The overall function of the Federation Service in Active Directory Federation Services (AD FS) is to issue a token that contains a set of claims. Which claims AD FS accepts, and which claims it issues, is governed by claim rules.
What are claim rules?
A claim rule represents an instance of a business rule that takes one or more incoming claims, applies conditions to them (if x then y), and produces one or more outgoing claims based on the condition parameters. For more information about incoming and outgoing claims, see The Role of Claims.
You use claim rules when you need to implement business logic that will control the flow of claims through the claims pipeline. While the claims pipeline is more a logical concept of the end-to-end process for flowing claims, claim rules are an actual administrative element that you can use to customize the flow of claims through the claims issuance process.
For more information about the claims pipeline, see The Role of the Claims Engine.
Claim rules provide the following benefits:
Provide a mechanism for administrators to apply business logic at run time to decide which claims issued by a claims provider are trusted.
Provide a mechanism for administrators to define which claims are issued to a relying party.
Provide rich, fine-grained claims-based authorization for administrators who want to permit or deny specific users access.
How claim rules are processed
Claim rules are processed through the claims pipeline by the claims engine. The claims engine is a logical component of the Federation Service that examines the set of incoming claims presented by a user and then produces a set of outgoing claims according to the logic in each rule.
Together, the claim rule engine and the set of claim rules associated with a given federation trust determine whether incoming claims are passed through unchanged, filtered to match specific conditions, or transformed into an entirely new set of claims before the Federation Service issues them as outgoing claims.
For more information about this process, see The Role of the Claims Engine.
What are claim rule templates?
AD FS includes a set of predefined claim rule templates that help you select and create the claim rules best suited to your particular business needs. Claim rule templates are used only during the claim rule creation process.
In the AD FS Management console, rules can be created only from a claim rule template. After you use the snap-in to select a claim rule template, enter the data the rule logic needs, and save it to the configuration database, it is (from that point forward) referred to in the UI as a claim rule.
How claim rule templates work
At first glance, claim rule templates appear to be just input forms provided by the snap-in to collect data and process specific logic on incoming claims. At a more detailed level, however, each claim rule template stores the claim rule language skeleton needed to build the basic logic of a rule, so that you can create rules quickly without a detailed understanding of the language.
Each template provided in the user interface (UI) represents prepopulated claim rule language syntax based on the most commonly required administrative tasks. There is one exception: the custom rule template. When you use this template, no syntax is prepopulated. Instead, you must author the claim rule language syntax directly in the body of the custom rule template form.
For more information about how to use the claim rule language syntax, see The Role of the Claim Rule Language in the AD FS Deployment Guide.
Tip
You can view the claim rule language associated with a rule at any time by clicking the View Rule Language button on the properties of a claim rule.
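As an added example (not from the original page), the text below is the kind of claim rule language that the View Rule Language button exposes: one rule as the Send LDAP Attributes as Claims template generates it, and one custom rule that no template can express, followed by the Windows PowerShell commands that read the same text back from the configuration database. The trust name Claims-Aware App, the UPN suffix corp.example.com and the group SID are placeholders.

```powershell
# Added example, not from the original page. Assumptions (placeholders): a relying party trust
# named "Claims-Aware App", the UPN suffix corp.example.com, and a group SID ending in -1105
# for the application's access group.

# A rule as the "Send LDAP Attributes as Claims" template generates it. The @RuleTemplate tag
# records which template produced it; @RuleName is the display name shown in the snap-in.
$templateRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email address as a claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# A custom rule: two conditions joined with &&, a case-insensitive regular-expression match on
# the UPN suffix, and a role claim issued only when both hold. There is no @RuleTemplate tag
# because the syntax was authored by hand.
$customRule = @'
@RuleName = "Corporate users in the app group get the AppUser role"
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@corp\.example\.com$"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1234567890-1234567890-1234567890-1105"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role", Value = "AppUser");
'@

# Store both rules as the issuance transform rule set of the trust. The set is a single string
# in which every rule ends with a semicolon.
Set-AdfsRelyingPartyTrust -TargetName "Claims-Aware App" -IssuanceTransformRules ($templateRule + "`r`n" + $customRule)

# Read the rule language back. This is the same text the View Rule Language button displays;
# the configuration database stores this text, not the template's form fields.
$trust = Get-AdfsRelyingPartyTrust -Name "Claims-Aware App"
$trust.IssuanceTransformRules

# List the rule names, which helps when reviewing a trust that carries many rules.
[regex]::Matches($trust.IssuanceTransformRules, '@RuleName\s*=\s*"([^"]+)"') |
    ForEach-Object { $_.Groups[1].Value }
```

Reviewing the stored rule language rather than the template form is the reliable way to see what a trust actually does, because a rule edited through PowerShell keeps no template form behind it.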
How to create a claim rule
Claim rules are created separately for each federation trust relationship in the Federation Service and are not shared across multiple trusts. You can create a rule from a claim rule template, write it from scratch in the claim rule language, or create and customize it with Windows PowerShell.
All of these options coexist, giving you the flexibility to choose the appropriate method for a given scenario. For more information about how to create claim rules, see Configuring Claim Rules in the AD FS Deployment Guide.
Using claim rule templates
Claim rule templates are used only during the claim rule creation process. You can use any of the following templates to create a claim rule:
Pass Through or Filter an Incoming Claim
Transform an Incoming Claim
Send LDAP Attributes as Claims
Send Group Membership as a Claim
Send Claims Using a Custom Rule
Permit or Deny Users Based on an Incoming Claim
Permit All Users
For a detailed description of each claim rule template, see Determine the Type of Claim Rule Template to Use.
Using the claim rule language
For business rules that go beyond the standard claim rule templates, you can use the custom rule template to express a series of complex logical conditions in the claim rule language. For more information about using custom rules, see When to Use a Custom Claim Rule.
Using Windows PowerShell
You can also use the ADFSClaimRuleSet cmdlet object with Windows PowerShell to create or manage rules in AD FS. For more information about how to use Windows PowerShell with this cmdlet, see AD FS Administration with Windows PowerShell.
What is a claim rule set?
As shown in the following illustration, a claim rule set is a group of one or more rules on a given federation trust that defines how the claim rule engine will process claims. When the Federation Service receives incoming claims, the claim rule engine applies the logic specified in the appropriate claim rule set. It is the combined logic of every rule in the set that determines how claims are issued for a given trust as a whole.
Claim rules are processed by the claims engine in the order in which they appear within a given rule set. This order matters because the output of one rule can be used as the input to the next rule in the set.
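An added example (not from the original page) of why order within a set matters, which also shows the Windows PowerShell route to creating rules mentioned above. Rule 1 uses the add statement, which places a claim in the input set for the rules after it without sending it to the relying party; rule 2 matches only if rule 1 has already run. The trust name, the claim type http://example.com/claims/department, the LDAP attribute department and the UPN suffix are placeholders; the New-AdfsClaimRuleSet cmdlet of the ADFS module is used to parse the rules before they are applied.

```powershell
# Added example, not from the original page. Assumptions (placeholders): a relying party trust
# named "Claims-Aware App", a custom claim type http://example.com/claims/department, an LDAP
# attribute named department on user objects, and the UPN suffix corp.example.com.

# Rule 1 runs first. 'add' puts the department claim into the input set for the rules that
# follow it but does not issue it to the relying party.
$lookupDepartment = @'
@RuleName = "1 - Look up department (intermediate claim, not issued)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://example.com/claims/department"), query = ";department;{0}", param = c.Value);
'@

# Rule 2 consumes rule 1's output. Placed before rule 1, it would run while the department
# claim does not exist yet, and the role would never be issued.
$mapDepartmentToRole = @'
@RuleName = "2 - Map the Finance department to the FinanceUser role"
c:[Type == "http://example.com/claims/department", Value == "Finance"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role", Value = "FinanceUser");
'@

# Rule 3 is independent of the other two: pass the UPN through, filtered to the corporate suffix.
$passUpn = @'
@RuleName = "3 - Pass through corporate UPNs only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@corp\.example\.com$"]
 => issue(claim = c);
'@

# Parse the rules into a claim rule set object before touching the trust, so a syntax error
# surfaces here rather than after the configuration has changed. ClaimRules and
# ClaimRulesString are the properties of the ADFS module's ClaimRuleSet object.
$ruleSet = New-AdfsClaimRuleSet -ClaimRule $lookupDepartment, $mapDepartmentToRole, $passUpn
"Rules in set: {0}" -f $ruleSet.ClaimRules.Count
$ruleSet.ClaimRules | ForEach-Object { $_.Split("`n")[0] }   # first line of each rule: its @RuleName

# Apply the set in this order. The same three rules in a different order are a different
# policy, even though the rule text is identical.
Set-AdfsRelyingPartyTrust -TargetName "Claims-Aware App" -IssuanceTransformRules $ruleSet.ClaimRulesString
```

Because the engine walks the set top to bottom, a rule that depends on an intermediate claim must be placed after the rule that adds it; reviewing a set means reading it in that order, not rule by rule in isolation.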
What are claim rule set types?
Claim rule set types are logical sections of a federation trust that identify whether the claim rule set associated with the trust is used for claim issuance, authorization, or acceptance. Each federation trust can have one or more claim rule set types associated with it, depending on the type of trust.
The following table describes the different types of claim rule sets and how they relate to claims provider trusts and relying party trusts.
Claim rule set type | Description | Used on |
---|---|---|
Acceptance transform rule set | A set of claim rules that you use on a particular claims provider trust to specify the incoming claims that will be accepted from the claims provider organization and the outgoing claims that are passed on to the relying party trust's rule sets. The incoming claims that source this rule set are the claims output by the issuance transform rule set configured in the claims provider organization. By default, the Claims Provider Trusts node contains a claims provider trust named Active Directory, which represents the source attribute store for the acceptance transform rule set. This trust object represents the connection from the Federation Service to the Active Directory database on your network. This default trust processes claims for users authenticated by Active Directory and cannot be deleted. | Claims provider trusts |
Issuance transform rule set | A set of claim rules that you use on a relying party trust to specify the claims that will be issued to the relying party. The incoming claims that source this rule set are initially the claims output by the acceptance transform rule set. | Relying party trusts |
Issuance authorization rule set | A set of claim rules that you use on a relying party trust to specify the users that are permitted to receive a token for the relying party. These rules determine whether a user can receive claims for a relying party and, therefore, access to the relying party. By default, all users are denied access unless you specify issuance authorization rules. | Relying party trusts |
Delegation authorization rule set | A set of claim rules that you use on a relying party trust to specify the users that are permitted to act as delegates for other users to the relying party. These rules determine whether the requester is permitted to impersonate a user while still being identified as the requester in the token sent to the relying party. By default, no users can act as delegates unless you specify delegation authorization rules. | Relying party trusts |
Impersonation authorization rule set | A set of claim rules that you configure using Windows PowerShell to determine whether a user can fully impersonate another user to the relying party. These rules determine whether the requester is permitted to impersonate a user without the requester being identified in the token sent to the relying party. Impersonating another user in this way is a very powerful capability, because the relying party has no way of knowing that the user is being impersonated. | Relying party trusts |
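An added example (not from the original page) that configures each rule set type in the table with Windows PowerShell and then audits the authorization sets across all relying party trusts. The trust names, the UPN suffix corp.example.com and the three group SIDs are placeholders; the permit and deny claim types are the ones AD FS authorization rules use, and a deny claim takes precedence over a permit claim.

```powershell
# Added example, not from the original page. Assumptions (placeholders): a relying party trust
# "Claims-Aware App", the built-in claims provider trust "Active Directory", the UPN suffix
# corp.example.com, and three group SIDs (-1105 app users, -1200 service-desk delegates,
# -1300 a service account group allowed to impersonate).

# Acceptance transform rule set (claims provider trust): which incoming claims the Federation
# Service accepts from this provider. Claims no rule matches are dropped, so the rule sets on
# every relying party trust can only see what is passed here. Replacing the default
# pass-through rules affects all relying parties, so review the current set first.
(Get-AdfsClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
$acceptance = @'
@RuleName = "Accept Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(claim = c);
@RuleName = "Accept UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);
@RuleName = "Accept group SIDs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"] => issue(claim = c);
'@

# Issuance authorization rule set (relying party trust). With no rules, every user is denied.
# The deny rule is a guard rail: deny wins over permit, so even a member of the app group is
# refused a token unless they also carry a corporate UPN.
$issuanceAuthorization = @'
@RuleName = "Deny anyone without a corporate UPN"
NOT EXISTS([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@corp\.example\.com$"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "NoCorporateUpn");
@RuleName = "Permit members of the application access group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1234567890-1234567890-1234567890-1105"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Delegation authorization rule set: who may act on behalf of another user while still being
# identified in the token. An empty set means nobody.
$delegationAuthorization = @'
@RuleName = "Permit the service desk group to act as delegates"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1234567890-1234567890-1234567890-1200"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Impersonation authorization rule set: who may impersonate another user with the requester
# absent from the token. Only configurable from Windows PowerShell; restrict it to one group.
$impersonationAuthorization = @'
@RuleName = "Permit the designated service account group to impersonate"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1234567890-1234567890-1234567890-1300"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules $acceptance
Set-AdfsRelyingPartyTrust -TargetName "Claims-Aware App" `
    -IssuanceAuthorizationRules      $issuanceAuthorization `
    -DelegationAuthorizationRules    $delegationAuthorization `
    -ImpersonationAuthorizationRules $impersonationAuthorization

# Audit: flag every relying party trust that allows impersonation or delegation, or whose
# issuance authorization set contains an unconditional permit (a rule beginning with "=>" has
# no condition, which is what the Permit All Users template produces).
Get-AdfsRelyingPartyTrust | ForEach-Object {
    [pscustomobject]@{
        Name              = $_.Name
        PermitsAllUsers   = [bool]($_.IssuanceAuthorizationRules -match '(?m)^\s*=>\s*issue\(Type = "http://schemas.microsoft.com/authorization/claims/permit"')
        AllowsImpersonate = [bool]$_.ImpersonationAuthorizationRules
        AllowsDelegation  = [bool]$_.DelegationAuthorizationRules
    }
} | Where-Object { $_.PermitsAllUsers -or $_.AllowsImpersonate -or $_.AllowsDelegation } | Format-Table -AutoSize
```

The audit at the end is the check worth running periodically: an impersonation rule set is invisible in the AD FS Management console, and a Permit All Users rule on a trust that was meant to be group-restricted is the most common way a relying party ends up reachable by every authenticated account.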
For more information about selecting the appropriate claim rules to use in your organization, see Determine the Type of Claim Rule Template to Use.