Sending Claims Using a Custom Rule
Updated: May 5, 2010
Applies To: Active Directory Federation Services (AD FS) 2.0
Using a custom rule, you can create rules that cannot be created with a standard rule template. Custom rules are written in the Active Directory Federation Services (AD FS) 2.0 claim rule language. Capabilities that require custom rules include the following:
Sending claims from a Structured Query Language (SQL) attribute store
SQL attribute store queries must be typed into a custom rule, and the administrator must specify the claim types that are expected to map to the values that the attribute store returns.
Sending claims from a Lightweight Directory Access Protocol (LDAP) attribute store using a custom LDAP filter
Sending claims from a custom attribute store using a custom LDAP filter
A custom LDAP filter makes it possible for the administrator to search against attributes other than the default attribute, sAMAccountName.
Sending claims from a custom attribute store
Custom attribute stores require custom query strings that must be typed into a custom rule.
Sending claims only when two or more incoming claims are present
For example, "If group=administrators and title=Manager, send claim role=Approver".
Sending claims only when an incoming claim value matches a complex pattern
For example, "If the value of a role claim contains the string manager, send group=managers".
Sending claims with complex changes to an incoming claim value
For example, "If user has a group claim, send claim greeting=’Member of ’ + <group name>".
Creating claims for use only in later rules
Rules that add claims only to the input claim set must be written as custom rules. For more information about the input claim set and output claim set, see Using Claim Rules for Issuing Claims.
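The capabilities listed above, written out in the AD FS 2.0 claim rule language and applied to a relying party trust with the AD FS 2.0 PowerShell snap-in; this is an added example, not code from the original article. The relying party name "Contoso Claims App", the claim type URIs under http://contoso.example/, the SQL attribute store "HrStore" and its EmployeeRoles table are assumed placeholders; the Group, role and windowsaccountname claim types are the standard AD FS ones.

```powershell
# Added example (not from the original article). Assumed: relying party name,
# contoso.example claim types, and a SQL attribute store named "HrStore"
# registered in AD FS with a table EmployeeRoles(EmployeeId, RoleName).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Rules are evaluated in order; a claim produced by an add() rule is visible
# only to later rules in this set and is never sent to the relying party.
$rules = @'
@RuleName = "Role only when two incoming claims are present (group AND title)"
c1:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "administrators"]
 && c2:[Type == "http://contoso.example/claims/title", Value == "Manager"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Approver");

@RuleName = "Group when the role value matches a pattern (substring match; anchor with ^ and $ for an exact match)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "manager"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "managers");

@RuleName = "Greeting built from the incoming group value"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(Type = "http://contoso.example/claims/greeting", Value = "Member of " + c.Value);

@RuleName = "Intermediate claim: employeeID from AD, added to the input claim set only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://contoso.example/claims/employeeid"), query = ";employeeID;{0}", param = c.Value);

@RuleName = "Roles from the SQL attribute store, keyed on the intermediate claim"
c:[Type == "http://contoso.example/claims/employeeid"]
 => issue(store = "HrStore", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "SELECT RoleName FROM EmployeeRoles WHERE EmployeeId = {0}", param = c.Value);
'@

# Replace the issuance transform rule set on the relying party trust, then
# read it back so the change can be reviewed before users sign in.
Set-ADFSRelyingPartyTrust -TargetName "Contoso Claims App" -IssuanceTransformRules $rules
(Get-ADFSRelyingPartyTrust -Name "Contoso Claims App").IssuanceTransformRules
```

Because the employeeid claim is produced by add() rather than issue(), it drives the SQL lookup but never appears in the token the relying party receives.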