It is important to understand claim sets as part of the claims pipeline. When claims come in, they are a part of the incoming claim set. After claims are processed by claim rules,
they become part of the outgoing claim set. An important piece to understand is there is an incoming and outgoing claim set for the Claims Provider Trust and for the Relying Party Trust, so there are two places claims can be processed before leaving AD FS.
Read more about the claims pipeline
If the condition statement is true, the issuance statement will be executed. If the condition statement is false, the engine will move on to the next rule.
Example: Simple Claims Rule Syntax
Condition statements look at all incoming claims and determine if there is one that matches the condition.
The following properties can be queried in an incoming claim:
The format for querying an incoming claim is c:[query], where the variable c represents a claim in the incoming claim set. The query can be more specific and check for more than one property. See some of the examples below to get an idea of how the format works. The two examples below are not complete syntax, as they are missing the issuance statement.
Example: Check for an incoming claim type http://contoso.com/department
There are two types of issuance statements to use.
The ADD issuance statement is used to add additional claims to the incoming claim set so that subsequent claim rules can use them for processing; claims added this way never leave AD FS on their own. The ISSUE issuance statement is used to add claims to the outgoing claim set.
Example: Issue a claim http://contoso.com/department to the outgoing claim set
Another possibility is to have multiple conditions, and if all conditions evaluate to true, run the issuance statement. Each condition is joined using the && special operator. There is not a logical OR operator. To accomplish an OR, create separate claim rules.
Example: Check for an incoming claim type http://contoso.com/role with a value of
separate incoming claim type http://contoso.com/role with a value of Manager. If both are found, issue a claim
http://contoso.com/role with the value of Managing Editor
The values of each individual incoming claim can be accessed and joined using the special operator + in the issuance statement.
Example: Check for an incoming claim type http://contoso.com/location and
separate incoming claim type http://contoso.com/role. If both are found, issue a claim
http://contoso.com/targetedrole combining the values of the incoming roles
Typical claims rules will issue an output claim for each match they find. Aggregate functions will issue or add a single claim regardless of the number of matches. The EXISTS and COUNT functions serve this purpose.
Example: Claims rule without an Aggregate Function
Example: Claim Rule that uses the COUNT Aggregate Function
This claim rule will issue the claim if the user has two or more proxy address claims.
Regular Expressions (regex) can be used in the condition or issuance statements. In a condition statement, regex allows similar matches to evaluate true. In issuance statements, regex allows parts of the string values to be used in the outgoing claim.
Regular Expressions use special characters to perform various tasks inside a string.
Active Directory is the default store created when AD FS 2.0 is installed. SQL attribute stores and LDAP attribute stores can also be defined. The condition statement remains the same, but the issuance statement changes depending on which attribute store
If user data is located in a SQL database, the Claim Rule Language can query the database and generate claims based on the information in the database.
Example: Claim rule using a SQL Attribute Store
If user data is located in an LDAP store, the Claim Rule Language can query it and generate claims based on the information in the store.
Example: Claim rule using an LDAP Attribute Store
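The rule forms described above (a single-condition ISSUE, an ADD into the incoming set, conditions joined with &&, values joined with +, the EXISTS and COUNT aggregates, regex in a condition and in an issuance statement, and a SQL attribute store query) gathered into one issuance transform rule set and applied with PowerShell. This is an added example, not code from the original article; the claim types under http://contoso.com/, the store name ContosoSQL and the trust name "Contoso App" are constructed placeholders.

```powershell
# Added example: one issuance transform rule set for a Relying Party Trust.
# Claim types under http://contoso.com/ and the store/trust names are placeholders.
$rules = @'
@RuleName = "Pass department through unchanged"
c:[Type == "http://contoso.com/department"]
 => issue(claim = c);

@RuleName = "ADD: look up department in AD for later rules (incoming set only, never sent)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://contoso.com/department"), query = ";department;{0}", param = c.Value);

@RuleName = "Two conditions joined with &&, values joined with +"
c1:[Type == "http://contoso.com/location"]
 && c2:[Type == "http://contoso.com/role"]
 => issue(Type = "http://contoso.com/targetedrole", Value = c2.Value + "@" + c1.Value);

@RuleName = "Aggregate EXISTS: one claim no matter how many matches"
exists([Type == "http://contoso.com/proxyaddress"])
 => issue(Type = "http://contoso.com/hasproxyaddress", Value = "true");

@RuleName = "Aggregate COUNT: only when the user has two or more proxy addresses"
count([Type == "http://contoso.com/proxyaddress"]) >= 2
 => issue(Type = "http://contoso.com/multipleproxyaddresses", Value = "true");

@RuleName = "Regex in the condition: only contoso.com mail addresses match"
c:[Type == "http://contoso.com/email", Value =~ "^[^@]+@contoso[.]com$"]
 => issue(Type = "http://contoso.com/isemployee", Value = "true");

@RuleName = "Regex in the issuance statement: keep only the part before @"
c:[Type == "http://contoso.com/email"]
 => issue(Type = "http://contoso.com/mailalias", Value = RegExReplace(c.Value, "@.*$", ""));

@RuleName = "SQL attribute store: {0} is replaced by the param value"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "ContosoSQL", types = ("http://contoso.com/costcenter"), query = "SELECT costcenter FROM users WHERE login = {0}", param = c.Value);
'@

# AD FS 2.0 exposes its cmdlets through a snap-in; newer versions load the ADFS module on demand.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Replace the trust's issuance transform rules with the set above.
Set-AdfsRelyingPartyTrust -TargetName "Contoso App" -IssuanceTransformRules $rules

# Verify: the rule set is stored as a single string on the trust object.
(Get-AdfsRelyingPartyTrust -Name "Contoso App").IssuanceTransformRules
```

Rules run in order, so the claim produced by the ADD rule is visible to later rules in this set but only reaches the relying party if a later rule issues it.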
There are many good articles that supplement the data in this article.
AD FS 2.0 Content Map
When to Use a Custom Claim Rule:
The Role of the Claim Rule Language:
The Role of the Claims Engine: