Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Understanding Key AD FS Concepts

It is recommended that you learn about the important concepts of Active Directory Federation Services (AD FS) and become familiar with its feature set before deploying it.

Tip

You can find additional AD FS resource links at the AD FS Content Map page on the Microsoft TechNet Wiki. This page is managed by members of the AD FS community and is monitored on a regular basis by the AD FS product team.

AD FS terminology used in this guide

AD FS term | Definition
--- | ---
Account partner organization | A federation partner organization that is represented by a claims provider trust in the Federation Service. The account partner organization contains the users that will access Web-based applications in the resource partner.
Account federation server | The federation server in the account partner organization. The account federation server issues security tokens to users based on user authentication. The server authenticates the user, extracts the relevant attributes and group membership information from the attribute store, packages this information into claims, and generates and signs a security token (which contains the claims) to return to the user, either to be used in its own organization or to be sent to a partner organization.
AD FS configuration database | A database used to store all configuration data that represents a single AD FS instance or Federation Service. This configuration data can be stored either in a SQL Server database or by using the Windows Internal Database feature included with Windows Server 2016, Windows Server 2012 and 2012 R2, and Windows Server 2008 and 2008 R2.<br><br>You can create the AD FS configuration database for SQL Server using the Fsconfig.exe command-line tool and for Windows Internal Database using the AD FS Federation Server Configuration Wizard. On Windows Server 2012 R2 and later, the Install-AdfsFarm Windows PowerShell cmdlet performs the same setup: its -SQLConnectionString parameter selects SQL Server, and omitting it selects Windows Internal Database.
Claims provider | The organization that provides claims to its users. See account partner organization.
Claims provider trust | In the AD FS Management snap-in, claims provider trusts are trust objects typically created in resource partner organizations to represent the organization in the trust relationship whose accounts will be accessing resources in the resource partner organization. A claims provider trust object consists of a variety of identifiers, names, and rules that identify this partner to the local Federation Service.
Local claims provider trust | A trust object that represents AD LDS or a third-party LDAP-based directory in an AD FS farm. A local claims provider trust object consists of a variety of identifiers, names, and rules that identify this LDAP-based directory to the local Federation Service.
Federation metadata | The data format for communicating configuration information between a claims provider and a relying party to facilitate proper configuration of claims provider trusts and relying party trusts. The data format is defined in Security Assertion Markup Language (SAML) 2.0, and it is extended in WS-Federation. A federation server publishes its own metadata (entity identifier, token-signing and encryption certificates, and endpoints) at the path /FederationMetadata/2007-06/FederationMetadata.xml; because a partner's metadata names the certificate whose signatures you will trust, verify it out of band before importing it.
Federation server | A Windows Server that has been configured using the AD FS Federation Server Configuration Wizard to act in the federation server role. A federation server issues tokens and serves as part of a Federation Service.
Federation server proxy | A Windows Server that has been configured using the AD FS Federation Server Proxy Configuration Wizard to act as an intermediary proxy service between an Internet client and a Federation Service that is located behind a firewall on a corporate network. On Windows Server 2012 R2 and later, this function is provided by the Web Application Proxy role service.
Primary federation server | A Windows Server that has been configured in the federation server role using the AD FS Federation Server Configuration Wizard and that holds the read/write copy of the AD FS configuration database.<br><br>The primary federation server is created when you use the AD FS Federation Server Configuration Wizard and select the option to create a new Federation Service and make that computer the first federation server in the farm. All other federation servers in the farm replicate changes made on the primary federation server to a read-only copy of the AD FS configuration database that is stored locally. The term "primary federation server" does not apply when the AD FS configuration database is stored in SQL Server, because all federation servers can equally read and write a configuration database stored on a SQL Server.
Relying party | The organization that receives and processes claims. See resource partner organization.
Relying party trust | In the AD FS Management snap-in, relying party trusts are trust objects typically created in:<br>- Account partner organizations, to represent the organization in the trust relationship whose accounts will be accessing resources in the resource partner organization.<br>- Resource partner organizations, to represent the trust between the Federation Service and a single Web-based application.<br><br>A relying party trust object consists of a variety of identifiers, names, and rules that identify this partner or Web application to the local Federation Service.
Resource federation server | The federation server in the resource partner organization. The resource federation server typically issues security tokens to users based on a security token that is issued by an account federation server. The server receives the security token, verifies the signature, applies claim rule logic to the unpacked claims to produce the desired outgoing claims, generates a new security token (with the outgoing claims) based on information in the incoming security token, and signs the new token to return to the user and ultimately to the Web application.
Resource partner organization | A federation partner organization that is represented by a relying party trust in the Federation Service. The resource partner organization publishes the Web-based applications that users in the account partner can access, and its federation server issues the claims-based security tokens that those users present to the applications.
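The federation metadata format described in the table, parsed and checked the way an administrator should before creating a claims provider trust for a partner. This is an added example, not code from the page or from AD FS. The metadata document, the entity identifier http://fs.contoso.com/adfs/services/trust and the certificate contents are constructed: the base64 blobs are placeholder bytes, not real DER certificates, so the thumbprints they produce belong to no real certificate. The check compares the signing certificate thumbprint (SHA-1 over the DER bytes, the value the AD FS console and certlm.msc display) against a value the partner supplied out of band, and refuses endpoints that are not HTTPS.

```python
"""Parse WS-Federation / SAML 2.0 federation metadata and check a partner's
token-signing certificate against a thumbprint pinned out of band.
Added example, not AD FS code or page code. SAMPLE_METADATA is a constructed
document; its <X509Certificate> contents are placeholder bytes, not real DER
certificates, so the thumbprints computed here belong to no real certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata fetched from a partner

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed placeholders standing in for base64-encoded DER certificates.
SIGNING_CERT_B64 = base64.b64encode(b"constructed-contoso-token-signing-cert").decode()
ENCRYPTION_CERT_B64 = base64.b64encode(b"constructed-contoso-token-encryption-cert").decode()
CONTOSO_ENTITY_ID = "http://fs.contoso.com/adfs/services/trust"  # constructed partner identifier

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="{CONTOSO_ENTITY_ID}">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{SIGNING_CERT_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{ENCRYPTION_CERT_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://fs.contoso.com/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{SIGNING_CERT_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fs.contoso.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(cert_b64):
    """SHA-1 over the DER bytes: the thumbprint the AD FS console and certlm.msc show."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def parse_federation_metadata(xml_text):
    """Extract entityID, signing/encryption thumbprints and endpoints from an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a SAML 2.0 EntityDescriptor, got %s" % root.tag)
    info = {"entity_id": root.get("entityID"), "signing": set(), "encryption": set(), "endpoints": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")  # no 'use' attribute means the key serves both purposes
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            tp = thumbprint(cert.text or "")
            if use in (None, "signing"):
                info["signing"].add(tp)
            if use in (None, "encryption"):
                info["encryption"].add(tp)
    for addr in root.iterfind(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS):
        info["endpoints"].append(("ws-federation", (addr.text or "").strip()))
    for sso in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        info["endpoints"].append((sso.get("Binding"), sso.get("Location") or ""))
    return info


def verify_partner(xml_text, expected_entity_id, pinned_signing_thumbprints):
    """Return the reasons not to create the trust; an empty list means the metadata is acceptable."""
    info = parse_federation_metadata(xml_text)
    issues = []
    if info["entity_id"] != expected_entity_id:
        issues.append("entityID %r does not match the agreed %r" % (info["entity_id"], expected_entity_id))
    if not info["signing"]:
        issues.append("metadata carries no token-signing certificate")
    elif not info["signing"] & set(pinned_signing_thumbprints):
        issues.append("no signing certificate matches a pinned thumbprint: %s" % sorted(info["signing"]))
    for binding, url in info["endpoints"]:
        if not url.lower().startswith("https://"):
            issues.append("%s endpoint %s is not HTTPS" % (binding, url))
    return issues


if __name__ == "__main__":
    pinned = {thumbprint(SIGNING_CERT_B64)}  # the value the partner confirmed out of band
    print(verify_partner(SAMPLE_METADATA, CONTOSO_ENTITY_ID, pinned) or "metadata acceptable")
```

For production use, fetch the partner's metadata over HTTPS, parse it with defusedxml, and treat a thumbprint mismatch as a reason to stop and call the partner rather than something to override, since whoever holds that signing key can mint tokens your Federation Service will accept.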

Overview of AD FS

AD FS is an identity access solution that provides client computers (internal or external to your network) with seamless SSO access to protected Internet-facing applications or services, even when the user accounts and applications are located in completely different networks or organizations.

When an application or service is in one network and a user account is in another network, the user is typically prompted for secondary credentials when attempting to access the application or service. These secondary credentials represent the user's identity in the realm where the application or service resides. They are usually required by the Web server that hosts the application or service so that it can make the most appropriate authorization decision.

With AD FS, organizations can bypass requests for secondary credentials by establishing trust relationships (federation trusts) that they can use to project a user's digital identity and access rights to trusted partners. In this federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations.
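The token flow that a federation trust enables, as described in the "Account federation server" and "Resource federation server" entries above and in this overview, worked through end to end. This is an added example, not AD FS code and not code from the page. The users, passwords, issuer identifiers (http://fs.contoso.com/adfs/services/trust and http://fs.fabrikam.com/adfs/services/trust), trusts and claim rules are constructed; HMAC-SHA256 with a per-trust shared secret stands in for the X.509 token-signing certificate a real federation server uses (RSA signatures over a SAML or JWT token). What the example shows is the order of checks at the resource side (signature before anything else, then issuer, audience and validity window), the fact that the issuer named in the token is used only to select which trust to verify against, and acceptance rules that drop every claim the partner is not entitled to assert.

```python
"""Token flow between an account federation server (contoso) and a resource
federation server (fabrikam): authenticate and package attributes as signed
claims on one side; verify the signature, apply claim rules and issue a fresh
token for the web application on the other.
Added example, not AD FS code. Users, keys, trusts and rules are constructed.
HMAC-SHA256 with a per-trust shared secret stands in for the X.509
token-signing certificate (RSA over SAML/JWT) a real federation server uses.
"""
import hashlib
import hmac
import json
import time

UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
CONTOSO_ISSUER = "http://fs.contoso.com/adfs/services/trust"    # constructed account partner
FABRIKAM_ISSUER = "http://fs.fabrikam.com/adfs/services/trust"  # constructed resource partner
CONTOSO_KEY = b"constructed-contoso-token-signing-key"
FABRIKAM_KEY = b"constructed-fabrikam-token-signing-key"
ATTRIBUTE_STORE = {"alice@contoso.com": ["CONTOSO\\Sales", "CONTOSO\\Domain Users"]}  # constructed


def sign(payload, key):
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {"body": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def verify(token, key, issuer, audience, now):
    """Signature first, then issuer, audience and validity window; claims are untrusted until this passes."""
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise PermissionError("signature does not verify against the claims provider trust")
    payload = json.loads(token["body"])
    if payload["iss"] != issuer or payload["aud"] != audience:
        raise PermissionError("issuer or audience mismatch")
    if not payload["nbf"] <= now < payload["exp"]:
        raise PermissionError("token outside its validity window")
    return payload


def account_fs_issue(upn, password, audience, now):
    """Account federation server: authenticate, read the attribute store, sign the claims."""
    if password != "constructed-password" or upn not in ATTRIBUTE_STORE:  # stand-in for AD authentication
        raise PermissionError("authentication failed")
    claims = [(UPN, upn)] + [(GROUP, g) for g in ATTRIBUTE_STORE[upn]]
    return sign({"iss": CONTOSO_ISSUER, "aud": audience, "nbf": now, "exp": now + 3600, "claims": claims}, CONTOSO_KEY)


# Claim rules: each maps the incoming claim list to the claims it permits or produces.
def pass_through(claim_type, suffix=None):
    return lambda claims: [(t, v) for t, v in claims if t == claim_type and (suffix is None or v.lower().endswith(suffix))]


def transform(claim_type, mapping):
    return lambda claims: [mapping[v] for t, v in claims if t == claim_type and v in mapping]


CLAIMS_PROVIDER_TRUSTS = {  # keyed by the partner's issuer identifier
    CONTOSO_ISSUER: {"key": CONTOSO_KEY, "acceptance_rules": [
        pass_through(UPN, suffix="@contoso.com"),  # refuse UPNs outside the partner's own suffix
        transform(GROUP, {"CONTOSO\\Sales": (ROLE, "PartnerSales")}),  # every other group is dropped
    ]},
}
RELYING_PARTY_TRUSTS = {"https://app.fabrikam.com/": {"issuance_rules": [pass_through(UPN), pass_through(ROLE)]}}


def resource_fs_issue(token, relying_party, now):
    """Resource federation server: select the trust by issuer, verify, run rules, issue a new token."""
    issuer = json.loads(token["body"]).get("iss")  # unverified: used only to pick the trust to verify against
    trust = CLAIMS_PROVIDER_TRUSTS.get(issuer)
    if trust is None:
        raise PermissionError("no claims provider trust for issuer %r" % issuer)
    payload = verify(token, trust["key"], issuer, FABRIKAM_ISSUER, now)
    accepted = [c for rule in trust["acceptance_rules"] for c in rule(payload["claims"])]
    rp = RELYING_PARTY_TRUSTS.get(relying_party)
    if rp is None:
        raise PermissionError("no relying party trust for %r" % relying_party)
    issued = [c for rule in rp["issuance_rules"] for c in rule(accepted)]
    return sign({"iss": FABRIKAM_ISSUER, "aud": relying_party, "nbf": now, "exp": now + 3600, "claims": issued}, FABRIKAM_KEY)


def claims_of(token):
    return [tuple(c) for c in json.loads(token["body"])["claims"]]


def rejection_reason(token, relying_party, now):
    """None if the resource federation server would issue a token, otherwise why it refused."""
    try:
        resource_fs_issue(token, relying_party, now)
        return None
    except PermissionError as e:
        return str(e)


if __name__ == "__main__":
    now = int(time.time())
    incoming = account_fs_issue("alice@contoso.com", "constructed-password", FABRIKAM_ISSUER, now)
    print(claims_of(resource_fs_issue(incoming, "https://app.fabrikam.com/", now)))
```

The acceptance rules are where a resource partner protects itself from a compromised or careless account partner: a token signed with contoso's key that asserts a fabrikam UPN loses that claim, and a group that no rule maps never reaches the application. The audience check matters for the same reason; the account federation server's token is addressed to the resource Federation Service, and the application only ever sees the token the resource federation server re-issues.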