Review the Role of Claims and Claim Rules in the Identity Provider Organization
Updated: May 8, 2009
Applies To: 'Geneva' Identity Server
Two things determine the role that claims play in an identity provider organization:
- The claims that the identity provider organization issues
- The rules that administrators define to determine how claims that the identity provider issues are processed
Claims issuance
An identity provider issues tokens that contain claims to its users. The claims are built from data in the attribute store or from incoming claims that are in a Kerberos ticket so that users can access Web-based applications in the relying party organization. The following table describes the claim options in the identity provider.
| Claim option | Description |
|---|---|
| Claims | Claims are used by the “Geneva” server—in this case, the identity provider “Geneva” server. Claims that pass through a “Geneva” server are mapped into and out of the claim set. These claims are then transformed, or mapped, into outgoing claims. This is the core set of claims that the organization uses for mapping. |
| Outgoing claim mappings | Outgoing claim mappings map claims to outgoing claims. The claim names that you configure here are determined by an agreement with your relying party on a common namespace. |
| Outgoing claims | Outgoing claims are included in the security token of a user. The identity provider generates them, and they are sent to the relying party. Claims on the “Geneva” server of the identity provider are mapped to outgoing claims that are then sent to the relying party “Geneva” server. |
Claims issuance rules
Administrators in an identity provider organization can define how outgoing claims are issued for each relying party organization by specifying claim issuance rules in the "Geneva" Server Management snap-in. The following table describes the claim rule options that are available to an identity provider administrator.
| Claim rule option | Description |
|---|---|
| Create claims from LDAP Attribute Store | Maps specific Lightweight Directory Access Protocol (LDAP) attributes from an attribute store that you define to a set of outgoing claims that can be used for authorization. If the users to be queried are from an identity provider, you may have to use a custom LDAP query filter. For more information about how to define this rule, see Create an LDAP Attribute Store Claim Rule. |
| Create PPID Claim | Issues a private personal identifier (PPID) claim for the user that is specific to the relying party. Using a PPID prevents the relying party from knowing an identifier that may be shared with other relying parties. For more information about how to define this rule, see Create a PPID Claim Rule. |
| Advanced | Used with the claim rule language syntax to enumerate, add, delete, or modify claims to meet the needs of your organization. You can build advanced rules by using the claim language syntax in the "Geneva" Server Rules Editor. For more information about how to define this rule, see Create an Advanced Claim Rule. |
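The following Python is an added illustration, not code from the "Geneva" product or from this page: it models the two claim rule types in the table above (mapping attribute-store fields to outgoing claims in a namespace agreed with the relying party, and issuing a relying-party-specific PPID). The attribute-store record, the `schemas.example.org` claim type and the keyed-hash PPID derivation are constructed assumptions for the example; the product's actual PPID algorithm is not described on this page.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    type: str   # claim type URI agreed with the relying party
    value: str


# Constructed attribute-store record for one user (not real directory data).
ATTRIBUTE_STORE = {
    "alice": {"mail": "alice@example.com", "department": "Finance",
              "objectGUID": "constructed-guid-0001"},
}

# Constructed outgoing claim mappings: attribute -> outgoing claim type.
# The emailaddress URI is the standard WS-* identity claim type; the
# department URI is a made-up namespace standing in for the RP agreement.
OUTGOING_MAPPINGS = {
    "mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "department": "http://schemas.example.org/claims/department",
}

PPID_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"


def ldap_attribute_rule(user, store, mappings):
    """'Create claims from LDAP Attribute Store': one outgoing claim per mapped attribute."""
    record = store[user]
    return [Claim(mappings[attr], record[attr]) for attr in mappings if attr in record]


def ppid_rule(user, store, relying_party, issuer_secret):
    """'Create PPID Claim': derive an identifier bound to this relying party.

    Keyed hash over (relying party, stable directory id) is an assumed model:
    stable per RP, but different RPs get unrelated values, so they cannot
    correlate the user by comparing identifiers."""
    stable_id = store[user]["objectGUID"]
    msg = f"{relying_party}\0{stable_id}".encode()
    return Claim(PPID_TYPE, hmac.new(issuer_secret, msg, hashlib.sha256).hexdigest())


def issue_outgoing_claims(user, relying_party, issuer_secret):
    """Run both rules and return the outgoing claim set placed in the user's token."""
    claims = ldap_attribute_rule(user, ATTRIBUTE_STORE, OUTGOING_MAPPINGS)
    claims.append(ppid_rule(user, ATTRIBUTE_STORE, relying_party, issuer_secret))
    return claims
```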
