Determine the Type of Claim Rule Template to Use

Applies To: Windows Server 2016, Windows Server 2012 R2

An important part of designing an Active Directory Federation Services (AD FS) infrastructure is determining the complete set of claim rules, and the corresponding claim rule templates you should use to create them, for each partner that will participate in federation with your organization. You create rules by using claim rule templates in the AD FS Management snap-in.

Each set of claim rules you configure can only be associated with one federated trust. This means that you cannot create a set of rules on one trust and use them for other trusts in your Federation Service. Instead, you can create rules from claim rule templates to more quickly produce the set of claims that has been agreed upon between each federated partner and your organization.

For more information about rules and rule templates, see The Role of Claim Rules.

Before you begin to determine the types of claim rule templates you should use, consider the following questions:

  • What claims will be provided by your trusted claims providers?

  • What claims do you trust from each claims provider?

  • What claims are required by the relying parties that trust this Federation Service?

  • What claims are you willing to divulge to each relying party?

  • Which users should have access to each relying party?

Answering these questions will help you plan a solid claim rule design. It will also help you create a smooth authorization and access control strategy and make your deployment team more efficient during the rollout.

The next section describes the types of rule templates to select for your environment based on your business needs.

Claim rule template types

The following table describes all of the types of claim rule templates that you can use to create rules in the AD FS Management snap-in, and the advantages and disadvantages of using one template type over another.

Rule template type: Pass Through or Filter an Incoming Claim
  Description: Used to create a rule that will pass through all claim values for a selected claim type, or filter claims based on the claim values so that only certain claim values for a selected claim type will pass through. For more information, see When to Use a Pass Through or Filter Claim Rule.
  Advantages:
  • Can be used to select particular claims to be accepted or issued unchanged
  Disadvantages:
  • Claim type and value cannot be changed

Rule template type: Transform an Incoming Claim
  Description: Used to create a rule that can select an incoming claim and map it to a different claim type, or map its claim value to a new claim value. For more information, see When to Use a Transform Claim Rule.
  Advantages:
  • Can be used to normalize claim types or values
  • Can replace an e-mail suffix of an incoming claim
  Disadvantages:
  • More complex string replacements require a custom rule

Rule template type: Send LDAP Attributes as Claims
  Description: Used to create a rule that will select attributes from an LDAP attribute store to send as claims to the relying party. For more information, see When to Use a Send LDAP Attributes as Claims Rule.
  Advantages:
  • Can source claims from any AD DS/AD LDS attribute store
  • Multiple claims can be issued using a single rule
  Disadvantages:
  • Performance: slow as a result of the account lookup
  • Cannot use a custom LDAP filter for querying

Rule template type: Send Group Membership as a Claim
  Description: Used to create a rule that can send a specified claim type and value when a user is a member of an Active Directory security group. Only a single claim will be sent using this rule, based on the group that you select. For more information, see When to Use a Send Group Membership as a Claim Rule.
  Advantages:
  • Fast performance for issuing group claims: no account lookup
  Disadvantages:
  • User must be a member of a local Active Directory group

Rule template type: Send Claims Using a Custom Rule
  Description: Used to create a custom rule that provides more advanced options than a standard rule template. You write custom rules with the AD FS claim rule language. For more information, see When to Use a Custom Claim Rule.
  Advantages:
  • Can be used to source claims from an SQL attribute store
  • Can be used to specify a custom LDAP filter
  • Can be used to issue a PPID
  • Can be used with a custom attribute store
  • Can be used to add claims only to the input claim set
  • Can be used to send claims based on more than one incoming claim
  Disadvantages:
  • More difficult to configure: some ramp-up time may be needed to initially gain knowledge of the claim rule language

Rule template type: Permit or Deny Users Based on an Incoming Claim
  Description: Used to create a rule that will permit or deny access by users to the relying party, based on the type and value of an incoming claim. For more information, see When to Use an Authorization Claim Rule.
  Advantages:
  • Simplifies the authorization process
  Disadvantages:
  • Requires that only one claim type and one claim value be specified
  • Does not support pattern matching for claim values

Rule template type: Permit All Users
  Description: Used to create a rule that will permit all users to access the relying party. For more information, see When to Use an Authorization Claim Rule.
  Advantages:
  • Simple to configure
  Disadvantages:
  • Less secure than using the Permit or Deny Users Based on an Incoming Claim template
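The following PowerShell, added here as an illustration and not taken from this page or from AD FS itself, writes one issuance transform rule per template type in the table (filter, transform, LDAP attributes, group membership, and two custom rules that cover what the LDAP and group templates cannot express) in the AD FS claim rule language and applies them with Set-AdfsRelyingPartyTrust. The trust name "Fabrikam Portal", the group SID, the group DN and the contoso.com/fabrikam.com suffixes are assumed placeholder values.

```powershell
# Added example (not from the original page): issuance transform rules in the
# AD FS claim rule language, one per template type, applied to a relying party
# trust. Trust name, group SID, group DN and domain suffixes are constructed
# placeholders; replace them with your own values.
Import-Module ADFS

$claims = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$ms     = 'http://schemas.microsoft.com/ws/2008/06/identity/claims'

$issuanceRules = @"
@RuleName = "Filter: pass through only contoso.com e-mail addresses"
c:[Type == "$claims/emailaddress", Value =~ "^(?i).+@contoso\.com$"]
 => issue(claim = c);

@RuleName = "Transform: rewrite the e-mail suffix for the partner"
c:[Type == "$claims/emailaddress"]
 => issue(Type = "$claims/emailaddress", Value = regexreplace(c.Value, "@contoso\.com$", "@fabrikam.com"));

@RuleName = "Send LDAP attributes: UPN and display name from AD DS (one account lookup)"
c:[Type == "$ms/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$claims/upn", "$claims/name"), query = ";userPrincipalName,displayName;{0}", param = c.Value);

@RuleName = "Send group membership: one role claim for one security group (no lookup)"
c:[Type == "$ms/groupsid", Value == "S-1-5-21-PLACEHOLDER-DOMAIN-SID-1234"]
 => issue(Type = "$claims/role", Value = "PortalUsers", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "Custom: LDAP query with a custom filter (the LDAP template cannot do this)"
c:[Type == "$ms/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$claims/locality"), query = "(&(sAMAccountName={0})(memberOf=CN=Portal Users,OU=Groups,DC=contoso,DC=com));department;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "`${user}"), param = c.Value);

@RuleName = "Custom: claim derived from two incoming claims"
c1:[Type == "$claims/role", Value == "PortalUsers"] && c2:[Type == "$ms/authenticationmethod", Value == "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"]
 => issue(Type = "$claims/role", Value = "PortalUsers-StrongAuth");
"@

# Replace the trust's rule set, then read it back for review.
Set-AdfsRelyingPartyTrust -TargetName 'Fabrikam Portal' -IssuanceTransformRules $issuanceRules
(Get-AdfsRelyingPartyTrust -Name 'Fabrikam Portal').IssuanceTransformRules
```

The backtick before `${user}` keeps PowerShell from expanding it, so the claim rule language receives the literal regex group reference.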
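A second added example, again not from this page, contrasts the two authorization templates: rules of the kind the Permit or Deny Users Based on an Incoming Claim template generates (one claim type, one exact value), custom rules that add the pattern matching the template lacks, and the Permit All Users rule, followed by a check that lists every trust still relying on an unconditional permit. Trust name and claim values are assumed placeholders.

```powershell
# Added example (not from the original page): issuance authorization rules for
# a relying party trust, and a review step that finds trusts using Permit All.
# Trust name, role names and UPN suffixes are constructed placeholders.
Import-Module ADFS

$claims = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$authz  = 'http://schemas.microsoft.com/authorization/claims'

# What the Permit/Deny template produces: an exact match on one type and one value.
$permitDenyRules = @"
@RuleName = "Template: permit members of the PortalUsers role"
c:[Type == "$claims/role", Value == "PortalUsers"]
 => issue(Type = "$authz/permit", Value = "true");

@RuleName = "Template: deny anyone carrying the Contractor role"
c:[Type == "$claims/role", Value == "Contractor"]
 => issue(Type = "$authz/deny", Value = "true");
"@

# The template cannot express a pattern or combine claims; a custom rule can,
# using the claim rule language's =~ / !~ operators and && between conditions.
$customRules = @"
@RuleName = "Custom: permit any UPN under contoso.com or one of its subdomains"
c:[Type == "$claims/upn", Value =~ "^(?i)[^@]+@([^.]+\.)?contoso\.com$"]
 => issue(Type = "$authz/permit", Value = "true");

@RuleName = "Custom: deny contractors whose UPN is outside contoso.com"
c1:[Type == "$claims/role", Value == "Contractor"] && c2:[Type == "$claims/upn", Value !~ "^(?i).+@contoso\.com$"]
 => issue(Type = "$authz/deny", Value = "true");
"@

# Permit All Users: no condition at all, so every authenticated user is permitted.
$permitAllRules = @"
@RuleName = "Permit All Users"
 => issue(Type = "$authz/permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName 'Fabrikam Portal' -IssuanceAuthorizationRules "$permitDenyRules`n$customRules"

# Review: a rule is unconditional when "=>" is preceded only by the start of the
# rule set or the previous rule's ";" (plus optional @RuleName/@RuleTemplate lines).
$permitAllPattern = '(?:^|;)\s*(?:@\w+\s*=\s*"[^"]*"\s*)*=>\s*issue\(Type\s*=\s*"[^"]*/permit"'
if (-not ($permitAllRules -match $permitAllPattern)) { throw 'pattern self-check failed' }
Get-AdfsRelyingPartyTrust |
  Where-Object { $_.IssuanceAuthorizationRules -match $permitAllPattern } |
  Select-Object Name, Identifier
```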