適用於:Windows Server 2016、Windows Server 2012 R2、Windows Server 2012Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

宣告規則的角色The Role of Claim Rules

在 Active Directory 同盟服務 (AD FS) 同盟服務的整體功能是發行包含一組宣告預付碼。The overall function of the Federation Service in Active Directory Federation Services (AD FS) is to issue a token that contains a set of claims. AD FS 接受並再問題所宣告相關受到理賠要求規則。The decision regarding what claims AD FS accepts and then issues is governed by claim rules.

有哪些規則理賠要求?What are claim rules?

宣告規則表示商務邏輯操作,將需要一或多個傳入宣告套用條件的執行個體 \ (如果 x 然後 y\) 和產生依據條件的參數的一或多個出的宣告。A claim rule represents an instance of business logic that will take one or more incoming claims, apply conditions to them (if x then y) and produce one or more outgoing claims based on the condition parameters. 如需傳入的和傳出宣告,請查看宣告角色For more information about incoming and outgoing claims, see The Role of Claims.

當您需要執行企業邏輯,可以將控制宣告管線索賠項目時,您可以使用理賠要求規則。You use claim rules when you need to implement business logic that will control the flow of claims through the claims pipeline. 更多的邏輯概念宣告管線時 end\ to\ 高階處理程序適用於這一條宣告,理賠要求規則的實際管理項目,您可以使用來自訂流程宣告透過宣告發行處理程序。While the claims pipeline is more a logical concept of the end-to-end process for flowing claims, claim rules are an actual administrative element that you can use to customize the flow of claims through the claims issuance process.

如需宣告管線的詳細資訊,請查看的角色宣告引擎的For more information about the claims pipeline, see The Role of the Claims Engine.

宣告規則提供下列優點:Claim rules provide the following benefits:

  • 提供機制套用企業 run\ 階段邏輯信任宣告宣告提供者的系統管理員Provide a mechanism for administrators to apply run-time business logic for trusting claims from claims providers

  • 提供機制來定義所宣告推出給信賴的系統管理員Provide a mechanism for administrators to define what claims are released to relying parties

  • 想要允許或拒絕存取特定使用者的系統管理員提供豐富且詳細 claims\ 為基礎的授權的功能Provide rich and detailed claims-based authorization capabilities to administrators who want to permit or deny access to specific users

宣告規則的處理方式How claim rules are processed

宣告規則處理宣告管線使用宣告引擎Claim rules are processed through the claims pipeline using the claims engine. 宣告引擎是連入宣告出示使用者的設定會檢查同盟服務的元件邏輯,而且會然後,根據每個規則邏輯操作,產生輸出集索賠項目。The claims engine is a logical component of the Federation Service that examines the set of incoming claims presented by a user, and will then, depending on the logic in each rule, produce an output set of claims.

在一起,宣告規則引擎和設定的相關聯的特定聯盟信任規則判斷是否連入宣告應通過他們、 符合特定的條件篩選掉或之前同盟服務發行為傳出宣告轉換成索賠項目全新的一組理賠要求。Together, the claims rule engine and the set of claim rules associated with a given federated trust determine whether incoming claims should be passed through as they are, filtered to meet a specific condition’s criteria or transformed into an entirely new set of claims before they are issued as outgoing claims by your Federation Service.

如需有關這個程序,請查看的角色宣告引擎的For more information about this process, see The Role of the Claims Engine.

宣告規則範本為何?What are claim rule templates?

AD FS 包含一組預先定義的理賠要求規則範本,設計可協助您輕鬆地選取並建立特定的企業需要您的最適合理賠要求規則。AD FS includes a predefined set of claim rule templates that are designed to help you easily select and create the most appropriate claim rules for your particular business need. 取得範本只能理賠要求規則的建立程序期間規則。Claim rule templates are only used during the claim rule creation process.

AD FS snap\ 中管理,在規則只能建立使用理賠要求規則範本。In the AD FS Management snap-in, rules can only be created using claim rule templates. 使用 snap\ 中選取 [宣告規則範本、 輸入規則邏輯操作必要的資料並將它儲存至資料庫設定之後,將會 \ (從該點 forward) 中所參照的 UI 以理賠要求規則。After you use the snap-in to select a claim rule template, input the necessary data for the rule logic and save it to the configuration database, it will be (from that point forward) referred to in the UI as a claim rule.

如何取得 [規則範本工作How claim rule templates work

第一眼理賠要求規則範本看起來似乎只要輸入的表單 snap\ 單元所收集的資料與程序特定邏輯連入宣告上提供。At first glance, claim rule templates appear to be just input forms provided by the snap-in to collect data and process specific logic on incoming claims. 但是,在更多詳細的層級,取得所需之取得規則語言架構組成的基底的邏輯一定要快速而不需要知道語言可感知建立規則規則範本存放區。However, at a much more detailed level, claim rule templates store the necessary claim rule language framework that make up the base logic necessary for you to quickly create a rule without needing to know the language intimately.

每個使用者介面中所提供的範本 (UI) 代表預先填入理賠要求規則語言的語法最常所需的系統管理工作。Each template that is provided in the user interface (UI) represents a prepopulated claim rule language syntax, based on the most commonly required administrative tasks. 有一個規則範本不過,這是例外。There is one rule template however, that is the exception. 此範本稱為自訂規則範本。This template is referred to as the custom rule template. 使用此範本語法不會預先填入。With this template, no syntax is prepopulated. 改為直接必須製作宣告規則語言語法本文中的使用規則宣告語言語法理賠要求規則範本表單。Instead you must directly author the claim rule language syntax in the body of the claim rule template form using the claim rule language syntax.

如需有關如何使用理賠要求規則語言語法的詳細資訊,請查看角色取得規則語言的中的 AD FS 部署。For more information about how to use the claim rule language syntax, see The Role of the Claim Rule Language in the AD FS Deployment Guide.


您可以檢視相關聯規則隨時即可理賠要求規則語言檢視規則語言按鈕理賠要求規則的屬性。You can view the claim rule language associated with a rule at any time by clicking the View Rule Language button on the properties of a claim rule.

如何建立理賠要求規則How to create a claim rule

理賠要求規則同盟服務中每個聯盟的信任關係分開建立並不會在多個信任共用。Claim rules are created separately for each federated trust relationship within the Federation Service and are not shared across multiple trusts. 您可以從理賠要求規則範本建立規則、 從頭開始製作宣告規則語言的使用規則或使用 Windows PowerShell 來自訂規則。You can either create a rule from a claim rule template, start from scratch by authoring the rule using the claim rule language or use Windows PowerShell to customize a rule.

所有的這些選項來為您提供選擇的特定案例適當的方法的處於並存。All of these options coexist to provide you with the flexibility of choosing the appropriate method for a given scenario. 如需如何建立理賠要求規則的詳細資訊,請查看設定宣告規則中的廣告 FSDeployment。For more information about how to create a claim rule, see Configuring Claim Rules in the AD FSDeployment Guide.

使用理賠要求規則範本Using claim rule templates

取得範本只能理賠要求規則的建立程序期間規則。Claim rule templates are only used during the claim rule creation process. 您可以使用下列範本任一建立理賠要求規則:You can use any of the following templates to create a claim rule:

  • 通過或篩選連入宣告Pass Through or Filter an Incoming Claim

  • 轉換輸入宣告Transform an Incoming Claim

  • 傳送 LDAP 屬性為宣告Send LDAP Attributes as Claims

  • 為理賠要求傳送群組成員資格Send Group Membership as a Claim

  • 傳送主張使用自訂規則Send Claims Using a Custom Rule

  • 允許或拒絕根據連入宣告使用者Permit or Deny Users Based on an Incoming Claim

  • 允許所有使用者Permit All Users

如需詳細資訊,每個項目描述取得 [規則範本,查看判斷類型的取得規則範本使用For more information describing each of these claim rule templates, see Determine the Type of Claim Rule Template to Use.

使用語言理賠要求規則Using the claim rule language

商務規則超出範圍的標準理賠要求規則範本,您可以使用自訂規則範本快速一系列的使用規則宣告語言複雜的邏輯條件。For business rules that are beyond the scope of standard claim rule templates, you can use a custom rule template to express a series of complex logic conditions using the claim rule language. 如需有關如何使用規則自訂的詳細資訊,請查看使用自訂理賠要求規則For more information about using a custom rule, see When to Use a Custom Claim Rule.

使用 Windows PowerShellUsing Windows PowerShell

您也可以使用 Windows PowerShell 使用 ADFSClaimRuleSet cmdlet 物件,來建立,或管理中 AD FS 規則。You can also use the ADFSClaimRuleSet cmdlet object with Windows PowerShell to create or administer rules in AD FS. 如需有關如何使用 Windows PowerShell 使用下列 cmdlet 的詳細資訊,請查看使用 Windows PowerShell AD FS 管理For more information about how you can use Windows PowerShell with this cmdlet, see AD FS Administration with Windows PowerShell.

宣告規則集合為何?What is a claim rule set?

如下所示,宣告規則集合是一或多個規則宣告宣告規則引擎的處理方式將會定義特定聯盟信任的群組。As shown in the following illustration, a claim rule set is a grouping of one or more rules for a given federated trust that will define how claims will be processed by the claims rule engine. 連入宣告收到同盟服務時宣告規則引擎適用於指定適當宣告規則集合的邏輯。When an incoming claim is received by the Federation Service the claim rule engine applies the logic specified by the appropriate claim rule set. 它是邏輯的從每個規則宣告發行針對特定信任完整的方式會判斷設定中最終。It is the final sum of the logic from each rule in the set that will determine how claims will be issued for a given trust in its entirety.

AD FS 角色

宣告引擎順序特定的規則集中處理理賠要求規則。Claim rules are processed by the claims engine in chronological order within a given rule set. 因為一個規則的輸出可以當做下一個集中規則的輸入,很重要,此訂單。This order is important, because the output of one rule can be used as the input to the next rule in the set.

有哪些理賠要求規則設定類型?What are claim rule set types?

宣告規則設定類型是邏輯加以分類來辨識宣告發行、 授權或接受適用於相關聯信任宣告規則集合是否聯盟信任的區段。A claim rule set type is a logical segment of a federated trust that categorically identifies whether the claim rule set associated with the trust will be used for claims issuance, authorization or acceptance. 每個聯盟的信任可以有一或多個理賠要求規則設定類型的關聯,根據信任所使用的類型。Each federated trust can have one or more claim rule set types associated with it, depending on the type of trust that is used.

下表描述宣告規則集合各種並解釋宣告提供者信任或信賴廠商信任的關係。The following table describes the various types of claim rule sets and explains its relation with either a claims provider trust or relying party trust.

宣告規則設定類型Claim rule set type 描述Description 使用上Used on
接受轉換規則設定Acceptance transform rule set 宣告規則特定上所使用的一組宣告連入宣告將會被接受宣告提供者組織的和傳出宣告將會被傳送至信賴的派對信任的指定的提供者信任。A set of claim rules that you use on a particular claims provider trust to specify the incoming claims that will be accepted from the claims provider organization and the outgoing claims that will be sent to the relying party trust.

用於來源此規則集,連入宣告將會是輸出宣告提供者組織中所指定的 \ [發行轉換規則宣告。The incoming claims that will be used to source this rule set, will be the claims that are output by the issuance transform rule set as specified in the claims provider organization.

根據預設,宣告提供者信任節點包含理賠要求提供者信任名為Active Directory ,用來表示來源屬性在市集中接受轉換規則設定。By default, the claims provider trust node contains a claim provider trust named Active Directory which is used to represent the source attribute store for the acceptance transform rule set. 這個信任物件用來表示從您的同盟服務連接到您的網路上的 Active Directory 資料庫。This trust object is used to represent the connection from your Federation Service to an Active Directory database on your network. 這個預設信任是項目處理宣告 Active Directory 由已驗證的使用者而無法刪除。This default trust is what processes claims for users that have been authenticated by Active Directory and it cannot be deleted.
宣告提供者信任Claims provider trusts
發行轉換規則設定Issuance Transform Rule Set 一組理賠要求規則指定將發給信賴宣告信賴的派對信任上所使用。A set of claim rules that you use on a relying party trust to specify the claims that will be issued to the relying party.

用於來源此規則集,連入宣告一開始將接受轉換規則輸出主張。The incoming claims that will be used to source this rule set, will initially be the claims that are output by the acceptance transform rules.
可以廠商信任Relying party trusts
發行授權規則設定Issuance Authorization Rule Set 一組理賠要求規則指定的使用者可以接收信賴權杖信賴的派對信任上所使用。A set of claim rules that you use on a relying party trust to specify the users that will be permitted to receive a token for the relying party.

本規則判斷使用者是否可接收到信賴的信賴,因此,存取宣告。These rules determine whether a user can receive claims for a relying party and, therefore, access to the relying party.

指定 \ [發行授權規則,否則所有使用者將都無法存取預設。Unless you specify an issuance authorization rule, all users will be denied access by default.
可以廠商信任Relying party trusts
委派授權規則設定Delegation Authorization Rule Set 一組理賠要求規則指定的使用者可以做為信賴其他使用者的代理人信賴的派對信任上所使用。A set of claim rules that you use on a relying party trust to specify the users that will be permitted to act as delegates for other users to the relying party.

本規則判斷是否允許要求模擬時仍找出要求傳送給信賴權杖中的使用者。These rules determine whether the requester is permitted to impersonate a user while still identifying the requester in the token that is sent to the relying party.

除非您指定發行授權規則,不使用者可以當做代理人預設。Unless you specify an issuance authorization rule, no users can act as delegates by default.
可以廠商信任Relying party trusts
模擬授權規則設定Impersonation Authorization Rule Set 一組理賠要求您使用 Windows PowerShell 來判斷使用者是否設定規則可以完全模擬信賴的其他使用者。A set of claim rules that you configure using Windows PowerShell to determine whether a user can fully impersonate another user to the relying party.

本規則判斷模擬的使用者而不會傳送至信賴權杖中的要求檢測軍人是否允許要求。These rules determine whether the requester is permitted to impersonate a user without identifying the requester in the token that is sent to the relying party.

模擬另一位使用者這種方式,所以功能非常強大信賴並不知道正在模擬使用者。Impersonating another user in this way is a very powerful capability, because the relying party will not know that the user is being impersonated.
可以廠商信任Relying party trust

在您的組織中使用的適當理賠要求規則查看有關更多選取判斷類型的取得規則範本使用For more information about select the appropriate claim rules to use in your organization, see Determine the Type of Claim Rule Template to Use.