Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The Role of Claims

In the claims-based identity model, claims play a pivotal role in the federation process. They are the key component by which the outcome of all Web-based authentication and authorization requests is determined. This model enables organizations to securely project digital identity and entitlement rights, or claims, across security and enterprise boundaries in a standardized way.

What are claims?

In its simplest form, a claim is a statement (for example, name, identity, group) made about a user that is used primarily for authorizing access to claims-based applications located anywhere on the Internet. Each statement corresponds to a value that is stored in the claim.

How claims are sourced

The Federation Service in Active Directory Federation Services (AD FS) defines which claims are exchanged between federated partners. Before it can do this, however, it must first populate, or source, the claim with either a retrieved value or a calculated value. Each claim value represents a value of a user, group, or entity and is sourced in one of two ways:

  1. When the value that makes up the claim is retrieved from an attribute store, for example, when an attribute value of Sales Department is retrieved from the properties of an Active Directory user account. For more information, see The Role of Attribute Stores.

  2. When the value of an incoming claim is transformed into another value based on the logic expressed in a rule, for example, when an incoming claim with the value Domain Admins is transformed into a new value of Administrators before it is sent as an outgoing claim. For more information, see The Role of Claim Rules.

Claims can include values such as an e-mail address, a User Principal Name (UPN), group membership, and other account attributes.

How claims flow

Other parties rely on the values of the claims to perform authorization tasks for the Web-based applications that they host. These parties are referred to as relying parties in the AD FS Management snap-in. The Federation Service is responsible for brokering trust between many disparate parties. It is designed to process and flow the trusted exchange of claims from the organization that initially sources the claims, referred to as a claims provider in the AD FS Management snap-in, to a relying party. The relying party then uses these claims to make authorization decisions.

The flow of claims through this process is known as the claims pipeline. There are three steps in the flow of claims through the claims pipeline:

  1. The claims that are received from the claims provider are processed by the acceptance transform rules on the claims provider trust. These rules determine which claims are accepted from the claims provider.

  2. The output of the acceptance transform rules is used as input to the issuance authorization rules. These rules determine whether the user is permitted to access the relying party.

  3. The output of the acceptance transform rules is also used as input to the issuance transform rules. These rules determine the claims that will be sent to the relying party. Because both rule sets consume the same input, claims produced by the issuance transform rules are not visible to the issuance authorization rules.
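The two sourcing methods and the three pipeline steps above, wired up with the ADFS PowerShell module, as an added example that is not part of the original page. The trust names ("Contoso" as a federated claims provider trust, "Fabrikam Expense App" as a relying party trust) and the partner mail domain contoso.com are assumed for illustration; the cmdlets, the claim type URIs and the claim rule language syntax are AD FS's own.

```powershell
# Added example, not from the original page. Assumed names: claims provider trust
# "Contoso", relying party trust "Fabrikam Expense App", partner mail domain contoso.com.
Import-Module ADFS

# Step 1: acceptance transform rules on the claims provider trust. Only the claims matched
# here cross the trust boundary. A blanket pass-through (c:[] => issue(claim = c);) would let
# the partner assert any claim, including a role of "Domain Admins", so accept by type and
# constrain the value to the partner's own namespace.
$acceptanceRules = @'
@RuleName = "Accept partner e-mail addresses in the contoso.com namespace only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^[^@]+@contoso[.]com$"]
 => issue(claim = c);

@RuleName = "Transform the partner's Domain Admins role into Administrators"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "Domain Admins"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Administrators", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@
# -AcceptanceTransformRules replaces the whole rule set; read the existing one first with
# (Get-AdfsClaimsProviderTrust -Name "Contoso").AcceptanceTransformRules if it must be kept.
Set-AdfsClaimsProviderTrust -TargetName "Contoso" -AcceptanceTransformRules $acceptanceRules

# Step 2: issuance authorization rules on the relying party trust. Input is the output of
# step 1, so only the transformed "Administrators" role is visible here, never "Domain Admins".
# If no permit claim is issued, the user is denied access to the relying party.
$authorizationRules = @'
@RuleName = "Permit Administrators only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "Administrators"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 3: issuance transform rules on the same relying party trust. Input is again the output
# of step 1, not of step 2. A local user's e-mail address and UPN are sourced from the
# Active Directory attribute store, keyed by the windowsaccountname claim that the built-in
# Active Directory claims provider issued (Issuer "AD AUTHORITY"); the role claim is passed through.
$transformRules = @'
@RuleName = "Source e-mail address and UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "Pass through role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);
'@

Set-AdfsRelyingPartyTrust -TargetName "Fabrikam Expense App" `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules $transformRules

# Verify what is now stored on each trust.
Get-AdfsClaimsProviderTrust -Name "Contoso" | Select-Object Name, AcceptanceTransformRules | Format-List
Get-AdfsRelyingPartyTrust -Name "Fabrikam Expense App" |
    Select-Object Name, IssuanceAuthorizationRules, IssuanceTransformRules | Format-List
```

The acceptance rules are the security boundary with the partner: a claim type or value that is not matched there never reaches the authorization or transform rules, so keep that set as narrow as the relying parties actually require.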

For more information, see The Role of the Claims Pipeline.

How claims are issued

When you write claim rules, the source of the incoming claims for those rules varies depending on whether you are writing rules on a claims provider trust or on a relying party trust. When you write claim rules for a claims provider trust, the incoming claims are the claims sent from the trusted claims provider to the Federation Service. When you write rules for a relying party trust, the incoming claims are the claims output by the claim rules of the applicable claims provider trust. For more information about incoming claims and outgoing claims, see The Role of the Claims Pipeline and The Role of the Claims Engine.

What are claim types?

A claim type provides context for the claim value. It is usually expressed as a Uniform Resource Identifier (URI). AD FS can support any claim type, and it is configured with the claim types in the following table by default.

| Name | Description | URI |
| --- | --- | --- |
| E-Mail Address | The e-mail address of the user | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| Given Name | The given name of the user | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
| Name | The unique name of the user | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| UPN | The user principal name (UPN) of the user | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn |
| Common Name | The common name of the user | http://schemas.xmlsoap.org/claims/CommonName |
| AD FS 1.x E-Mail Address | The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0 | http://schemas.xmlsoap.org/claims/EmailAddress |
| Group | A group that the user is a member of | http://schemas.xmlsoap.org/claims/Group |
| AD FS 1.x UPN | The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0 | http://schemas.xmlsoap.org/claims/UPN |
| Role | A role that the user has | http://schemas.microsoft.com/ws/2008/06/identity/claims/role |
| Surname | The surname of the user | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
| PPID | The private identifier of the user | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier |
| Name Identifier | The SAML name identifier of the user | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
| Authentication Method | The method used to authenticate the user | http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod |
| Deny Only Group SID | The deny-only group SID of the user | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid |
| Deny Only Primary SID | The deny-only primary SID of the user | http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid |
| Deny Only Primary Group SID | The deny-only primary group SID of the user | http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid |
| Group SID | The group SID of the user | http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid |
| Primary Group SID | The primary group SID of the user | http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid |
| Primary SID | The primary SID of the user | http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid |
| Windows Account Name | The domain account name of the user in the form domain\user | http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname |

What are claim descriptions?

Claim descriptions represent the list of claim types that AD FS supports and that may be published in federation metadata. The claim types listed in the previous table are configured as claim descriptions in the AD FS Management snap-in.

The collection of claim descriptions that will be published to federation metadata is stored in the AD FS configuration database. These claim descriptions are used by various components of the Federation Service.

Each claim description includes a claim type URI, a name, a publishing state, and a description. You can manage the claim description collection by using the Claim Descriptions node in the AD FS Management snap-in, and you can modify the publishing state of a claim description from the snap-in. The following settings are available:

  • Publish this claim in federation metadata as a claim type that this Federation Service can accept (Publish as Accepted): indicates the claim types that this Federation Service will accept from other claims providers.

  • Publish this claim in federation metadata as a claim type that this Federation Service can send (Publish as Sent): indicates the claim types that this Federation Service offers. These are the claim types the Federation Service publishes to others as the ones it is willing to send. The claim types actually sent by the claims provider are often a subset of this list.

For more information about how to set the publishing state of a claim type, see Add a Claim Description in the AD FS Deployment Guide.

When generating federation metadata

Federation metadata includes all the claim descriptions that are marked for publishing.
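Managing a claim description's publishing state and checking what actually lands in the published federation metadata, as an added example that is not part of the original page. The custom claim type URI http://schemas.contoso.com/claims/department and the federation service host fs.contoso.com are assumed for illustration; the cmdlets, their -IsAccepted/-IsOffered parameters (which correspond to Publish as Accepted and Publish as Sent), and the WS-Federation metadata element names are AD FS's own.

```powershell
# Added example, not from the original page. Assumed: a custom claim type URI and the
# host name of the Federation Service whose metadata is being checked.
Import-Module ADFS

$deptClaim = "http://schemas.contoso.com/claims/department"

# Create the claim description if it does not exist yet.
# -IsOffered  corresponds to "Publish as Sent"; -IsAccepted to "Publish as Accepted".
if (-not (Get-AdfsClaimDescription -ClaimType $deptClaim -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimDescription -Name "Department" -ClaimType $deptClaim `
        -IsOffered $true -IsAccepted $false `
        -Notes "Department attribute sourced from the Active Directory attribute store"
}

# Change the publishing state later without recreating the description.
Set-AdfsClaimDescription -TargetClaimType $deptClaim -IsAccepted $true

# Everything marked for publishing, i.e. what the next metadata document will contain.
Get-AdfsClaimDescription | Where-Object { $_.IsOffered -or $_.IsAccepted } |
    Select-Object Name, ClaimType, IsOffered, IsAccepted | Format-Table -AutoSize

# Confirm against the published document rather than the configuration database:
# sent claim types appear under fed:ClaimTypesOffered, accepted ones under fed:ClaimTypesRequested.
$metadataUri = "https://fs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUri -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("fed",  "http://docs.oasis-open.org/wsfed/federation/200706")
$ns.AddNamespace("auth", "http://docs.oasis-open.org/wsfed/authorization/200706")
$offered   = $md.SelectNodes("//fed:ClaimTypesOffered/auth:ClaimType", $ns)   | ForEach-Object { $_.Uri }
$requested = $md.SelectNodes("//fed:ClaimTypesRequested/auth:ClaimType", $ns) | ForEach-Object { $_.Uri }

"Published as Sent:     " + ($offered   -contains $deptClaim)
"Published as Accepted: " + ($requested -contains $deptClaim)
```

Publishing a claim type only advertises it to partners; whether a value is ever issued still depends on the claim rules on the relevant trust, which is why the list of sent claim types is typically a superset of what a relying party actually receives.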

When claim rules are processed

Keeping configuration information about claim descriptions makes it easier to configure rules about claims. For more information about the claim rules that can be used in the claims provider organization, see The Role of Claim Rules.