Managing Claims and Claim Mapping

Applies To: Windows Server 2003 R2

In an Active Directory Federation Services (ADFS) deployment, claims are statements about users that are carried within security tokens and are used by Web applications to make authorization decisions. Claims originate from either an account store or an account partner.

When administering an account store in a Federation Service, you perform the following claim management procedures:

  • Create a claim that represents a user or group of users from your organization.

  • Extract the claim to map it to a local security account (either a group or user) in your directory service.

  • Map the claim to an outgoing identity that you name to appropriately represent the type of users in the claim. During a request for access to a resource, ADFS sends this claim to the resource Federation Service in a security token.

When administering an account partner in a resource Federation Service, you perform the following management procedures:

  1. Create a claim for your organization.

  2. Map an incoming claim (the name of which has been communicated to you by the account Federation Service) to your local organization claim. This claim is used by the Web server to make authorization decisions about the user or users represented by the claim.
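The two mapping stages above, modelled end to end as an added example (a constructed illustration, not ADFS's own API or configuration format): the account Federation Service extracts organization claims from local security groups and renames them on the way out, and the resource Federation Service admits only the incoming claim names it has explicitly mapped before the Web application authorizes on them. All group, claim and partner names are constructed.

```python
# Constructed model of the ADFS claim flow: account-side extraction and
# outgoing mapping, then resource-side incoming mapping and authorization.

# --- Account Federation Service (account store side) ---
# Extraction rule: local security group -> organization claim name.
EXTRACTION_RULES = {
    "Purchasers": "Purchasing",          # members of this group get the claim
}
# Outgoing mapping: organization claim -> claim name sent to the resource partner.
OUTGOING_MAP = {
    "Purchasing": "PartnerPurchasing",
}

# --- Resource Federation Service (account partner side) ---
# Incoming mapping: claim name agreed with the account partner -> local organization claim.
INCOMING_MAP = {
    "PartnerPurchasing": "TrustedPurchasers",
}


def account_side_token(user_groups, extraction_rules=EXTRACTION_RULES,
                       outgoing_map=OUTGOING_MAP):
    """Return the outgoing claim names placed in the token for the resource partner.

    Groups with no extraction rule (e.g. 'Domain Users') produce no claim, and
    organization claims with no outgoing mapping are never sent.
    """
    org_claims = {extraction_rules[g] for g in user_groups if g in extraction_rules}
    return {outgoing_map[c] for c in org_claims if c in outgoing_map}


def resource_side_claims(incoming_claims, incoming_map=INCOMING_MAP):
    """Translate incoming claims to local organization claims.

    Anything the account partner sends that the resource side has not mapped
    is dropped: the resource trusts its own mapping table, not the sender's names.
    """
    return {incoming_map[c] for c in incoming_claims if c in incoming_map}


def authorize(local_claims, required_claim):
    """The Web application decides on local organization claims only."""
    return required_claim in local_claims


if __name__ == "__main__":
    token = account_side_token({"Purchasers", "Domain Users"})   # -> {'PartnerPurchasing'}
    local = resource_side_claims(token)                           # -> {'TrustedPurchasers'}
    print(token, local, authorize(local, "TrustedPurchasers"))    # ... True
```

Feeding the resource side a claim name it has no mapping for (for example a constructed "PartnerAdmins") yields no local claim and therefore no access, which is the property to verify when reviewing an incoming mapping table.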

The following tasks for managing claims are described in this objective.

See Also

Other Resources

Understanding Claims