Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

When to Use a Send LDAP Attributes as Claims Rule

You can use this rule in Active Directory Federation Services (AD FS) when you want to issue outgoing claims that contain actual Lightweight Directory Access Protocol (LDAP) attribute values that exist in an attribute store, and then associate a claim type with each of those LDAP attributes. For more information about attribute stores, see The Role of Attribute Stores.

When you use this rule, you issue a claim for each LDAP attribute that you specify and that matches the rule logic, as described in the following table.

Rule option: Mapping of LDAP attributes to outgoing claim types
Rule logic: If the attribute store equals the specified attribute store and the LDAP attribute equals the specified value, then map the LDAP attribute value to the specified outgoing claim type and issue the claim.

The following sections provide a basic introduction to claim rules. They also provide details about when to use the Send LDAP Attributes as Claims rule.

About claim rules

A claim rule represents an instance of business logic that takes an incoming claim, applies a condition to it (if x then y), and produces an outgoing claim based on the condition parameters. The following list outlines important points that you should know about claim rules before you read further in this topic:

  • In the AD FS Management snap-in, claim rules can only be created by using claim rule templates.

  • Claim rules process incoming claims either directly from a claims provider (such as Active Directory or another Federation Service) or from the output of the acceptance transform rules on a claims provider trust.

  • Claim rules are processed by the claims issuance engine in chronological order within a given rule set. By setting precedence on rules, you can further refine or filter claims that are generated by previous rules within that rule set.

  • Claim rule templates always require you to specify an incoming claim type. However, you can process multiple claim values that share the same claim type by using a single rule.

For more detailed information about claim rules and claim rule sets, see The Role of Claim Rules. For more information about how rules are processed, see The Role of the Claims Engine. For more information about how claim rule sets are processed, see The Role of the Claims Pipeline.

Mapping of LDAP attributes to outgoing claim types

When you use the Send LDAP Attributes as Claims rule template, you can select attributes from an LDAP attribute store, such as Active Directory or Active Directory Domain Services (AD DS), to send their values as claims to the relying party. This essentially maps specific LDAP attributes from an attribute store that you define to a set of outgoing claims that can be used for authorization.

By using this template, you can add multiple attributes, which are sent as multiple claims, from a single rule. For example, you can use this rule template to create a rule that looks up attribute values for authenticated users from the company and department Active Directory attributes and then sends those values as two different outgoing claims.

You can also use this rule to send all of the user's group memberships. If you want to send only individual group memberships, use the Send Group Membership as a Claim rule template. For more information, see When to Use a Send Group Membership as a Claim Rule.

How to create this rule

You can create this rule either by using the claim rule language or by using the Send LDAP Attributes as Claims rule template in the AD FS Management snap-in. This rule template provides the following configuration options:

  • Specify a claim rule name

  • Select an attribute store from which to extract LDAP attributes

  • Mapping of LDAP attributes to outgoing claim types

For more information about how to create this rule, see Create a Rule to Send LDAP Attributes as Claims.

Using the claim rule language

If the query to Active Directory, AD DS, or Active Directory Lightweight Directory Services (AD LDS) must compare against an LDAP attribute other than sAMAccountName, you must use a custom rule instead. If there is no Windows Account Name claim in the input set, you must also use a custom rule to specify the claim to use for querying AD DS or AD LDS.

The following examples are provided to help you understand some of the ways you can construct a custom rule with the claim rule language to query and extract data from an attribute store.

Example: How to query an AD LDS attribute store and return a specified value

Parameters must be separated by a semicolon. The first parameter is the LDAP filter. Subsequent parameters are the attributes to return for any matching objects.

The following example shows how to look up a user by the sAMAccountName attribute and issue an e-mail address claim, using the value of the user's mail attribute:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]  
=> issue(store = "AD LDS", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = "sAMAccountName={0};mail", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"));  

The following example shows how to look up a user by the mail attribute and issue Title and Display Name claims, using the values of the user's title and displayname attributes:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Issuer == "AD AUTHORITY"]
=> issue(store = "AD LDS", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname"), query = "mail={0};title;displayname", param = c.Value);

The following example shows how to look up a user by mail and title and then issue a Display Name claim using the user's displayname attribute:

c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title"]
=> issue(store = "AD LDS", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname"), query = "(&(mail={0})(title={1}));displayname", param = c1.Value, param = c2.Value);

Example: How to query an Active Directory attribute store and return a specified value

The Active Directory query must include the user's name (with the domain name) as the final parameter so that the Active Directory attribute store can query the correct domain. Otherwise, the same syntax is supported.

The following example shows how to look up a user by the sAMAccountName attribute in his or her domain and then return the mail attribute:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]  
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = "sAMAccountName={0};mail;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);  

Example: How to query an Active Directory attribute store based on the value of an incoming claim

c:[Type == "http://test/name"]
   => issue(store = "Enterprise AD Attribute Store",
         types = ("http://test/email"),
         query = ";mail;{0}",
         param = c.Value)

The previous query is made up of the following three parts:

  • The LDAP filter: You specify this part of the query to retrieve the objects for which you want to query the attributes. For general information about valid LDAP filters, see RFC 2254. When you are querying an Active Directory attribute store and you do not specify an LDAP filter, the query samAccountName={0} is assumed, and the Active Directory attribute store expects a parameter that can supply the value for {0}. Otherwise, the query will result in an error. For an LDAP attribute store other than Active Directory, you cannot omit the LDAP filter part of the query, or the query will result in an error.

  • Attribute specification: In this second part of the query, you specify the attributes (comma-separated if you want multiple attribute values) that you want out of the filtered objects. The number of attributes that you specify must match the number of claim types that you define in the query.

  • Active Directory domain: You specify the last part of the query only when the attribute store is Active Directory. (It is not necessary when you query other attribute stores.) This part of the query is used to specify the user account in the form domain\name. The Active Directory attribute store uses the domain part to determine the appropriate domain controller to connect to, run the query, and request the attributes.

Example: How to use two custom rules to extract the manager's e-mail address from an attribute in Active Directory

The following two custom rules, when used together in the order shown below, query Active Directory for the manager attribute of the user account (Rule 1) and then use that attribute to query the manager's user account for the mail attribute (Rule 2). Finally, the mail attribute is issued as a "ManagerEmail" claim. In summary, Rule 1 queries Active Directory and passes the result of the query to Rule 2, which then extracts the manager's e-mail value.

For example, when these rules finish running, a claim is issued that contains the manager's e-mail address for a user in the corp.fabrikam.com domain.

Rule 1

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/ManagerDistinguishedName"), query = "sAMAccountName={0};manager;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

Rule 2

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]  
&& c1:[Type == "http://schemas.xmlsoap.org/claims/ManagerDistinguishedName"]  
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/ManagerEmail"), query = "distinguishedName={0};mail;{1}", param = c1.Value,   
param = regexreplace(c1.Value, ".*DC=(?<domain>.+),DC=corp,DC=fabrikam,DC=com", "${domain}\username"));  

Note

These rules work only if the user's manager is in the same domain as the user (corp.fabrikam.com in this example).
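To make the three-part query structure described earlier (LDAP filter; attribute list; domain\name account) and the Rule 1 / Rule 2 chain concrete, here is an added Python simulation of the attribute-store query step. It is not part of this article and is not AD FS code. It assumes a constructed in-memory directory (DIRECTORY and NETBIOS are made-up data), models the validation rules the text states (the assumed sAMAccountName={0} filter on the Active Directory store, the mandatory filter on other stores, and the attribute-count / claim-type-count match), and for Rule 2 derives the domain to query from the DC= components of the manager's distinguished name (domain_from_dn, an assumed helper) rather than reproducing the page's regexreplace. The filter matcher handles only the attr=value and (&(a=v)(b=v)) shapes that appear on this page.

```python
import re

# Constructed, in-memory stand-in for the attribute stores on this page, keyed by
# DNS domain. These are made-up accounts, not real directory data.
DIRECTORY = {
    "corp.fabrikam.com": [
        {"sAMAccountName": "alice", "mail": "alice@corp.fabrikam.com", "title": "Engineer",
         "displayName": "Alice Adams", "manager": "CN=Bob,OU=Users,DC=corp,DC=fabrikam,DC=com",
         "distinguishedName": "CN=Alice,OU=Users,DC=corp,DC=fabrikam,DC=com"},
        {"sAMAccountName": "bob", "mail": "bob@corp.fabrikam.com", "title": "Manager",
         "displayName": "Bob Brown", "manager": "",
         "distinguishedName": "CN=Bob,OU=Users,DC=corp,DC=fabrikam,DC=com"},
        # Carol's manager is in another domain, which the two-rule chain cannot resolve.
        {"sAMAccountName": "carol", "mail": "carol@corp.fabrikam.com", "title": "Engineer",
         "displayName": "Carol Clark", "manager": "CN=Dan,OU=Users,DC=emea,DC=fabrikam,DC=com",
         "distinguishedName": "CN=Carol,OU=Users,DC=corp,DC=fabrikam,DC=com"},
    ],
}
NETBIOS = {"corp": "corp.fabrikam.com"}  # constructed NetBIOS -> DNS domain mapping
AD_STORE = "Active Directory"
MANAGER_DN = "http://schemas.xmlsoap.org/claims/ManagerDistinguishedName"
MANAGER_EMAIL = "http://schemas.xmlsoap.org/claims/ManagerEmail"


def user_part(windows_account_name):
    """Python form of the page's regexreplace: keep only the user half of domain\\user."""
    return re.sub(r"(?P<domain>[^\\]+)\\(?P<user>.+)", r"\g<user>", windows_account_name)


def domain_from_dn(dn):
    """DNS domain read from the DC= components of a distinguished name (assumed helper)."""
    return ".".join(re.findall(r"DC=([^,]+)", dn)).lower()


def attr(obj, name):
    """Case-insensitive attribute read; LDAP attribute names are not case-sensitive."""
    return next((v for k, v in obj.items() if k.lower() == name.lower()), "")


def parse_query(query, params, store=AD_STORE):
    """Split 'filter;attributes;domain\\name' after substituting each {n} with params[n]."""
    filled = re.sub(r"\{(\d+)\}", lambda m: params[int(m.group(1))], query)
    parts = filled.split(";")
    if store == AD_STORE:
        if len(parts) != 3:
            raise ValueError("Active Directory query must be filter;attributes;domain\\name")
        ldap_filter, attrs, account = parts
        if ldap_filter == "":
            # An omitted filter on the Active Directory store means sAMAccountName={0}; the
            # simulator assumes {0} may arrive as domain\\user and strips the domain part.
            ldap_filter = "sAMAccountName=" + user_part(params[0])
    else:
        if len(parts) < 2 or parts[0] == "":
            raise ValueError("other LDAP stores require an explicit LDAP filter")
        ldap_filter, attrs, account = parts[0], parts[1], None
    return ldap_filter, [a for a in attrs.split(",") if a], account


def run_query(query, params, types, store=AD_STORE):
    """Simulate the store: one {claim type: value} dict per object that matches the filter."""
    ldap_filter, attrs, account = parse_query(query, params, store)
    if len(attrs) != len(types):
        raise ValueError("attribute count %d != claim type count %d" % (len(attrs), len(types)))
    if account is not None:  # Active Directory: the domain half of domain\name picks the domain
        netbios = account.split("\\")[0].lower()
        objects = DIRECTORY.get(NETBIOS.get(netbios, netbios), [])
    else:
        objects = [o for objs in DIRECTORY.values() for o in objs]
    # Handles the two filter shapes on this page: attr=value and (&(a=v)(b=v)).
    terms = re.findall(r"([A-Za-z]+)=([^()]+)", ldap_filter)
    return [{t: attr(o, a) for t, a in zip(types, attrs)}
            for o in objects if all(attr(o, a).lower() == v.lower() for a, v in terms)]


def query_error(query, params, types, store=AD_STORE):
    """Return the validation error a malformed query raises, or None when it is well formed."""
    try:
        run_query(query, params, types, store)
    except ValueError as e:
        return str(e)
    return None


def manager_email_claims(windows_account_name):
    """Rule 1 (add) followed by Rule 2 (issue) from the page, run against the simulated store."""
    user = user_part(windows_account_name)
    # Rule 1: add() places the manager DN in the pipeline; it is not sent to the relying party.
    added = run_query("sAMAccountName={0};manager;{1}", [user, windows_account_name], [MANAGER_DN])
    issued = []
    for claim in added:
        manager_dn = claim[MANAGER_DN]
        if not manager_dn:
            continue
        # Rule 2: only the domain half of {1} matters to the store. Taking it from the manager's
        # DN is the simulator's choice, and it is what makes the same-domain caveat visible.
        account = domain_from_dn(manager_dn) + "\\username"
        issued += run_query("distinguishedName={0};mail;{1}", [manager_dn, account], [MANAGER_EMAIL])
    return issued
```

Calling manager_email_claims("CORP\\alice") returns the ManagerEmail claim for Bob, while "CORP\\carol" returns no claim because her manager's DN points to emea.fabrikam.com, which is exactly the same-domain caveat in the note above. query_error surfaces the three validation failures the text describes: a missing domain part on the Active Directory store, a missing filter on any other store, and an attribute count that does not match the claim type count. run_query with the page's ";mail;{0}" query shows the assumed sAMAccountName={0} filter at work.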

Additional references

Create a Rule to Send LDAP Attributes as Claims