Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

When to Use a Pass Through or Filter Claim Rule

You can use this rule in Active Directory Federation Services (AD FS) when you need to take a specific incoming claim type and then apply an action that determines what output should occur based on the values in the incoming claim. When you use this rule, you pass through or filter any claims that match the rule logic in the following table, based on the option you configure in the rule.

| Rule option | Rule logic |
| --- | --- |
| Pass through all claim values | If incoming claim type equals specified claim type and value equals any value, then pass the claim through |
| Pass through only a specific claim value | If incoming claim type equals specified claim type and value equals specified claim value, then pass the claim through |
| Pass through only claim values that match a specific e-mail suffix value | If incoming claim type equals specified claim type and value ends with specified suffix value, then pass the claim through |
| Pass through only claim values that start with a specific value | If incoming claim type equals specified claim type and value begins with specified claim value, then pass the claim through |

The following sections provide a basic introduction to claim rules and further details about when to use this rule.

About claim rules

A claim rule represents an instance of business logic that takes an incoming claim, applies a condition to it (if x then y), and produces an outgoing claim based on the condition parameters. The following list outlines important points that you should know about claim rules before you read further in this topic:

  • In the AD FS Management snap-in, claim rules can only be created using claim rule templates.

  • Claim rules process incoming claims either directly from a claims provider (such as Active Directory or another Federation Service) or from the output of the acceptance transform rules on a claims provider trust.

  • Claim rules are processed by the claims issuance engine in chronological order within a given rule set. By setting precedence on rules, you can further refine or filter claims that are generated by previous rules within a given rule set.

  • Claim rule templates always require you to specify an incoming claim type. However, you can process multiple claim values with the same claim type using a single rule.

For more detailed information about claim rules and claim rule sets, see The Role of Claim Rules. For more information about how rules are processed, see The Role of the Claims Engine. For more information about how claim rule sets are processed, see The Role of the Claims Pipeline.

Pass through all claim values

When you use this action, all incoming claim values for the specified claim type are passed through as outgoing claims. For example, when the incoming claim type is specified as the Role claim type, all incoming claim values are copied individually into new outgoing claims with the outgoing claim type of Role.

Filtering a claim

In AD FS, the term claims filtering means filtering or restricting incoming claim values so that only certain values are passed or sent through as outgoing claims. The Pass Through or Filter an Incoming Claim rule template is what makes this possible. Within the properties of this rule, you can set conditions to filter incoming values so that only the values that meet your specified criteria are passed through.

For example, you can use this rule to pass through only claims that match the claim value of Purchaser when the incoming claim type matches the claim type of Role, or you might want to issue only claims about the name of the user, but not claims containing the social security number of the user.

When you use a filter condition with this rule, all incoming claims are examined to determine which claims match the criteria set by the rule. All other claims are ignored, so that only the claim values that match the selected claim type and the specified condition pass through.

For example, as shown in the following illustration, when a rule is set with the condition to filter only incoming claims that are keyed to the UPN claim type and also end with @fabrikam.com, all other incoming claims are ignored unless they meet these criteria. This includes the incoming claim with the claim type of E-Mail Address, even though its claim value ends in @fabrikam.com. In this case, only the claim containing the value Nick@fabrikam.com is sent to the relying party.

[Illustration: Using pass through]

Configuring this rule on a claims provider trust

When you use a claims provider trust, this rule can be configured to pass through only the incoming claims from the claims provider that match certain constraints. For example, you might want to accept only e-mail claims from the claims provider; therefore, you would use this rule template to accept e-mail claim types whose values end in the claims provider's Domain Name System (DNS) name.

Configuring this rule on a relying party trust

When you use a relying party trust, this rule can be configured to pass through or filter the outgoing claims that will be sent to the relying party. Some relying parties might not understand certain claim types, or certain claims might contain sensitive information that should not be sent to certain relying parties. This rule template can help to enforce those policies for a particular relying party trust.

How to create this rule

You create this rule using either the claim rule language or the Pass Through or Filter an Incoming Claim rule template in the AD FS Management snap-in. This rule template provides the following configuration options:

  • Specify a claim rule name

  • Specify an incoming claim type

  • Pass through all claim values

  • Pass through only a specific claim value

  • Pass through only claim values that match a specific e-mail suffix value

  • Pass through only claim values that start with a specific value

For more instructions on how to create this template, see Create a Rule to Pass Through or Filter an Incoming Claim in the AD FS Deployment Guide.

Using the claim rule language

If a claim should be sent only when the claim value matches a custom pattern, you must use a custom rule. For more information, see When to Use a Custom Rule.

Examples of how to construct pass through or filter rule syntax

A simple filtering rule filters claims based on one of the properties outlined above. For example, the following rule will pass through all e-mail claims:

c:[type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(claim = c);

Filters can be logically AND-ed together. For example, the following rule will accept all e-mail claims with the value johndoe@fabrikam.com:

c:[type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", value == "johndoe@fabrikam.com"] => issue(claim = c);

In the above examples the filters always used an equality operator. The claim rule language supports the following operators:

  • == - equals (case-sensitive)

  • != - not equals (case-sensitive)

  • =~ - regular expression match

  • !~ - regular expression non-match

For example, the following rule will accept all e-mail claims that were not issued by the local federation server and that have a suffix of boeing.com:

c:[type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", value =~ "^.*@boeing\.com$", issuer != "LOCAL AUTHORITY"] => issue(claim = c);

Best practices for creating custom rules

A filter can be applied to one or more of the properties of each claim, as described in the following table.

| Claim property | Description |
| --- | --- |
| Type | The claim type (usually represented as a URI) reflects an implicit agreement between partners in a federation about what kind of information is conveyed in the claim. For example, claims of type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress will contain the e-mail address of the user. |
| Value | The value of the claim. For example, a claim of type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress may have a value of johndoe@fabrikam.com. |
| ValueType | The ValueType represents how the information contained in the claim's Value is to be interpreted. Typically the ValueType is set to http://www.w3.org/2001/XMLSchema#string, but the claim value could contain Base64Binary encoded data (for example, an image), a date, a Boolean, and so on. |
| Issuer | The issuer represents the party that last issued the claims about the user. If the claims are obtained at a claims provider federation server, the issuer of all claims is set to "LOCAL AUTHORITY". If the claims were received by a Federation Provider federation server, the issuer of the claims is set to the claims provider identifier of the claims provider that signed the token. Thus, when processing rules on claims received from a claims provider, the issuer of all claims is set to the same value. When authoring rules for a relying party, the issuer property can be used to distinguish between claims originating from different claims providers. |
| OriginalIssuer | This claim property is meant to convey which federation server originally issued the claim. Since the issuer property of a claim is set to the last federation server that signed the token, the original issuer is useful in scenarios where a claim has flowed through more than one federation server (for example, a relying party that receives a token from a federation provider federation server might be interested in which particular claims provider federation server authenticated the user). |
| Properties | In addition to the five properties outlined above, each claim also has a property bag where named properties can be stored. These properties are not serialized in the token and only make sense for passing information between components of the claims issuance pipeline within the scope of a single federation server, for example, setting a property during claims provider rules processing and then referring to it in relying party rules. |
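As an added example that is not part of the original article, the following PowerShell applies the rule syntax shown above to both places the article describes: a claims provider trust (the e-mail suffix filter from the claims provider trust section) and a relying party trust (a Role value filter plus an Issuer filter that uses the claim properties described in the table). The trust names "Fabrikam" and "Contoso App" and the claims provider identifier URL are assumed placeholders, not values from the article.

```powershell
# Added example (not from the original article): apply pass-through/filter rules
# to an AD FS claims provider trust and a relying party trust with the ADFS
# PowerShell module. "Fabrikam", "Contoso App" and the claims provider identifier
# are assumed placeholders; substitute your own trust names and identifiers.
Import-Module ADFS

# Claims provider trust: acceptance transform rules run first. Pass through
# e-mail claims from this provider only when the value ends in the provider's
# DNS suffix (regular-expression match, =~). Claims no rule issues are dropped.
$cpRules = @'
@RuleName = "Accept only fabrikam.com e-mail claims"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
   Value =~ "^.*@fabrikam\.com$"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName "Fabrikam" -AcceptanceTransformRules $cpRules

# Relying party trust: issuance transform rules decide what the application gets.
# Rule 1 forwards the Role claim only when its value is "Purchaser".
# Rule 2 forwards the e-mail claim only if it came from the Fabrikam claims
# provider: on a relying party trust the Issuer property holds that provider's
# identifier, so the same claim type from any other provider is filtered out.
# Any claim no rule issues (for example, a social security number) never reaches
# the application.
$rpRules = @'
@RuleName = "Pass through Purchaser role only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
   Value == "Purchaser"]
 => issue(claim = c);

@RuleName = "Pass through e-mail from Fabrikam only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
   Issuer == "http://fabrikam.example/adfs/services/trust"]
 => issue(claim = c);
'@
Set-AdfsRelyingPartyTrust -TargetName "Contoso App" -IssuanceTransformRules $rpRules

# Read back the rule set to confirm what is now in effect for the application.
(Get-AdfsRelyingPartyTrust -Name "Contoso App").IssuanceTransformRules
```

Setting the rule parameters replaces the whole rule set on the trust, so include every rule the trust needs in the here-string rather than only the new one.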