Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The Role of the Claims Pipeline

The claims pipeline in Active Directory Federation Services (AD FS) represents the path that claims must follow through the Federation Service before they can be issued. The Federation Service manages the entire end-to-end process of flowing claims through the various stages of the claims pipeline, which also includes the processing of claim rules by the claim rule engine.

For more information about claim rules, see The Role of Claim Rules. For more information about how the claim rule engine processes rules, see The Role of the Claims Engine.

The following section discusses the process that the Federation Service oversees in greater detail.

Claims pipeline process

The claims pipeline process consists of three high-level stages. Each stage in this process initializes the claim rule engine to process claim rules that are specific to that stage. These stages include (in the order that they occur):

  1. Accepting incoming claims—This stage in the claims pipeline is used to extract the incoming claims from the token and eliminate claims that are not expected or trusted. After they are extracted, the acceptance rules that make up the acceptance transform rule set for a claims provider trust are run. These rules can be used to pass through or add new claims that can then be used in the subsequent stages of the claims pipeline. The output of this stage is used as the input to the second and third stages.

  2. Authorizing the claims requester—This stage is used by the claims engine to issue permit or deny claims based on whether the token requester is allowed to obtain a token for the given relying party or not. Before this can occur, however, the authorization rules that make up either the issuance authorization rule set or the delegation authorization rule set for a relying party trust are run.

  3. Issuing outgoing claims—This stage is used to issue outgoing claims and send them along the pipeline, where they will be packaged into a security token. Before this can occur, however, the issuance rules that make up the issuance transform rule set for a relying party trust are run; these determine which claims will be issued as outgoing claims.
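The three stages above map onto three rule sets that an administrator configures on the trusts. The following Windows PowerShell script is an added example, not code from the original page or from Microsoft; it assumes an existing claims provider trust and relying party trust whose names, and the application group SID, are placeholders. It sets a scoped acceptance transform rule set on the claims provider trust (stage 1), an issuance authorization rule set (stage 2) and an issuance transform rule set (stage 3) on the relying party trust, then reads them back for verification.

```powershell
# Added example (not from the page): wiring the three claims-pipeline rule sets
# in AD FS with the ADFS PowerShell module. Run on an AD FS server as an AD FS
# administrator. Trust names and the group SID below are placeholders.

$cpTrustName = "Partner Claims Provider"   # placeholder: an existing claims provider trust
$rpTrustName = "Claims App"                # placeholder: an existing relying party trust
$appGroupSid = "S-1-5-21-PLACEHOLDER-1234" # placeholder: SID of the group allowed to use the app

# Stage 1: acceptance transform rules on the claims provider trust.
# Only the claim types we expect from the partner are passed through; any other
# claim the partner asserts is dropped before stages 2 and 3 ever see it.
# The weak alternative, shown for contrast and deliberately NOT applied, would be
#   c:[] => issue(claim = c);
# which passes through every claim the partner chooses to send.
$acceptanceRules = @'
@RuleName = "Pass through UPN from partner"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Pass through group SIDs from partner"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
 => issue(claim = c);
'@

# Stage 2: issuance authorization rules on the relying party trust.
# A permit claim is issued only when the requester carries the application
# group's SID (as passed through by stage 1); a requester with no permit claim
# is denied a token for this relying party.
$authorizationRules = @"
@RuleName = "Permit members of the application group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$appGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Stage 3: issuance transform rules on the relying party trust.
# Decides which claims become outgoing claims packaged into the security token;
# here the UPN accepted in stage 1 is issued as the Name ID the application expects.
$issuanceRules = @'
@RuleName = "Issue UPN as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value);
'@

# Apply the rule sets to the trusts they belong to.
Set-AdfsClaimsProviderTrust -TargetName $cpTrustName -AcceptanceTransformRules $acceptanceRules
Set-AdfsRelyingPartyTrust -TargetName $rpTrustName `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules $issuanceRules

# Verification: read each configured rule set back, stage by stage.
(Get-AdfsClaimsProviderTrust -Name $cpTrustName).AcceptanceTransformRules
$rp = Get-AdfsRelyingPartyTrust -Name $rpTrustName
$rp.IssuanceAuthorizationRules
$rp.IssuanceTransformRules
```

The acceptance rule set is the one place in the pipeline where claims asserted by another organization are filtered, so it is kept to an explicit list of claim types rather than a catch-all pass-through; the authorization and issuance rule sets then only ever operate on claims that survived that filter.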

All three stages above perform claim rule processing but use a different set of rules. As described above, each stage has an associated set of rules based on either the issuer of the incoming claims (the acceptance rules) or the target service for which the claims are being issued (the authorization and issuance rules).

Claims are token-agnostic but are transmitted over the network encapsulated in security tokens. The claim rules operate over claims regardless of the format of the incoming or outgoing security token.

Claim rules contain the administrator-defined logic by which the claims engine will accept the incoming claims, authorize claims based on the requester's identity, and issue the claims that are needed by a relying party. Ultimately, it is the claims engine that determines which claims will go into the security token that is issued after the claims have flowed through the claims pipeline.

As shown in the following illustration, the claims pipeline is responsible for the entire end-to-end process of flowing a claim through the various pipeline stages in order to end up with an issued claim that will be sent over a relying party trust. The outgoing claim in the illustration represents the issued claim.

(Illustration: AD FS role)

Although it is not shown in the illustration, it is the claims engine that performs the actual processing of the rules at each stage. For more information, see The Role of the Claims Engine.