Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

When to Use a Custom Claim Rule

You write a custom claim rule in Active Directory Federation Services (AD FS) using the claim rule language, which is the framework that the claims issuance engine uses to programmatically generate, transform, pass through, and filter claims. By using a custom rule, you can create rules with more complex logic than a standard rule template allows. Consider using a custom rule when you want to:

  • Send claims based on values that are extracted from a Structured Query Language (SQL) attribute store.

  • Send claims based on values that are extracted from a Lightweight Directory Access Protocol (LDAP) attribute store using a custom LDAP filter.

  • Send claims based on values that are extracted from a custom attribute store.

  • Send claims only when two or more incoming claims are present.

  • Send claims only when an incoming claim value matches a complex pattern.

  • Send claims with complex changes to an incoming claim value.

  • Create claims for use only in later rules, without actually sending the claims.

  • Construct an outgoing claim from the content of more than one incoming claim.

You can also use a custom rule when the claim value of the outgoing claim must be based on the value of the incoming claim but must also include additional content.

The claim rule language is rule based. Each rule has a condition part and an execution part. You can use the claim rule language syntax to enumerate, add, delete, or modify claims to meet the needs of your organization. For more information about how each of these parts works, see The Role of the Claim Rule Language.

The following sections provide a basic introduction to claim rules. They also provide details about when to use a custom claim rule.

About claim rules

A claim rule represents an instance of business logic that takes an incoming claim, applies a condition to it (if x, then y), and produces an outgoing claim based on the condition parameters.

Important

  • In the AD FS Management snap-in, claim rules can be created only by using claim rule templates.
  • Claim rules process incoming claims either directly from a claims provider (such as Active Directory or another Federation Service) or from the output of the acceptance transform rules on a claims provider trust.
  • Claim rules are processed by the claims issuance engine in order, from the first rule to the last, within a given rule set. By setting the order (precedence) of the rules, you can further refine or filter claims that were generated by earlier rules in the same rule set.
  • Claim rule templates always require you to specify an incoming claim type. However, you can process multiple claim values that share the same claim type by using a single rule.

For more detailed information about claim rules and claim rule sets, see The Role of Claim Rules. For more information about how rules are processed, see The Role of the Claims Engine. For more information about how claim rule sets are processed, see The Role of the Claims Pipeline.

How to create this rule

You create this rule by first authoring the syntax that you need for your operation in the claim rule language, and then pasting the result into the text box provided by the Send Claims Using a Custom Rule template on the properties of either a claims provider trust or a relying party trust in the AD FS Management snap-in.

This rule template provides the following options:

  • Specify a claim rule name

  • Type one or more optional conditions and an issuance statement using the AD FS claim rule language

For more instructions on creating a custom rule using this template, see Create a Rule to Send Claims Using a Custom Rule in the AD FS Deployment Guide.

For a better understanding of how the claim rule language works, view the claim rule language syntax of rules that already exist in the snap-in by clicking the View Rule Language tab in the properties for that rule. The information in this section, combined with the syntax shown on that tab, gives you a starting point for constructing your own custom rules.

For more information about how to use the claim rule language, see The Role of the Claim Rule Language.

Using the claim rule language

Example: How to combine first and last names based on a user's name attribute values

The following rule syntax combines first and last names from attribute values in a given attribute store. The policy engine forms a cartesian product of the matches for each condition, so multi-valued attributes multiply the number of claims issued. For example, the output for first names {"Frank", "Alan"} and last names {"Miller", "Shen"} is {"Frank Miller", "Frank Shen", "Alan Miller", "Alan Shen"}:

c1:[type == "http://exampleschema/firstname"]
&& c2:[type == "http://exampleschema/lastname"]
=> issue(type = "http://exampleschema/name", value = c1.value + " " + c2.value);

Example: How to issue a manager claim based on whether users have direct reports

The following pair of rules issues a manager claim only if the user has direct reports. The first rule uses add rather than issue, so the Reports claims that it retrieves from the attribute store named "SQL Store" stay in the pipeline for the second rule but are never sent to the relying party. The {0} placeholder in the query is filled, in order, from the rule's param arguments:

c:[type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
=> add(store = "SQL Store", types = ("http://schemas.xmlsoap.org/claims/Reports"), query = "SELECT Reports FROM dbo.DirectReports WHERE UserName = {0}", param = c.value);
count([type == "http://schemas.xmlsoap.org/claims/Reports"]) > 0
=> issue(type = "http://schemas.xmlsoap.org/claims/ismanager", value = "true");
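To make the semantics behind both examples above concrete, here is a small Python model of how a rule set is evaluated: each rule matches its conditions against the claims currently in the pipeline, forms the cartesian product of the matches, and runs its execution part once per combination; issue puts claims in the output set and the pipeline, while add puts them in the pipeline only, where a later rule (here a count check) can see them. This is an added illustration, not AD FS code: the Rule and Claim classes, the type_is and count_of helpers, and the DIRECT_REPORTS table (a constructed stand-in for the "SQL Store" query) are all assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterable, List, Sequence, Tuple

# Claim types from the two examples on this page.
FIRST = "http://exampleschema/firstname"
LAST = "http://exampleschema/lastname"
NAME = "http://exampleschema/name"
WSNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
REPORTS = "http://schemas.xmlsoap.org/claims/Reports"
ISMANAGER = "http://schemas.xmlsoap.org/claims/ismanager"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


@dataclass
class Rule:
    """Hypothetical representation of one claim rule (not the real parser)."""
    # Condition part: one predicate per c1:[...], c2:[...] clause.
    conditions: Sequence[Callable[[Claim], bool]]
    # Execution part: maps the matched claims (c1, c2, ...) to claims to emit.
    action: Callable[[Tuple[Claim, ...]], Iterable[Claim]]
    # "issue" -> output set AND pipeline; "add" -> pipeline only.
    verb: str = "issue"
    # Optional aggregate condition over the whole pipeline, e.g. count([...]) > 0.
    guard: Callable[[List[Claim]], bool] = lambda pipeline: True


def evaluate(rule_set: Sequence[Rule], incoming: Iterable[Claim]) -> List[Claim]:
    """Run a rule set in order over the incoming claims (simplified model)."""
    pipeline = list(incoming)          # claims visible to later rules
    output: List[Claim] = []           # claims sent to the relying party
    for rule in rule_set:
        if not rule.guard(pipeline):
            continue
        matches = [[c for c in pipeline if cond(c)] for cond in rule.conditions]
        # Cartesian product of the matches; a rule with no per-claim
        # conditions fires exactly once (product() of nothing is one empty tuple).
        for combo in product(*matches):
            for claim in rule.action(combo):
                pipeline.append(claim)
                if rule.verb == "issue":
                    output.append(claim)
    return output


def type_is(claim_type: str) -> Callable[[Claim], bool]:
    return lambda c: c.type == claim_type


def count_of(claim_type: str, pipeline: List[Claim]) -> int:
    return sum(1 for c in pipeline if c.type == claim_type)


def combine_names(firsts: Sequence[str], lasts: Sequence[str]) -> List[str]:
    """First example: c1:[firstname] && c2:[lastname] => issue(name)."""
    rule = Rule(
        conditions=[type_is(FIRST), type_is(LAST)],
        action=lambda m: [Claim(NAME, m[0].value + " " + m[1].value)],
    )
    incoming = [Claim(FIRST, f) for f in firsts] + [Claim(LAST, l) for l in lasts]
    return [c.value for c in evaluate([rule], incoming)]


# Constructed stand-in for "SELECT Reports FROM dbo.DirectReports WHERE UserName = {0}".
DIRECT_REPORTS = {"alice": ["bob", "carol"], "bob": []}


def manager_claims(user: str, rules_in_order: bool = True) -> List[Claim]:
    """Second example: add() the Reports rows, then issue ismanager if count > 0."""
    reports_rule = Rule(
        conditions=[type_is(WSNAME)],
        action=lambda m: [Claim(REPORTS, r) for r in DIRECT_REPORTS.get(m[0].value, [])],
        verb="add",  # stays in the pipeline, never sent to the relying party
    )
    manager_rule = Rule(
        conditions=[],
        guard=lambda p: count_of(REPORTS, p) > 0,
        action=lambda m: [Claim(ISMANAGER, "true")],
    )
    rule_set = [reports_rule, manager_rule] if rules_in_order else [manager_rule, reports_rule]
    return evaluate(rule_set, [Claim(WSNAME, user)])
```

Two points the model makes visible: the Reports claims never appear in the output of manager_claims even though the manager rule depends on them, and swapping the two rules (rules_in_order=False) yields no manager claim at all, because a rule only sees claims produced by rules above it in the set.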

Example: How to issue a PPID claim based on an LDAP attribute

The following rule issues a Private Personal Identifier (PPID) claim from the incoming windowsaccountname claim (sourced from the Active Directory LDAP attribute store) and its OriginalIssuer, passing both through the built-in _OpaqueIdStore. Including the original issuer in the query input ties the identifier to both the account and the issuer it came from:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "_OpaqueIdStore", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);

Common attributes that can be used to uniquely identify the user for this query include the following:

  • user SID

  • windowsaccountname

  • samaccountname