Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

When to Use a Transform Claim Rule

You can use this rule in Active Directory Federation Services (AD FS) when you need to map an incoming claim type to an outgoing claim type and then apply an action that determines what output should occur, based on the values that originated in the incoming claim. When you use this rule, you pass through or transform the claims that match the rule logic, according to whichever of the options you configure in the rule, as described in the following table.

| Rule option | Rule logic |
|---|---|
| Pass through all incoming claims | If incoming claim type equals the specified claim type and value equals any value, then pass the claim through with outgoing claim type equal to the specified claim type. |
| Replace an incoming claim value with a different outgoing claim value | If incoming claim type equals the specified claim type and value equals the specified claim value, then transform the claim with the new outgoing claim value set to the specified claim value and the outgoing claim type set to the specified claim type. |
| Replace incoming e-mail suffix claims with a new e-mail suffix | If incoming claim type equals the specified claim type and value has any suffix value, then transform the claim with the new outgoing claim value set to the specified suffix value and the outgoing claim type set to the specified claim type. |

The following sections provide a basic introduction to claim rules and further details about when to use this rule.

About claim rules

A claim rule represents an instance of business logic that takes an incoming claim, applies a condition to it (if x then y), and produces an outgoing claim based on the condition parameters. The following list outlines important points that you should know about claim rules before you read further in this topic:

  • In the AD FS Management snap-in, claim rules can only be created using claim rule templates.

  • Claim rules process incoming claims either directly from a claims provider (such as Active Directory or another Federation Service) or from the output of the acceptance transform rules on a claims provider trust.

  • Claim rules are processed by the claims issuance engine in chronological order within a given rule set. By setting precedence on rules, you can further refine or filter claims that are generated by previous rules within a given rule set.

  • Claim rule templates always require you to specify an incoming claim type. However, you can process multiple claim values with the same claim type using a single rule.

For more detailed information about claim rules and claim rule sets, see The Role of Claim Rules. For more information about how rules are processed, see The Role of the Claims Engine. For more information about how claim rule sets are processed, see The Role of the Claims Pipeline.

Pass through all claim values

When you use this action, all incoming claim values that are keyed to a specified incoming claim type are mapped to a specified outgoing claim type before they are sent as outgoing claims in tokens that are signed by your Federation Service.

For example, when a rule is set with the Pass through all claim values option and the incoming claim type of Group and the outgoing claim type of Role are specified, all incoming claim values that flow in from the issuer are copied individually into new outgoing claims with the claim type of Role.

Transforming a claim

In AD FS, the term claims transformation means replacing one incoming claim value with a different outgoing claim value. The Transform an Incoming Claim rule is what makes this possible. Within the properties of this rule, you can set conditions that transform incoming values into a different outgoing claim value based on the specified incoming claim type.

For example, as shown in the following illustration, when a rule is set with the condition to replace an incoming value with a different outgoing claim value, all incoming claim types of Group are mapped to new outgoing claim types of Role. In this case, the incoming claim value of Purchaser is replaced with the new outgoing claim value of Admin.

[Illustration: using a transform rule]

You can also use this rule to apply a condition that replaces all incoming claims that have a specified e-mail suffix value with a new value. For example, you could set a condition in this rule to change all claim values with the suffix sales.corp.fabrikam.com to fabrikam.com.

Configuring this rule on a claims provider trust

When you use a claims provider trust, this rule can be configured to transform incoming claims from the claims provider into trustworthy equivalents. Claim types or claim values can have a different meaning in your organization than in the claims provider's organization. You can use this rule to normalize the claim types and values that come from the claims provider so that their outgoing claim equivalents can be understood by the relying party.

Configuring this rule on a relying party trust

When you use a relying party trust, this rule can be configured to transform claims for that specific relying party. Claim types or claim values might have a different meaning for a specific relying party, and this rule makes it possible for you to change the outgoing claim types and values for a single relying party.

How to create this rule

You create this rule either with the claim rule language or with the Transform an Incoming Claim rule template in the AD FS Management snap-in. This rule template provides the following configuration options:

  • Specify a claim rule name

  • Transform a specific incoming claim type to a specified outgoing claim type

  • Pass through all claim values

  • Replace an incoming claim value with a different outgoing claim value

  • Replace incoming e-mail suffix claims with a new e-mail suffix

For instructions on how to create a rule from this template, see Create a Rule to Transform an Incoming Claim in the AD FS Deployment Guide.

Using the claim rule language

If the outgoing claim must be constructed from the content of more than one incoming claim, you must use a custom rule instead. If the claim value of the outgoing claim must be based on the value of the incoming claim, but with additional content, you must also use a custom rule in that context. For more information, see When to Use a Custom Claim Rule.

Examples of how to construct transform rule syntax

When you use the claim rule language syntax to transform claims, you can set a property of the transformed claim to a new literal value. For example, the following rule changes the value of role claims from "Administrators" to "root" while keeping the same claim type:

c:[type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", value == "Administrators"] => issue(type = c.type, value = "root");

Regular expressions can also be used for claim transformations. For example, the following rule sets the domain in Windows user name claims in DOMAIN\USER format to FABRIKAM:

c:[type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] => issue(type = c.type, value = regexreplace(c.value, "(?<domain>[^\\]+)\\(?<user>.+)", "FABRIKAM\${user}"));  
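The three template options from the table at the top of this topic (pass through all, replace a value, replace an e-mail suffix) and the two claim rule language examples above, modelled as an added Python example so that the difference between passing through and transforming is visible on a concrete claim set. This is not AD FS code and not from this page; it is a simulation of the rule logic the page describes. Assumptions: the GROUP and EMAIL claim type URIs and the sample incoming claims are constructed for the demonstration, the suffix option is modelled as a plain "@suffix" match rather than the exact expression the template generates, and each rule is applied to the original incoming set (in a real rule set, claims issued by an earlier rule are also visible to later rules, as noted under About claim rules).

```python
import re
from dataclasses import dataclass

# Claim type URIs. ROLE and NAME are the ones used on this page; GROUP and EMAIL are
# the usual AD FS URIs for those claim types, assumed here for the sample input.
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


# Constructed sample input: what a claims provider such as Active Directory might send.
SAMPLE_CLAIMS = [
    Claim(GROUP, "Purchaser"),
    Claim(GROUP, "Sales"),
    Claim(EMAIL, "alice@sales.corp.fabrikam.com"),
    Claim(NAME, "CORP\\alice"),
]


def pass_through_all(claims, in_type, out_type):
    """Option 1: every claim of in_type is copied into a new claim of out_type.
    Claims of any other type do not match and are not issued by this rule."""
    return [Claim(out_type, c.value) for c in claims if c.type == in_type]


def replace_value(claims, in_type, in_value, out_type, out_value):
    """Option 2: only claims whose type AND value both match are issued,
    with the value replaced by out_value (Purchaser -> Admin on this page)."""
    return [Claim(out_type, out_value)
            for c in claims if c.type == in_type and c.value == in_value]


def replace_email_suffix(claims, in_type, old_suffix, new_suffix, out_type):
    """Option 3: claims of in_type whose value ends in @old_suffix are re-issued
    with @new_suffix; the local part before '@' is kept (modelled with a suffix
    match, not the template's own expression)."""
    issued = []
    for c in claims:
        if c.type == in_type and c.value.endswith("@" + old_suffix):
            local_part = c.value[: -len(old_suffix)]  # keeps the trailing '@'
            issued.append(Claim(out_type, local_part + new_suffix))
    return issued


# The page's .NET regexreplace pattern, written with Python named groups.
DOMAIN_USER = re.compile(r"(?P<domain>[^\\]+)\\(?P<user>.+)")


def rewrite_domain(claims, new_domain="FABRIKAM"):
    """Custom-rule equivalent of the regexreplace example: the DOMAIN part of a
    DOMAIN\\USER name claim is replaced and the claim type is kept. A value that
    does not match the pattern is issued unchanged, as regexreplace would do."""
    return [Claim(c.type, DOMAIN_USER.sub(lambda m: f"{new_domain}\\{m.group('user')}", c.value))
            for c in claims if c.type == NAME]


def transform_all(claims):
    """Apply each rule to the same incoming set and return the combined outgoing claims."""
    outgoing = []
    outgoing += pass_through_all(claims, GROUP, ROLE)
    outgoing += replace_value(claims, GROUP, "Purchaser", ROLE, "Admin")
    outgoing += replace_email_suffix(claims, EMAIL, "sales.corp.fabrikam.com", "fabrikam.com", EMAIL)
    outgoing += rewrite_domain(claims)
    return outgoing


if __name__ == "__main__":
    for c in transform_all(SAMPLE_CLAIMS):
        print(f"{c.type.rsplit('/', 1)[-1]:<13} {c.value}")
```

Running the script shows that the pass-through rule issues two Role claims, the replace-value rule issues exactly one (Admin), the Sales group has no match under that rule, and the name claim keeps its type while only the domain part changes.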

Best practices for creating custom rules

Claims transformations can be applied selectively to claims chosen with basic filtering capabilities. Each of the claim properties used for filtering can be assigned values, with the following caveats:

| Claim property | Description |
|---|---|
| Type, Value, ValueType | These properties are the ones most frequently used for assignments. At the very least, Type and Value must be specified for the resulting transformed claim. |
| Issuer | While the claim rule language allows setting the Issuer of a claim, this is generally not advisable. The issuer of a claim is not serialized in the token. When a token is received, the Issuer property of all claims is set to the identifier of the federation server that signed the token. Thus, setting the issuer of a claim in the rules has no effect on the contents of the token, and the setting is lost once the claim is packaged in a token. The only scenario where setting the issuer of a claim makes sense is if it is set to a specific value in the claims provider rule set and the relying party rule set is authored with rules that reference this specific value. If the Issuer property is not explicitly set to a value in a claim rule, the claims issuance engine sets it to "LOCAL AUTHORITY". |
| OriginalIssuer | Similarly to Issuer, OriginalIssuer should generally not be explicitly assigned a value. Unlike Issuer, the OriginalIssuer property is serialized in the token, but the expectation of token consumers is that, if set, it contains the identifier of the federation server that originally issued the claim. |
| Properties | As outlined in the previous section, the Property bag of a claim is not persisted in the token, so assignments to properties should only be done if subsequent local policies are going to reference the information stored in the property. |
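The Issuer, OriginalIssuer and Properties caveats from the table, shown as an added Python model (not AD FS code and not from this page) of what survives packaging into a token and what a token consumer sees afterwards. The token format is modelled as JSON purely for illustration; an AD FS token is a signed assertion, and the signing server identifier, the claim and its property bag are all constructed values.

```python
import json
from dataclasses import dataclass, field

LOCAL_AUTHORITY = "LOCAL AUTHORITY"   # default the issuance engine applies (from the table)
# Constructed identifier for the federation server that signs the token (assumption).
SIGNING_STS = "http://sts.fabrikam.example/adfs/services/trust"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


@dataclass
class Claim:
    type: str
    value: str
    issuer: str = LOCAL_AUTHORITY
    original_issuer: str = LOCAL_AUTHORITY
    properties: dict = field(default_factory=dict)


def package_token(claims, signer):
    """Model of packaging claims into a signed token: Type, Value and OriginalIssuer
    are persisted; Issuer and the Property bag are not, as the table states."""
    body = {
        "signer": signer,
        "claims": [
            {"type": c.type, "value": c.value, "originalIssuer": c.original_issuer}
            for c in claims
        ],
    }
    return json.dumps(body)


def receive_token(token):
    """Model of the receiving side: every claim's Issuer becomes the identifier of the
    federation server that signed the token, whatever a rule assigned earlier."""
    body = json.loads(token)
    return [
        Claim(type=c["type"], value=c["value"], issuer=body["signer"],
              original_issuer=c["originalIssuer"])
        for c in body["claims"]
    ]


def roundtrip(claim, signer=SIGNING_STS):
    """Return a single claim as a token consumer would see it after signing and receipt."""
    return receive_token(package_token([claim], signer))[0]


if __name__ == "__main__":
    # Constructed claim whose Issuer and Properties were set in a rule.
    issued = Claim(ROLE, "Admin", issuer="urn:my-custom-issuer",
                   properties={"source": "group-to-role rule"})
    seen = roundtrip(issued)
    print(seen.issuer)      # the signer's identifier, not urn:my-custom-issuer
    print(seen.properties)  # {} : the property bag was not persisted
```

The point for a defender is that a relying party cannot trust an Issuer value set in a rule; the only issuer attribution that survives is the signature on the token, so policy that keys on provenance should reference the signer or a deliberately set OriginalIssuer, not a rule-assigned Issuer.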

For more information about how to use the claim rule language, see The Role of the Claim Rule Language.