Mapping Claims as Part of Application Authorization

Applies To: Windows Server 2003 R2

Claims that are used by Active Directory Federation Services (ADFS) make it possible for an application in one organization to recognize and authorize users from a different organization or from the Internet. By creating claims to represent users in the account organization, and mapping them to a group that is recognized by the resource, you can enable authorization of users for applications that are protected by ADFS in a federated scenario.

Task requirements

You must meet the following conditions to perform the procedures for this task:

• ADFS must be installed to create at least one federation server in your forest or realm.

• The Active Directory Federation Services snap-in must be running on the federation server.

• Active Directory or Active Directory Application Mode (ADAM) must be available in the account forest or realm.

• You must have a plan for creating claims and mapping them to the appropriate users and groups if you are managing an account Federation Service, or to a set of local claims if you are managing a resource Federation Service.

To complete this task, perform the following procedures on an as-needed basis:

• Map an organization group claim to an Active Directory group (group claim extraction)

• Map an organization group claim to a resource group

• Create an incoming group claim mapping

• Create an incoming custom claim mapping

• Create an outgoing group or custom claim mapping

• Change the organization claim mapping of an outgoing group or custom claim

• Change the organization claim mapping of an incoming group or custom claim

Understanding Claims