Applies To: Windows Server 2016, Windows Server 2012 R2

How URIs Are Used in AD FS

A Uniform Resource Identifier (URI) is a string of characters that is used as a unique identifier. In AD FS, URIs identify both partner network addresses and configuration objects. When used to identify a partner network address, the URI is always a URL. When used to identify a configuration object, the URI may be either a URN or a URL. For more general information about URIs, see RFC 2396 and RFC 3986.

URIs as partner network addresses

The following are the network address URLs that administrators most often handle in AD FS.

  • The URLs of the Federation Service, including the WS-Federation, SAML, WS-Trust, Federation Metadata, WS-MetadataExchange, Privacy, and Organization URLs

  • The URLs of a relying party trust, including the WS-Federation, SAML, and Federation Metadata URLs

  • The URLs of a claims provider trust, including the WS-Federation, SAML, and Federation Metadata URLs

URIs as object identifiers

The following table describes the identifiers that administrators most often handle in AD FS. For each identifier it gives a description and the comparisons in which the identifier is used.

Federation Service identifier
  Description: This identifier identifies the Federation Service. It is used by relying parties that consume claims from this Federation Service, and by claims providers that issue claims to this Federation Service.
  Comparisons: When a user requests claims from a claims provider for this Federation Service, the Federation Service identifier identifies the target of the claims. When this Federation Service receives the claims from a claims provider, it checks that the claims are scoped to it by looking for its own Federation Service identifier. When a relying party receives claims from this Federation Service, the relying party checks that the issuer of the claims matches the Federation Service identifier.

Relying party identifier
  Description: This identifier identifies the relying party to this Federation Service. It is used when issuing claims to the relying party.
  Comparisons: When a user requests claims from this Federation Service for the relying party, the relying party identifier identifies the relying party for which the claims should be targeted. This comparison uses prefix matching (see below). When the relying party receives the claims, it checks for its own identifier in the security token to ensure the claims are targeted at it.

Claims provider identifier
  Description: This identifier identifies the claims provider to this Federation Service. It is used when receiving claims from the claims provider.
  Comparisons: When this Federation Service receives claims from the claims provider, it checks that the issuer of the claims matches the claims provider identifier.

Claim type
  Description: This identifier defines the type of a claim. It is used by this Federation Service, by claims providers, and by relying parties when sending and receiving claims.
  Comparisons: When the Federation Service receives claims from a claims provider, the claim rules associated with the corresponding claims provider trust let the administrator compare claim types and process the claims. The claim rules associated with a relying party trust likewise let the administrator compare the claim types of the claims coming out of the claims provider trust rules and decide which claims to issue.
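The two comparisons the table attributes to a relying party (the issuer must equal the Federation Service identifier, and the token must carry the relying party's own identifier) can be made concrete on a SAML 2.0 assertion, which is one of the token formats listed above. The following is an added example, not AD FS's code or any relying party's product code. It assumes the SAML 2.0 assertion layout (saml:Issuer and saml:Conditions/saml:AudienceRestriction/saml:Audience), exact string comparison for both checks, hypothetical identifier values for contoso.com, and that the assertion's XML signature has already been verified before any of these values are trusted.

```python
import xml.etree.ElementTree as ET

# Added example, not AD FS's own code. Assumptions: SAML 2.0 assertion layout,
# exact string comparison, and a signature check performed before this point.

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def build_assertion(issuer: str, audience: str) -> str:
    """Constructed, unsigned sample assertion (not a real AD FS token)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@contoso.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T01:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def relying_party_accepts(assertion_xml: str, federation_service_id: str,
                          relying_party_id: str) -> tuple[bool, str]:
    """Apply the relying-party comparisons from the table to one assertion.

    Returns (accepted, reason). The XML signature is assumed to have been
    verified already; without that, both values checked here are
    attacker-controlled and the comparisons prove nothing.
    """
    root = ET.fromstring(assertion_xml)

    # Comparison 1: the issuer of the claims must match the Federation Service
    # identifier this relying party trusts.
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != federation_service_id:
        return False, f"issuer {issuer!r} is not the trusted Federation Service"

    # Comparison 2: the relying party's own identifier must be present in the
    # token, so claims issued for a different relying party are not accepted.
    audiences = [
        (a.text or "").strip()
        for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)
    ]
    if not audiences:
        return False, "assertion carries no audience restriction"
    if relying_party_id not in audiences:
        return False, f"assertion is targeted at {audiences}, not this relying party"
    return True, "issuer and audience match"


# Hypothetical identifiers for the constructed scenario.
FS_ID = "http://sts.contoso.com/adfs/services/trust"
HR_APP_ID = "https://hr.contoso.com/"
PAYROLL_APP_ID = "https://payroll.contoso.com/"

if __name__ == "__main__":
    print(relying_party_accepts(build_assertion(FS_ID, HR_APP_ID), FS_ID, HR_APP_ID))
    print(relying_party_accepts(build_assertion(FS_ID, PAYROLL_APP_ID), FS_ID, HR_APP_ID))
    print(relying_party_accepts(
        build_assertion("http://sts.fabrikam.com/adfs/services/trust", HR_APP_ID),
        FS_ID, HR_APP_ID))
```

The second call shows why the audience check matters: a token that the Federation Service legitimately issued for the payroll application is rejected by the HR application even though its issuer is trusted, because the HR application's identifier is not in the token.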

URI prefix matching for relying party identifiers

The path syntax of a URI is organized hierarchically and is delimited by either all "/" characters or all ":" characters, so the path can be split into path sections at the delimiting character. When prefix matching, each section must be a full match according to the matching rules (these rules govern the casing of matches). For more information about the matching rules, see the RFCs mentioned above.

When a relying party is identified in a request to the Federation Service, AD FS uses prefix matching logic to determine whether there is a matching relying party trust in the AD FS configuration database.

For the relying party identifier in the AD FS configuration database (URI1) to be a prefix of the relying party identifier in the incoming request (URI2), all of the following must be true:

  • Trailing delimiters (slashes and colons) of path sections or authorities are ignored

  • The scheme and authority parts of URI1 and URI2 must be a case-insensitive exact match

  • Each path section of URI1 must be an exact match (based on the case sensitivity chosen) to the corresponding path section of URI2

  • URI2 may have more path sections than URI1, but URI1 must not have more path sections than URI2

  • If URI1 has a query string, it must exactly match the query string of URI2

  • If URI1 has a fragment, it must exactly match the fragment of URI2

The following table provides additional examples.

URI1 (relying party identifier in AD FS configuration database)   URI2 (relying party identifier in request message)   Match?   Reason
http://contoso.com                                                http://contoso.com                                   TRUE     Exact match
http://contoso.com/                                               http://contoso.com                                   TRUE     Trailing slashes are ignored
http://contoso.com                                                http://contoso.com/                                  TRUE     Trailing slashes are ignored
http://contoso.com                                                http://contoso.com/hr                                TRUE     URI1 has no path, and its scheme and authority match URI2
http://contoso.com/hr                                             http://contoso.com/hr/web                            TRUE     First path sections match; URI1 has no second path section
http://contoso.com/hr                                             http://contoso.com/hr/web/?m=t                       TRUE     Same reasons as above; URI1 has no query string, so the query string of URI2 changes nothing
http://contoso.com/hr/                                            http://contoso.com/hrw/main                          FALSE    Path section 1 of URI1 does not match path section 1 of URI2
http://contoso.com/hr                                             http://contoso.com                                   FALSE    URI1 has more path sections than URI2
http://contoso.com/hr                                             http://contoso.com/hrweb                             FALSE    First path sections do not match
http://contoso.com/?m=t                                           http://contoso.com/?m=f                              FALSE    Query string parts do not match
https://contoso.com                                               http://contoso.com                                   FALSE    Scheme parts do not match
http://sts.contoso.com                                            http://contoso.com                                   FALSE    Authority parts do not match
http://contoso.com                                                http://sts.contoso.com                               FALSE    Authority parts do not match
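The prefix rules listed above, and the table of examples that illustrates them, can be turned into a matcher that reproduces every row of the table. The following is an added example, not the matching code AD FS itself uses. It implements the rules as stated on this page (trailing delimiters ignored, case-insensitive scheme and authority, section-by-section path comparison, query string and fragment constrained only when URI1 carries one). It goes slightly beyond the table by also splitting on ":" for URN-style identifiers, which follows from the page's statement that a path is delimited by either all "/" or all ":" characters. Because the page leaves path casing to "the case sensitivity chosen", that choice is exposed as a parameter, which is an assumption of this example rather than something the page specifies.

```python
from urllib.parse import urlsplit

# Added example, not AD FS's own matching code. Assumption: path casing is a
# caller-supplied choice, since the page only says "the case sensitivity chosen".


def path_sections(path: str) -> list[str]:
    """Split a URI path into sections.

    The page states the path is delimited by either all "/" or all ":"
    characters (the latter is what a URN such as urn:federation:contoso
    yields). Trailing delimiters produce empty sections, which are dropped.
    """
    delimiter = ":" if (":" in path and "/" not in path) else "/"
    return [section for section in path.split(delimiter) if section]


def rp_identifier_matches(uri1: str, uri2: str, case_sensitive_paths: bool = True) -> bool:
    """Return True if the configured identifier uri1 is a prefix of the requested uri2."""
    configured, requested = urlsplit(uri1), urlsplit(uri2)

    # Scheme and authority: case-insensitive exact match; a trailing delimiter
    # on the authority is ignored.
    if configured.scheme.lower() != requested.scheme.lower():
        return False
    if configured.netloc.rstrip(":").lower() != requested.netloc.rstrip(":").lower():
        return False

    # Path: every section of URI1 must equal the corresponding section of URI2,
    # and URI1 may not have more sections than URI2 (URI2 may have more).
    sections1 = path_sections(configured.path)
    sections2 = path_sections(requested.path)
    if not case_sensitive_paths:
        sections1 = [s.lower() for s in sections1]
        sections2 = [s.lower() for s in sections2]
    if len(sections1) > len(sections2):
        return False
    if sections2[: len(sections1)] != sections1:
        return False

    # Query string and fragment: only constrained when URI1 carries one, and
    # then they must match URI2 exactly.
    if configured.query and configured.query != requested.query:
        return False
    if configured.fragment and configured.fragment != requested.fragment:
        return False
    return True


# The rows of the examples table above, as (URI1, URI2, expected result).
TABLE_ROWS = [
    ("http://contoso.com", "http://contoso.com", True),
    ("http://contoso.com/", "http://contoso.com", True),
    ("http://contoso.com", "http://contoso.com/", True),
    ("http://contoso.com", "http://contoso.com/hr", True),
    ("http://contoso.com/hr", "http://contoso.com/hr/web", True),
    ("http://contoso.com/hr", "http://contoso.com/hr/web/?m=t", True),
    ("http://contoso.com/hr/", "http://contoso.com/hrw/main", False),
    ("http://contoso.com/hr", "http://contoso.com", False),
    ("http://contoso.com/hr", "http://contoso.com/hrweb", False),
    ("http://contoso.com/?m=t", "http://contoso.com/?m=f", False),
    ("https://contoso.com", "http://contoso.com", False),
    ("http://sts.contoso.com", "http://contoso.com", False),
    ("http://contoso.com", "http://sts.contoso.com", False),
]


def table_disagreements() -> list[tuple[str, str]]:
    """Return the (URI1, URI2) pairs where the matcher disagrees with the table."""
    return [(u1, u2) for u1, u2, expected in TABLE_ROWS
            if rp_identifier_matches(u1, u2) != expected]


if __name__ == "__main__":
    for u1, u2, expected in TABLE_ROWS:
        print(f"{u1:28} {u2:32} {rp_identifier_matches(u1, u2)!s:6} (table: {expected})")
    print("disagreements with the table:", table_disagreements())
```

The fourth table row is the one to keep in mind when configuring trusts: a configured identifier of http://contoso.com is a prefix of every request identifier under that authority, so a relying party trust whose identifier is shorter than intended is selected for more requests than the administrator expects. Configure the most specific identifier the relying party actually sends.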