Create a Rule to Transform an Incoming Claim
Updated: February 24, 2012
Applies To: Windows Server 2012
Using the Transform an Incoming Claim rule template in Active Directory Federation Services (AD FS), you can select an incoming claim, change its claim type, and change its claim value. For example, you can use this rule template to create a rule that will send a role claim with the same claim value of an incoming group claim. You can also use this rule to send a group claim with a claim value of Purchasers when there is an incoming group claim with a value of Admins, or you can send only User Principal Name (UPN) claims that end with @fabrikam.
You can use the following procedure to create a claim rule with the AD FS Management snap-in.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To create a rule to transform an incoming claim
On the Start screen, type AD FS Management, and then press ENTER.
In the console tree, under AD FS\Trust Relationships, click either Claims Provider Trusts or Relying Party Trusts, and then click a specific trust in the list where you want to create this rule.
Right-click the selected trust, and then click Edit Claim Rules.
In the Edit Claim Rules dialog box, select one the following tabs, depending on the trust that you are editing and which rule set you want to create this rule in, and then click Add Rule to start the rule wizard that is associated with that rule set:
Acceptance Transform Rules
Issuance Transform Rules
Issuance Authorization Rules
Delegation Authorization Rules
On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.
On the Configure Rule page under Claim rule name type the display name for this rule, in Incoming claim type select a claim type in the list, in Outgoing claim type select a claim type in the list, and then select one of the following options, depending on the needs of your organization:
Pass through all claim values
Replace an incoming claim value with a different outgoing claim value
Replace incoming e-mail suffix claims with a new e-mail suffix
If you are setting up the Dynamic Access Control scenario that uses AD DS-issued claims, first create a transform rule on the claims provider trust and in Incoming claim type, type the name for the incoming claim or if a claim description was previously created select it from the list. Second, in Outgoing claim type, select the desired claim URL, and then create a transform rule on the relying party trust to issue the device claim.
In the Edit Claim Rules dialog box, click OK to save the rule.