then click OK to save the rule.

Actual authentication method                                                       Corresponding URI
---------------------------------------------------------------------------------  -------------------------------------------------------------------------------
User name and password authentication                                              http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication                                                             http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
Transport Layer Security (TLS) mutual authentication that uses X.509 certificates  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS                                   http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

To create this rule by using the Send Group Membership as Claims rule template on a Claims Provider Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Claims Provider Trusts.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Send Group Membership as a Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. Click Browse, select the group whose members should receive this authentication method claim, and then click OK.

  8. In Outgoing claim type, select Authentication method in the list.

  9. In Outgoing claim value, type one of the default uniform resource identifier (URI) values in the following table, depending on your preferred authentication method, click Finish, and then click OK to save the rule.

Actual authentication method                                                       Corresponding URI
---------------------------------------------------------------------------------  -------------------------------------------------------------------------------
User name and password authentication                                              http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication                                                             http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
Transport Layer Security (TLS) mutual authentication that uses X.509 certificates  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS                                   http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

To create this rule by using the Transform an Incoming Claim rule template on a Relying Party Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Relying Party Trusts.

  3. Right-click the selected trust, and then click Edit Claim Issuance Policy.

  4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select Authentication method in the list.

  8. In Outgoing claim type, select Authentication method in the list.

  9. Select Replace an incoming claim value with a different outgoing claim value, and then do the following:

    1. In Incoming claim value, type one of the following URI values, based on the authentication method URI that was actually used originally, click Finish, and then click OK to save the rule.

    2. In Outgoing claim value, type one of the default URI values in the following table, depending on your new preferred authentication method, click Finish, and then click OK to save the rule.

Actual authentication method                            Corresponding URI
------------------------------------------------------  -------------------------------------------------------------------------------
User name and password authentication                   http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication                                  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
TLS mutual authentication that uses X.509 certificates  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS        http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

Note

Other URI values can be used in addition to the values in the table. The URI values that are shown in the previous table reflect the URIs that the relying party accepts by default.
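The Send Group Membership as Claims procedure and the Transform an Incoming Claim procedure above each produce a rule in the AD FS claim rule language. As an added example that is not from this page, the following PowerShell creates both kinds of rule on a relying party trust with the AD FS module; the trust name, the group SID and the product-specific outgoing URI are assumed placeholders.

```powershell
# Added example, not from the original page: claim-rule-language equivalents of the
# two wizard procedures, appended to a relying party trust with the AD FS module.
Import-Module ADFS

$rpName         = "Example RP"                 # assumption: display name of the relying party trust
$authMethodType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$groupSid       = "S-1-5-21-PLACEHOLDER-1234"  # placeholder: SID of the group whose members
                                               # should receive the authentication method claim
$legacyUri      = "urn:example:authmethod:password"  # placeholder: URI the legacy product understands

# Rule 1: equivalent of "Send Group Membership as a Claim". Members of $groupSid are issued an
# authentication method claim carrying the tlsclient URI from the table.
$groupRule = @"
@RuleName = "Group membership -> authentication method"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$authMethodType", Value = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Rule 2: equivalent of "Transform an Incoming Claim". Replaces the standard password URI with
# the value a product that does not recognize the standard URIs expects. The mapping only
# relabels the value; the user still authenticated with a password, so map password to a
# value the relying party treats as password-level, not to tlsclient or x509.
$transformRule = @"
@RuleName = "Rewrite authentication method for legacy relying party"
c:[Type == "$authMethodType", Value == "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"]
 => issue(Type = "$authMethodType", Value = "$legacyUri", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Append to the trust's existing issuance transform rules instead of replacing them.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`r`n" + $groupRule + "`r`n" + $transformRule)

# Check: read the rule set back and confirm both rule names were saved.
$rules = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
foreach ($name in "Group membership -> authentication method", "Rewrite authentication method for legacy relying party") {
    if ($rules -notmatch [regex]::Escape($name)) { throw "Rule '$name' was not saved" }
}
```

For a claims provider trust the same rule text goes into the acceptance transform rule set instead, via Set-AdfsClaimsProviderTrust -TargetName and -AcceptanceTransformRules.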

To create this rule by using the Transform an Incoming Claim rule template on a Claims Provider Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Claims Provider Trusts.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select Authentication method in the list.

  8. In Outgoing claim type, select Authentication method in the list.

  9. Select Replace an incoming claim value with a different outgoing claim value, and then do the following:

    1. In Incoming claim value, type one of the following URI values, based on the authentication method URI that was actually used originally, click Finish, and then click OK to save the rule.

    2. In Outgoing claim value, type one of the default URI values in the following table, depending on your new preferred authentication method, click Finish, and then click OK to save the rule.

Actual authentication method                            Corresponding URI
------------------------------------------------------  -------------------------------------------------------------------------------
User name and password authentication                   http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication                                  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
TLS mutual authentication that uses X.509 certificates  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS        http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

To create this rule by using the Send Group Membership as Claims rule template in Windows Server 2012 R2

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click either Claims Provider Trusts or Relying Party Trusts, and then click the specific trust in the list where you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, select one of the following tabs, depending on the trust that you are editing and the rule set in which you want to create this rule, and then click Add Rule to start the rule wizard that is associated with that rule set:

    • Acceptance Transform Rules

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules

  5. On the Select Rule Template page, under Claim rule template, select Send Group Membership as a Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. Click Browse, select the group whose members should receive this authentication method claim, and then click OK.

  8. In Outgoing claim type, select Authentication method in the list.

  9. In Outgoing claim value, type one of the default uniform resource identifier (URI) values in the following table, depending on your preferred authentication method, click Finish, and then click OK to save the rule.

Actual authentication method                                                       Corresponding URI
---------------------------------------------------------------------------------  -------------------------------------------------------------------------------
User name and password authentication                                              http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication                                                             http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
Transport Layer Security (TLS) mutual authentication that uses X.509 certificates  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS                                   http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

Note

Other URI values can be used in addition to the values in the table. The URI values that are shown in the previous table reflect the URIs that the relying party accepts by default.

To create this rule by using the Transform an Incoming Claim rule template in Windows Server 2012 R2

  1. In Server Manager, click Tools, and then click AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click either Claims Provider Trusts or Relying Party Trusts, and then click the specific trust in the list where you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, select one of the following tabs, depending on the trust that you are editing and the rule set in which you want to create this rule, and then click Add Rule to start the rule wizard that is associated with that rule set:

    • Acceptance Transform Rules

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules

  5. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select Authentication method in the list.

  8. In Outgoing claim type, select Authentication method in the list.

  9. Select Replace an incoming claim value with a different outgoing claim value, and then do the following:

    1. In Incoming claim value, type one of the following URI values, based on the authentication method URI that was actually used originally, click Finish, and then click OK to save the rule.

    2. In Outgoing claim value, type one of the default URI values in the following table, depending on your new preferred authentication method, click Finish, and then click OK to save the rule.

Actual authentication method                            Corresponding URI
------------------------------------------------------  -------------------------------------------------------------------------------
User name and password authentication                   http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication                                  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
TLS mutual authentication that uses X.509 certificates  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS        http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

Note

Other URI values can be used in addition to the values in the table. The URI values that are shown in the previous table reflect the URIs that the relying party accepts by default.

Additional references

Configure Claim Rules

Checklist: Creating Claim Rules for a Relying Party Trust

Checklist: Creating Claim Rules for a Claims Provider Trust

When to Use an Authorization Claim Rule

The Role of Claims

The Role of Claim Rules