Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The Role of the Claims Engine

At its highest level, the claims engine in Active Directory Federation Services (AD FS) is a rule-based engine dedicated to serving and processing claim requests for the Federation Service. The claims engine is the sole entity within the Federation Service that is responsible for running each of the rule sets across all of the federated trust relationships you have configured and handing the output result over to the claims pipeline.

While the claims pipeline is more a logical concept of the end-to-end process for flowing claims, claim rules are an actual administrative element that you can use to customize the flow of claims during the claim rules execution process. For more information about the pipeline process, see The Role of the Claims Pipeline.

As shown in the following illustration, the act of accepting incoming claims (acceptance rules), authorizing claim requesters (authorization rules) and issuing outgoing claims (issuance rules) through claim rules across all of the federated trust relationships in your organization is performed by the claims engine.

(Illustration: AD FS Roles)

Claim rules execution process

When you configure a claims provider trust or relying party trust in your organization with claim rules, the claim rule set(s) for that trust act as a gatekeeper for incoming claims by invoking the claims engine to apply the logic in the claim rules, which determines whether to issue any claims and which claims to issue.

The following section outlines each of the steps that the engine performs during the flow of claims through the claim rules execution process. Each of the steps outlined below occurs for each stage described in the claims pipeline process. These steps are:

  • Step 1 – Initialization

  • Step 2 – Execution

  • Step 3 – Execution result

For more information about the pipeline process, see The Role of the Claims Pipeline.

Step 1 – Initialization

In the first step of the claim rules execution process, the claims engine accepts incoming claims by first adding them to the input claim set. An input claim set is analogous to an in-memory cache that holds data only for as long as the process that needs it requires that data to be available for retrieval. The input claim set data is discarded after the rule execution finishes.

Adding a claim to the input claim set for a rule set

The input claim set is created by the claims engine when it needs to temporarily store claim data in memory while it processes the logic associated with a claim rule set. The claims engine copies all of the incoming claims to the input claim set, where they can be retrieved by the first rule in the rule set.

For example, in the illustration below, the claims engine reads claims A and B from the incoming claims and copies them to the input claim set. Once they are in the input claim set, the claims engine retrieves claims A and B and processes them as input for the logic in the first rule in the claim rule set.

(Illustration: AD FS Roles)

All the rules in a claim rule set share the same input claim set. Each rule in that set can add to the shared input claim set, thus affecting all subsequent rules in the set.

Step 2 – Execution

In this step of the claim rules process, claim rules are processed as the claims engine steps chronologically through all of the rules within a particular rule set, one at a time. Each rule within a rule set runs only once, and the rules are executed in the order in which they appear, from top to bottom, in the Edit Claim Rules dialog box in the AD FS Management snap-in. The claim rule at the top of the rule set is processed first, and subsequent rules are then processed until all of the rules have been run.

As defined in the claim rule language, a claim rule consists of two parts: a condition and an issuance statement. The claims engine first processes the condition part by using the data in the input claim set to determine whether the condition specified within the rule holds true for the claims contained in the input claim set (the claims that match the rule's condition are referred to as matching claims). If any matching claims are found, the claims engine executes the issuance statement of the rule for each set of matching claims. The issuance statement of the rule can perform any of the following tasks with the matching claims:

  1. Copy a matching claim into the output claim set.

  2. Transform the claim fields and create a new claim in either just the input claim set or in both the input and output claim sets.

  3. Use the matching claim(s) as a key to look up more information from an attribute store and create new claim(s) in either just the input claim set or in both the input and output claim sets.

Adding a claim to the output claim set for a rule set

The output claim set is a location in memory that is initially empty. It is important because the claims engine returns only the claims that reside in the output claim set after the execution process completes. This means that any claims that reside only in the input claim set, and not in the output claim set, are ignored when it comes time to calculate the final set of outgoing claims.

Adding a claim to both claim sets for a rule set

As a rule is processed, claims are added either to the input claim set alone or to both the input claim set and the output claim set, depending on the statement used in the rule's issuance statement. The claim rule language refers to these statements as add and issue.

If the add statement is used, the claims are added only to the input claim set; they exist solely for the purposes of the execution and cease to exist once the execution completes, so they never appear in the token that is ultimately issued. If the issue statement is used, the claims are added to both the input claim set and the output claim set, and they are returned in the output claim set once the execution completes. For more information about these statements, see The Role of the Claim Rule Language.

If the condition part of a rule within a rule set does not match any claims in the input claim set, the issuance statement part of the rule is ignored, and thus no claims are added to either the output claim set or the input claim set. The following illustration and corresponding steps show what happens when the claims engine executes a transform rule:

(Illustration: AD FS Roles)

  1. Incoming claims are added to the input claim set by the claims engine.

  2. When the first rule executes, it sees the A and B claims, which at that moment are the only claims in the input claim set, and processes the conditional part of the rule logic in rule 1.

  3. Because the A claim is present in the input claim set, the condition of the rule is determined to be true (matching claim A), and a new C claim is added to both the input claim set and the output claim set.

  4. Rule 2 can now use the A, B and C claims (all claims in the input claim set) as input for processing its logic.

For more information about claims transformation, see When to Use a Transform Claim Rule.

Step 3 – Execution result

The final stage of the claim rule set execution begins once all rules within a given rule set have been run and the final set of claims is present in the output claim set. At this point, the claims engine returns the content of the output claim set as the output of the rule set execution. From this point forward it is the claims pipeline that takes over and moves this final output to the next stage in its process.

Sending the execution output to the claims pipeline

When the claims engine processes a rule set, that rule set has its own dedicated locations in memory for its input and output claim sets. This means that the input and output claim sets used by one rule set are separate from the input and output claim sets used by another rule set.

After the entire process has run for a given rule set (steps 1, 2 and 3), the newly issued outgoing claims (the content of the output claim set) are used as input to the next rule set in the claims pipeline. This allows claims to flow from the output of one rule set to the input of another rule set, as shown in the following illustration.

(Illustration: AD FS Roles)

Note

Although the issuance rule set is also a critical stage in the pipeline, the illustration above omits it purely to simplify the illustration. For an illustration that shows the issuance rule set and how it fits into the claims pipeline, see The Role of the Claims Pipeline.

In this case, the output of the acceptance rules is used by the pipeline to flow the final set of claims produced by the acceptance rules to the second stage in the pipeline, which is the processing of authorization rules. At this point, the entire claim rules execution process (steps 1, 2 and 3 above) runs again for the authorization rule set. This cycle continues until the issuance rule set (the final stage in the pipeline) has been completed.

Once the finalized outgoing claims have been returned from the engine for the issuance rule set, they are packaged into a SAML token and the Federation Service sends the token back to the client.

Processing authorization rules

If the claim rule set being executed during step 2 of the claim rules execution process consists of authorization rules (which have different input and output claim sets than either acceptance or issuance rules), then those authorization rules run to determine whether a token requester is authorized to obtain a security token for a given relying party from the Federation Service, based on the requester's claims.

The goal of authorization rules is to issue a permit or deny claim based on whether the user is allowed to obtain a token for the given relying party. As shown in the following illustration, the output of the authorization execution is used by the pipeline to decide whether the issuance rule set is executed at all (based on the presence or absence of the permit and/or deny claim), but the authorization execution output itself is not used as input to the issuance claim rule set.

(Illustration: AD FS Roles)

For more information about claims authorization, see When to Use an Authorization Claim Rule.
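The following Python model is an added illustration of two passages on this page, the claim rules execution process (steps 1 to 3, including the add versus issue distinction and the A/B to C transform walkthrough) and the acceptance, authorization and issuance flow just described. It is not AD FS code and not part of the original page. It assumes single-claim conditions (AD FS conditions can match sets of claims), that a deny claim overrides a permit claim, and constructed urn:example: claim types and rule contents; the permit and deny claim types are the real AD FS ones.

```python
"""Toy model of the AD FS claim rules execution process and claims pipeline.

Added illustration, not AD FS code. It reproduces the behaviour the page
describes: each rule set has its own input and output claim set, rules run
once each in order over a shared input set, "add" places a claim only in the
input set, "issue" places it in both, and the authorization rule set gates
the issuance rule set via a permit/deny claim without feeding its own output
into issuance. All urn:example: claim types and all rule contents are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


@dataclass
class Rule:
    """A single-claim rule: a condition over one input claim plus an issuance
    statement. Shape follows the AD FS claim rule language, e.g.
    c:[Type == X] => issue(Type = Y, Value = c.Value);"""
    name: str
    condition: Callable[[Claim], bool]
    make_claim: Callable[[Claim], Claim]
    statement: str = "issue"   # "issue": input + output sets; "add": input set only


def execute_rule_set(incoming: List[Claim], rules: List[Rule]) -> List[Claim]:
    """Steps 1-3 for one rule set; returns the content of its output claim set."""
    input_set: List[Claim] = list(incoming)   # step 1: incoming claims copied in
    output_set: List[Claim] = []              # output set starts empty
    for rule in rules:                        # step 2: each rule runs once, top to bottom
        matching = [c for c in input_set if rule.condition(c)]
        for m in matching:                    # issuance statement per matching claim
            new = rule.make_claim(m)
            input_set.append(new)             # add and issue both make it visible to later rules
            if rule.statement == "issue":
                output_set.append(new)        # only issued claims survive the rule set
        # a rule whose condition matches nothing adds nothing to either set
    return output_set                         # step 3: the input set is discarded here


# Real AD FS authorization claim types (the page's "permit and/or deny claim").
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"


def run_pipeline(incoming: List[Claim], acceptance: List[Rule],
                 authorization: List[Rule], issuance: List[Rule]) -> Optional[List[Claim]]:
    """Acceptance -> authorization -> issuance. Returns the final outgoing
    claims, or None when the issuance rule set is never executed."""
    accepted = execute_rule_set(incoming, acceptance)        # stage 1
    authz_out = execute_rule_set(accepted, authorization)    # stage 2, its own claim sets
    # Model assumption: a deny claim wins; otherwise a permit claim is required.
    if any(c.type == DENY for c in authz_out) or not any(c.type == PERMIT for c in authz_out):
        return None
    # authz_out is NOT passed on; issuance works from the accepted claims.
    return execute_rule_set(accepted, issuance)              # stage 3


def _is(claim_type: str) -> Callable[[Claim], bool]:
    return lambda c: c.type == claim_type


# Constructed rule sets mirroring the A/B -> C transform walkthrough on this page.
ACCEPTANCE = [
    Rule("A -> issue C", _is("urn:example:A"), lambda c: Claim("urn:example:C", c.value)),
    Rule("C -> add D", _is("urn:example:C"), lambda c: Claim("urn:example:D", c.value), "add"),
    Rule("D -> issue E", _is("urn:example:D"), lambda c: Claim("urn:example:E", c.value)),
    Rule("Z -> issue F", _is("urn:example:Z"), lambda c: Claim("urn:example:F", c.value)),
]
AUTHORIZATION = [
    Rule("blocked C -> deny",
         lambda c: c.type == "urn:example:C" and c.value == "blocked",
         lambda c: Claim(DENY, "true")),
    Rule("C -> permit", _is("urn:example:C"), lambda c: Claim(PERMIT, "true")),
]
ISSUANCE = [
    Rule("E -> issue role", _is("urn:example:E"), lambda c: Claim("urn:example:role", "user")),
]


def claim_types(claims: List[Claim]) -> List[str]:
    return [c.type for c in claims]


if __name__ == "__main__":
    incoming = [Claim("urn:example:A", "a1"), Claim("urn:example:B", "b1")]
    # D is visible to rule 3 but never leaves the rule set; F is never created.
    print(claim_types(execute_rule_set(incoming, ACCEPTANCE)))
    print(run_pipeline(incoming, ACCEPTANCE, AUTHORIZATION, ISSUANCE))
    print(run_pipeline([Claim("urn:example:A", "blocked")], ACCEPTANCE, AUTHORIZATION, ISSUANCE))
```

Running the module shows the three behaviours worth checking when reviewing a rule configuration: the claim created with add (D) drives a later rule but is absent from the rule set output, the deny claim stops the pipeline before any issuance rule runs, and an incoming set that never yields a permit claim produces no token at all.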