Home Realm Discovery Customization

Applies To: Windows Server 2016, Windows Server 2012 R2

When the AD FS client first requests a resource, the resource federation server has no information about the realm of the client. The resource federation server responds to the AD FS client with a Client Realm Discovery page, where the user selects the home realm from a list. The list values are populated from the display name property in the Claims Provider Trusts. Use the following Windows PowerShell cmdlets to modify and customize the AD FS Home Realm Discovery experience.

Warning

Be aware that the Claims Provider name that shows up for local Active Directory is the federation service display name.

Configure Identity Provider to use certain email suffixes

An organization can federate with multiple claims providers. AD FS now provides the in-box capability for administrators to list the suffixes, for example, @us.contoso.com, @eu.contoso.com, that are supported by a claims provider and to enable it for suffix-based discovery. With this configuration, end users can type in their organizational account, and AD FS automatically selects the corresponding claims provider.

To configure an identity provider (IDP), such as fabrikam, to use certain email suffixes, use the following Windows PowerShell cmdlet and syntax.

Set-AdfsClaimsProviderTrust -TargetName fabrikam -OrganizationalAccountSuffix @("fabrikam.com";"fabrikam2.com")

Configure an identity provider list per relying party

For some scenarios, an organization might want end users to see only the claims providers that are specific to an application, so that only a subset of claims providers is displayed on the home realm discovery page.

To configure an IDP list per relying party (RP), use the following Windows PowerShell cmdlet and syntax.

Set-AdfsRelyingPartyTrust -TargetName claimapp -ClaimsProviderName @("Fabrikam","Active Directory")

Bypass Home Realm Discovery for the intranet

Most organizations only support their local Active Directory for any user who accesses from inside their firewall. In those cases, administrators can configure AD FS to bypass home realm discovery for the intranet.

To bypass HRD for the intranet, use the following Windows PowerShell cmdlet and syntax.

Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

Important

Please note that if an identity provider list for a relying party has been configured, even though the previous setting has been enabled and the user accesses from the intranet, AD FS still shows the home realm discovery (HRD) page. To bypass HRD in this case, you have to ensure that "Active Directory" is also added to the IDP list for this relying party.
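
The following audit script is an added example, not part of the original page. It applies the rule stated in the note above to the current configuration and reports which relying parties will still show the HRD page to intranet users. It assumes it runs on an AD FS server with the ADFS module available; the variable names and report column names are illustrative.

```powershell
# Added example: audit how the three HRD settings on this page interact.
Import-Module ADFS

# Name of the local directory in a relying party's IDP list, as used in the page's example.
$localProvider = 'Active Directory'

# Farm-wide intranet bypass setting (Set-AdfsProperties -IntranetUseLocalClaimsProvider).
$bypassEnabled = [bool](Get-AdfsProperties).IntranetUseLocalClaimsProvider

$report = foreach ($rp in Get-AdfsRelyingPartyTrust) {
    # Drop null/empty entries so an unset list counts as "no per-RP list".
    $idpList = @($rp.ClaimsProviderName | Where-Object { $_ })
    $hasList = $idpList.Count -gt 0

    # Rule from the note above: with a per-RP list configured, the intranet
    # bypass only takes effect if the local provider is also in that list.
    $bypasses = $bypassEnabled -and ((-not $hasList) -or ($idpList -contains $localProvider))

    [pscustomobject]@{
        RelyingParty        = $rp.Name
        IdpList             = $idpList -join ', '
        IntranetBypassesHrd = $bypasses
    }
}

"IntranetUseLocalClaimsProvider = $bypassEnabled"
$report | Sort-Object IntranetBypassesHrd, RelyingParty | Format-Table -AutoSize

# Suffix-based discovery: list which claims provider each email suffix routes to,
# so unexpected or stale suffix assignments are easy to spot in review.
Get-AdfsClaimsProviderTrust |
    Where-Object { $_.OrganizationalAccountSuffix } |
    Select-Object Name, @{ Name = 'Suffixes'; Expression = { $_.OrganizationalAccountSuffix -join ', ' } } |
    Format-Table -AutoSize
```

Rows with IntranetBypassesHrd set to False while the farm-wide setting is True are the relying parties whose IDP list lacks "Active Directory".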

Additional references

AD FS User Sign-in Customization