Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

When to Use a Send Group Membership as a Claim Rule

You can use this rule in Active Directory Federation Services (AD FS) when you want to issue a new outgoing claim value only for users who are members of a specified Active Directory security group. When you use this rule, you issue a single claim, only for the group that you specify and only when the incoming claims match the rule logic described in the following table.

Rule option: Outgoing claim value
Rule logic: If the user's group membership equals the specified group and the outgoing claim type equals the specified claim type, then replace the existing group name value with the specified outgoing claim value and issue the claim.

The following sections provide a basic introduction to claim rules. They also provide details about when to use the Send Group Membership as a Claim rule.

About claim rules

A claim rule represents an instance of business logic that takes an incoming claim, applies a condition to it (if x then y), and produces an outgoing claim based on the condition parameters. The following list outlines important points that you should know about claim rules before you read further in this topic:

  • In the AD FS Management snap-in, claim rules can only be created by using claim rule templates.

  • Claim rules process incoming claims either directly from a claims provider (such as Active Directory or another Federation Service) or from the output of the acceptance transform rules on a claims provider trust.

  • Claim rules are processed by the claims issuance engine in order, from first to last, within a given rule set. By setting precedence on rules, you can further refine or filter claims that are generated by earlier rules within the same rule set.

  • Claim rule templates always require you to specify an incoming claim type. However, you can process multiple claim values of the same claim type with a single rule.

For more detailed information about claim rules and claim rule sets, see The Role of Claim Rules. For more information about how rules are processed, see The Role of the Claims Engine. For more information about how claim rule sets are processed, see The Role of the Claims Pipeline.

Outgoing claim value

Using the Send Group Membership as a Claim rule template, you can issue a claim that is contingent on whether a user is a member of a group that you specify.

In other words, this rule template issues a claim only when the user has the group security identifier (SID) that matches the Active Directory group that the administrator specifies. All users who authenticate against Active Directory Domain Services (AD DS) have an incoming group SID claim for each group that they belong to. By default, the acceptance transform rules in the Active Directory claims provider trust pass these group SID claims through. Using these group SIDs as the basis for issuing claims is much faster than looking up the user's groups in AD DS.

When you use this rule, only a single claim is sent, based on the Active Directory group that you select. For example, you can use this rule template to create a rule that sends a group claim with a value of "Admin" if the user is a member of the Domain Admins security group.

Configuring this rule on a claims provider trust

Administrators should use this rule type in the acceptance transform rules of a claims provider trust only when group SIDs are actually being received from that claims provider, which is very uncommon for any claims provider other than Active Directory or AD DS. A rule that matches on a group SID that the provider never sends will simply never issue its claim.

How to create this rule

You create this rule either by writing it in the claim rule language or by using the Send Group Membership as a Claim rule template in the AD FS Management snap-in. This rule template provides the following configuration options:

  • Specify a claim rule name

  • Select a user's group using the object picker

  • Select an outgoing claim type

  • Select an outgoing name ID format (available only when Name ID is chosen in the outgoing claim type field)

  • Specify an outgoing claim value

For more information about how to create this rule, see Create a Rule to Send Group Membership as a Claim.

Using the claim rule language

If you want to issue claims based on an incoming SID other than a group SID, use the Transform an Incoming Claim rule template. If the administrator wants to retrieve the names of all the groups that the user is a member of, use the Send LDAP Attributes as Claims rule template instead, with the tokenGroups attribute.

Example: How to issue group claims based on the user's group membership

The following rule issues a group claim for a user based on an incoming group SID (here the well-known RID 512 of the domain, that is, Domain Admins):

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-397933417-626991126-188441444-512", Issuer == "AD AUTHORITY"]
=> issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "administrators", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
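The same rule can be created and applied from PowerShell instead of the snap-in. The following script is an added example and is not part of the original page or of the AD FS product documentation. It assumes the ActiveDirectory and ADFS modules are installed and that it runs as an administrator on the primary AD FS server; the relying party trust name "Claims App" is hypothetical. It resolves the group SID from the directory rather than hard-coding it, which avoids a silently non-matching rule if the SID string is mistyped, and it appends the new rule to the trust's existing issuance transform rules rather than replacing them.

```powershell
# Added example (not from the original page): build and apply a
# Send Group Membership as a Claim rule with PowerShell.
# Assumptions: ADFS and ActiveDirectory modules are available, the script
# runs as an administrator on the primary AD FS server, and a relying party
# trust named "Claims App" (hypothetical) already exists.
Import-Module ActiveDirectory
Import-Module ADFS

$GroupName = 'Domain Admins'    # group whose members receive the claim
$RpName    = 'Claims App'       # hypothetical relying party trust name
$OutValue  = 'administrators'   # outgoing claim value to issue

# Resolve the SID from AD DS instead of hard-coding it: a typo in a
# hard-coded SID produces a rule that never matches and never issues.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# Claim rule language text, identical in shape to the page's example;
# only the group SID and the outgoing value are substituted.
$Rule = @"
@RuleName = "Send $GroupName membership as a claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$OutValue", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# -IssuanceTransformRules replaces the entire rule set for the trust,
# so read the current rules first and append rather than overwrite.
$Rp       = Get-AdfsRelyingPartyTrust -Name $RpName
$Existing = $Rp.IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules ($Existing + "`r`n" + $Rule)

# Read the rule set back and confirm the resolved SID is present.
$Applied = (Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
if ($Applied -notmatch [regex]::Escape($GroupSid)) {
    throw "Rule for $GroupName ($GroupSid) was not applied to $RpName"
}
Write-Output "Applied group claim rule for $GroupName ($GroupSid) to $RpName"
```

The @RuleName line is optional metadata that the snap-in also emits; it only labels the rule in the UI. Because only one group SID is matched, a user in several administrative groups still receives exactly one "administrators" claim from this rule.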

Additional references

Create a Rule to Send LDAP Attributes as Claims