Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

When to Use an Authorization Claim Rule

You can use this rule in Active Directory Federation Services (AD FS) when you need to take an incoming claim type and then apply an action that determines whether a user is permitted or denied access, based on the value that you specify in the rule. When you use this rule, you pass through or transform claims that match the following rule logic, depending on which of the options you configure in the rule:

Rule option | Rule logic
--- | ---
Permit all users | If incoming claim type equals any claim type and value equals any value, then issue claim with value equals Permit
Permit access to users with this incoming claim | If incoming claim type equals specified claim type and value equals specified claim value, then issue claim with value equals Permit
Deny access to users with this incoming claim | If incoming claim type equals specified claim type and value equals specified claim value, then issue claim with value equals Deny

The following sections provide a basic introduction to claim rules and further details about when to use this rule.

About claim rules

A claim rule represents an instance of business logic that takes an incoming claim, applies a condition to it (if x then y) and produces an outgoing claim based on the condition parameters. The following list outlines important points that you should know about claim rules before you read further in this topic:

  • In the AD FS Management snap-in, claim rules can only be created using claim rule templates.

  • Claim rules process incoming claims either directly from a claims provider (such as Active Directory or another Federation Service) or from the output of the acceptance transform rules on a claims provider trust.

  • Claim rules are processed by the claims issuance engine in order within a given rule set. By setting precedence on rules, you can further refine or filter claims that are generated by previous rules within the same rule set.

  • Claim rule templates always require you to specify an incoming claim type. However, you can process multiple claim values with the same claim type using a single rule.

For more detailed information about claim rules and claim rule sets, see The Role of Claim Rules. For more information about how rules are processed, see The Role of the Claims Engine. For more information about how claim rule sets are processed, see The Role of the Claims Pipeline.

Permit All Users

When you use the Permit All Users rule template, all users have access to the relying party. However, you can use additional authorization rules to further restrict access. If one rule permits a user to access the relying party and another rule denies that user access to the relying party, the deny result overrides the permit result and the user is denied access.

Users who are permitted access to the relying party by the Federation Service may still be denied service by the relying party itself.

Permit access to users with this incoming claim

When you use the Permit or Deny Users Based on an Incoming Claim rule template to create a rule and set the condition to permit, you can permit specific users access to the relying party based on the type and value of an incoming claim. For example, you can use this rule template to create a rule that permits only those users that have a group claim with a value of Domain Admins. If one rule permits a user to access the relying party and another rule denies that user access to the relying party, the deny result overrides the permit result and the user is denied access.

Users who are permitted to access the relying party by the Federation Service may still be denied service by the relying party itself. If you want to permit all users to access the relying party, use the Permit All Users rule template instead.

Deny access to users with this incoming claim

When you use the Permit or Deny Users Based on an Incoming Claim rule template to create a rule and set the condition to deny, you can deny users access to the relying party based on the type and value of an incoming claim. For example, you can use this rule template to create a rule that denies all users that have a group claim with a value of Domain Users.

If you want to use the deny condition yet still enable access to the relying party for specific users, you must explicitly add authorization rules with the permit condition that grant those users access to the relying party.

If a user is denied access while the claims issuance engine processes the rule set, further rule processing stops, and AD FS returns an "Access denied" error for the user's request.

Authorizing users

In AD FS, authorization rules are used to issue a permit or deny claim that determines whether a user or a group of users (depending on the claim type used) is allowed to access Web-based resources in a given relying party. Authorization rules can only be set on relying party trusts.

Authorization rule sets

Different authorization rule sets exist depending on the type of permit or deny operations you need to configure. These rule sets include:

  • Issuance Authorization Rules: These rules determine whether a user can receive claims for a relying party and, therefore, access the relying party.

  • Delegation Authorization Rules: These rules determine whether a user can act as another user to the relying party. When a user is acting as another user, claims about the requesting user are still placed in the token.

  • Impersonation Authorization Rules: These rules determine whether a user can fully impersonate another user to the relying party. Impersonating another user is a very powerful capability, because the relying party will not know that the user is being impersonated.

For more details about how the authorization rule process fits into the claims issuance pipeline, see The Role of the Claims Issuance Engine.

Supported claim types

AD FS defines two claim types that are used to determine whether a user is permitted or denied. The Uniform Resource Identifiers (URIs) of these claim types are as follows:

  1. Permit: http://schemas.microsoft.com/authorization/claims/permit

  2. Deny: http://schemas.microsoft.com/authorization/claims/deny

How to create this rule

You can create both kinds of authorization rule either with the claim rule language or with the Permit All Users rule template or the Permit or Deny Users Based on an Incoming Claim rule template in the AD FS Management snap-in. The Permit All Users rule template does not provide any configuration options. However, the Permit or Deny Users Based on an Incoming Claim rule template provides the following configuration options:

  • Specify a claim rule name

  • Specify an incoming claim type

  • Type an incoming claim value

  • Permit access to users with this incoming claim

  • Deny access to users with this incoming claim

For instructions on how to create rules from these templates, see Create a Rule to Permit All Users or Create a Rule to Permit or Deny Users Based on an Incoming Claim in the AD FS Deployment Guide.

Using the claim rule language

If a claim should be sent only when the claim value matches a custom pattern, you must use a custom rule. For more information, see When to Use a Custom Claim Rule.

Example of how to create an authorization rule based on multiple claims

When using the claim rule language syntax to authorize claims, a claim can also be issued based on the presence of multiple claims in the user's original claim set. The following rule issues an authorization claim only if the user is a member of the group Editors and has authenticated using Windows authentication:

[type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value == "urn:federation:authentication:windows"]
&& [type == "http://schemas.xmlsoap.org/claims/Group", value == "editors"]
=> issue(type = "http://schemas.xmlsoap.org/claims/authZ", value = "Granted");
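To make the rule logic on this page concrete, here is an added Python model (written for this page, not code from AD FS or the original article) of how an issuance authorization rule set is evaluated: the three template rules from the table above, the deny-overrides-permit behaviour, processing stopping at the first deny, and the two-condition "&&" join of the Editors rule (modelled as issuing a permit claim rather than the authZ claim). The Rule class, the authorize function and the two users' claim sets are all constructed for the illustration.

```python
# Added model of this page's authorization rule semantics (not the AD FS engine).
from dataclasses import dataclass

PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
AUTHN = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
WINDOWS = "urn:federation:authentication:windows"
ANY = None  # "any claim type" / "any value", as in the Permit All Users template

@dataclass
class Rule:
    conditions: list   # (type, value) pairs; each must be matched by some incoming claim
    issue: tuple       # (type, value) of the claim issued when every condition matches

    def matches(self, claims):
        # Several conditions model the "&&" join of the claim rule language.
        return all(
            any((t is ANY or t == ct) and (v is ANY or v == cv) for ct, cv in claims)
            for t, v in self.conditions
        )

# The three template rules from the table at the top of the page.
def permit_all_users():
    return Rule([(ANY, ANY)], (PERMIT, "true"))

def permit_with_claim(claim_type, value):
    return Rule([(claim_type, value)], (PERMIT, "true"))

def deny_with_claim(claim_type, value):
    return Rule([(claim_type, value)], (DENY, "true"))

def authorize(rules, claims):
    """Process an issuance authorization rule set in order. A deny claim ends
    processing with "Access denied"; otherwise access needs at least one permit."""
    permitted = False
    for rule in rules:
        if rule.matches(claims):
            if rule.issue[0] == DENY:
                return "Access denied"
            permitted = permitted or rule.issue[0] == PERMIT
    return "Permitted" if permitted else "Access denied"

# Constructed sample claim sets for two hypothetical users (not real directory data).
ALICE = [(GROUP, "Domain Users"), (GROUP, "Editors"), (AUTHN, WINDOWS)]
BOB = [(GROUP, "Domain Users"), (GROUP, "Domain Admins"), (AUTHN, WINDOWS)]
# Deny overrides permit: everyone is permitted, then Domain Users are denied.
DENY_OVERRIDES = [permit_all_users(), deny_with_claim(GROUP, "Domain Users")]
# The multi-claim Editors rule above, issuing a permit claim instead of the authZ claim.
EDITORS_RULE = Rule([(AUTHN, WINDOWS), (GROUP, "Editors")], (PERMIT, "true"))
```

Both sample users are refused by DENY_OVERRIDES even though the first rule permits everyone, while EDITORS_RULE admits only the user carrying both the Windows authentication method claim and the Editors group claim.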

Example of how to create authorization rules that delegate who can create or remove federation server proxy trusts

Before a Federation Service can use a federation server proxy to redirect client requests, a trust must first be established between the Federation Service and the federation server proxy computer. By default, a proxy trust is established when either of the following credentials is provided successfully in the AD FS Federation Server Proxy Configuration Wizard:

  • The service account used by the Federation Service that the proxy will protect

  • An Active Directory domain account that is a member of the local Administrators group on all federation servers in the federation server farm

When you want to specify which user or users can create a proxy trust for a given Federation Service, you can use any of the following delegation methods. The list is in priority order, based on the AD FS product team's recommendation of the most secure and least problematic methods of delegation. You need to use only one of these methods, depending on the needs of your organization:

  1. Create a domain security group in Active Directory (for example, FSProxyTrustCreators), add this group to the local Administrators group on each of the federation servers in the farm, and then add only the user accounts to which you want to delegate this right to the new group. This is the preferred method.

  2. Add the user's domain account to the local Administrators group on each of the federation servers in the farm.

  3. If for some reason you cannot use either of these methods, you can also create an authorization rule for this purpose. This is not recommended, because complications may occur if the rule is written incorrectly, but you can use a custom authorization rule to delegate which Active Directory domain user accounts may create, or even remove, the trusts between all the federation server proxies that are associated with a given Federation Service.

    If you choose method 3, you can use the following rule syntax to issue an authorization claim that allows a specified user (in this case, contoso\frankm) to create trusts for one or more federation server proxies to the Federation Service. You must apply this rule set using the Windows PowerShell command Set-ADFSProperties -AddProxyAuthorizationRules.

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^AD AUTHORITY$", Value == "contoso\frankm"]
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

    exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544", Issuer =~ "^AD AUTHORITY$"])
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^AD AUTHORITY$"]
    => issue(store = "_ProxyCredentialStore", types = ("http://schemas.microsoft.com/authorization/claims/permit"), query = "isProxyTrustManagerSid({0})", param = c.Value);

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid", Issuer =~ "^SELF AUTHORITY$"]
    => issue(store = "_ProxyCredentialStore", types = ("http://schemas.microsoft.com/authorization/claims/permit"), query = "isProxyTrustProvisioned({0})", param = c.Value);

    Later, if you want to remove the user so that the user can no longer create proxy trusts, you can revert to the default proxy trust authorization rule set, which no longer grants that user the right to create proxy trusts for the Federation Service. You must also apply this rule set using the Windows PowerShell command Set-ADFSProperties -AddProxyAuthorizationRules.

    exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544", Issuer =~ "^AD AUTHORITY$"])
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^AD AUTHORITY$"]
    => issue(store = "_ProxyCredentialStore", types = ("http://schemas.microsoft.com/authorization/claims/permit"), query = "isProxyTrustManagerSid({0})", param = c.Value);

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid", Issuer =~ "^SELF AUTHORITY$"]
    => issue(store = "_ProxyCredentialStore", types = ("http://schemas.microsoft.com/authorization/claims/permit"), query = "isProxyTrustProvisioned({0})", param = c.Value);

For more information about how to use the claim rule language, see The Role of the Claim Rule Language.