Updated: May 5, 2010
Applies To: Active Directory Federation Services (AD FS) 2.0
You can use Active Directory Federation Services (AD FS) 2.0 to create custom claim rules that determine how claims are processed in a variety of scenarios. Together, these rules make up the claims transformation and authorization rules for the Federation Service. You can create and modify rules separately, depending on whether the Federation Service is acting in either the claims provider role or the relying party role.
The basic format of a rule that is written with the AD FS 2.0 claims language takes the following form:
"If the server receives claim A, issue claim B."
where claim A may be described in terms of its issuer, its type, or its value. Also, when you create rules, you can require more than one claim. Claim B can use incoming claims or an attribute store as a source of values, or it can use explicit values that are specified directly in the rule itself.
Incoming claims can come from claims providers or from user authentications that are performed with Active Directory Domain Services (AD DS). For Active Directory–based user authentications, AD FS 2.0 provides the "name" claim by default, so that it can be used to look up information in the directory.
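The following is an added example, not part of the original page and not Microsoft's own sample; it shows the "if claim A, issue claim B" form written in the claim rule language and applied to a relying party trust with the AD FS 2.0 Windows PowerShell snap-in. It assumes it is run on the federation server by an AD FS administrator, and the relying party display name and the group SID it tests for are placeholders that you would replace with your own values.

```powershell
# Added example (not from the original page): rules in the AD FS 2.0 claim rule
# language, applied to a relying party trust.
# Assumptions: run on the AD FS 2.0 federation server as an administrator; the
# relying party display name and the group SID below are placeholders.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RelyingParty = "<relying party display name>"   # placeholder

# Issuance transform rules: "if the server receives claim A, issue claim B".
# A single-quoted here-string keeps PowerShell from interpolating {0} or $.
$TransformRules = @'
@RuleName = "Claim B from an attribute store: look up mail and givenName for the AD DS-authenticated user"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"),
          query = ";mail,givenName;{0}", param = c.Value);

@RuleName = "Claim B from the incoming claim: pass the name claim through unchanged"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);

@RuleName = "Claim B with an explicit value: map a group SID (placeholder) to a role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-GROUP-SID"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Auditor");
'@

# Issuance authorization rules: the same language, but claim B is a permit or deny
# claim. This rule requires more than one incoming claim (c1 && c2) and pins the
# account-name claim to the AD DS issuer so a claim of the same type from another
# claims provider does not satisfy the condition.
$AuthorizationRules = @'
@RuleName = "Permit only AD DS-authenticated users who are members of the placeholder group"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-GROUP-SID"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName $RelyingParty `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# Read the stored rule text back to confirm what the Federation Service will evaluate.
(Get-ADFSRelyingPartyTrust -Name $RelyingParty).IssuanceAuthorizationRules
(Get-ADFSRelyingPartyTrust -Name $RelyingParty).IssuanceTransformRules
```

Two points from the example are worth checking in your own rule sets: a condition that omits `Issuer` matches a claim of that type from any claims provider the Federation Service trusts, so conditions that gate authorization should name the issuer they expect; and in AD FS 2.0 the issuance authorization rules of a relying party trust are evaluated before its issuance transform rules, so an authorization condition can only test claims that the claims provider trust's acceptance rules have already produced (here, the account name and group SID claims from AD DS), not claims the transform rules above create.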
When you work with claim rules, you can either select the rules to create from prepopulated templates or compose your own custom claim rules directly in the claim rule language. For more information about how claim rules work, see The Role of Claim Rules (http://go.microsoft.com/fwlink/?LinkId=182453) in the AD FS 2.0 Design Guide.
For more information about how to create claim rules, see Checklist: Creating Claim Rules for a Claims Provider Trust (http://go.microsoft.com/fwlink/?LinkId=182445) or Checklist: Creating Claim Rules for a Relying Party Trust (http://go.microsoft.com/fwlink/?LinkId=182446), depending on the role that your Federation Service will play.
Using Claim Rules for Issuing Claims
Using Claim Rules for Authorization
Sending LDAP Attributes as Claims
Sending Group Membership as a Claim
Transforming an Incoming Claim
Passing Through or Filtering an Incoming Claim
Permitting or Denying Users Based on an Incoming Claim
Permitting All Users
Sending Claims Using a Custom Rule
The Claim Rule Language