Create a Rule to Send LDAP Attributes as Claims

Applies To: Windows Server 2016, Windows Server 2012 R2

Using the Send LDAP Attributes as Claims rule template in Active Directory Federation Services (AD FS), you can create a rule that selects attributes from a Lightweight Directory Access Protocol (LDAP) attribute store, such as Active Directory, and sends them as claims to the relying party. For example, you can use this rule template to create a Send LDAP Attributes as Claims rule that extracts attribute values for authenticated users from the displayName and telephoneNumber Active Directory attributes and then sends those values as two different outgoing claims.

You can also use this rule to send all of the user's group memberships. If you want to send only individual group memberships, use the Send Group Membership as a Claim rule template. You can use the following procedure to create a claim rule with the AD FS Management snap-in.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To create a rule to send LDAP attributes as claims for a Relying Party Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Relying Party Trusts.

  3. Right-click the selected trust, and then click Edit Claim Issuance Policy.

  4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.

  6. On the Configure Rule page, under Claim rule name, type the display name for this rule, select the Attribute store, and then select the LDAP attribute and map it to the outgoing claim type.

  7. Click the Finish button.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.

To create a rule to send LDAP attributes as claims for a Claims Provider Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Claims Provider Trusts.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.

  6. On the Configure Rule page, under Claim rule name, type the display name for this rule, select the Attribute store, and then select the LDAP attribute and map it to the outgoing claim type.

  7. Click the Finish button.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.

To create a rule to send LDAP attributes as claims for Windows Server 2012 R2

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click either Claims Provider Trusts or Relying Party Trusts, and then click the specific trust in the list where you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, select one of the following tabs, depending on the trust that you are editing and the rule set in which you want to create this rule, and then click Add Rule to start the rule wizard that is associated with that rule set:

    • Acceptance Transform Rules

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules

  5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.

  6. On the Configure Rule page, under Claim rule name, type the display name for this rule; under Attribute store, select Active Directory; and under Mapping of LDAP attributes to outgoing claim types, select the desired LDAP Attribute and the corresponding Outgoing Claim Type from the drop-down lists.

    You have to select a new LDAP attribute and outgoing claim type pair on a different row for each Active Directory attribute that you want to issue a claim for as part of this rule.

  7. Click the Finish button.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.
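The three procedures above all produce the same kind of rule, so the following added example (not code from the original page or from Microsoft) shows the equivalent from PowerShell for both trust types: the claim-rule-language text that the Send LDAP Attributes as Claims template generates for the displayName and telephoneNumber attributes from the introduction, appended to a relying party trust's Issuance Transform Rules and to a claims provider trust's Acceptance Transform Rules. The trust names "Contoso App" and "Fabrikam IdP" are placeholders, and mapping telephoneNumber to the built-in Other Phone claim type is an assumption made here; pick whichever outgoing claim type the relying party expects. The Set-Adfs*Trust cmdlets replace the whole rule set, so the script reads the existing rules first and appends instead of overwriting them.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell session on an AD FS server.
# Trust names are placeholders; replace them with the trusts you are editing.
Import-Module ADFS

# Rule text in the shape the "Send LDAP Attributes as Claims" template writes:
# for a user authenticated by Active Directory, look up displayName and telephoneNumber
# and issue them as two outgoing claims. {0} is replaced with the windowsaccountname value.
# The Other Phone claim type for telephoneNumber is an assumption made for this example.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send display name and phone number"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone"), query = ";displayName,telephoneNumber;{0}", param = c.Value);
'@

function Add-ClaimRuleText {
    # Append a new rule to an existing rule set; Set-Adfs*Trust replaces the entire set,
    # so passing only the new rule would silently drop every rule already configured.
    param([string]$Existing, [string]$New)
    if ([string]::IsNullOrWhiteSpace($Existing)) { return $New }
    return $Existing.TrimEnd() + "`r`n`r`n" + $New
}

# Relying party trust: the rule belongs in Issuance Transform Rules.
$rpName = "Contoso App"   # placeholder
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rpRules = Add-ClaimRuleText -Existing $rp.IssuanceTransformRules -New $ldapRule
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rpRules

# Claims provider trust: the rule belongs in Acceptance Transform Rules.
$cpName = "Fabrikam IdP"  # placeholder
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
$cpRules = Add-ClaimRuleText -Existing $cp.AcceptanceTransformRules -New $ldapRule
Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $cpRules

# Check: the existing rules are still present and the new rule appears once in each set.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
(Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
```

The @RuleTemplate and @RuleName lines are the annotations the wizard adds so that the rule reopens in the template editor rather than as a custom rule; they are optional for the rule to work. Every attribute listed in the query must have a matching entry in the types list, in the same order, which is the same one-row-per-attribute pairing the Configure Rule page enforces.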

Additional references

Configure Claim Rules

Checklist: Creating Claim Rules for a Relying Party Trust

Checklist: Creating Claim Rules for a Claims Provider Trust

When to Use an Authorization Claim Rule

The Role of Claims

The Role of Claim Rules