
AD FS 2.0: Dynamic Claim Types

Dynamic Claim Types

Scenario: data about a user is stored in a SQL database (or another attribute store), and that data needs to become part of the claim type that AD FS issues, rather than the value of the claim.

For example, the values "Redmond" and "Building3" are stored for the user in the "property" column of a "users" table.


Desired Result using Dynamic Claim Types:

http://contoso.com/Redmond = “Yes”
http://contoso.com/Building3 = “Yes”

Not Desired Result:

http://contoso.com/property = “Redmond”
http://contoso.com/property = “Building3”


This can be accomplished with two custom claim rules.  The first rule queries the database and places each returned value into an intermediate claim (called "variable" here) using add(), so the values are available to later rules but are not themselves issued.  The second rule takes each of those values and uses it to build the claim type that is issued.  Both rules are shown below.


Custom Claim Rule 1:


c:[type == "http://contoso.com/name"]
 => add(
         store = "Custom SQL store",
         types = ("variable"),
         query = "SELECT property FROM users WHERE name='{0}'",
         param = c.Value
    );


Assuming an incoming "http://contoso.com/name" claim is present, this rule queries the attribute store named "Custom SQL store" (the name must match an attribute store registered in AD FS) for that user's properties and adds one "variable" claim per row returned.  Because the rule uses add() rather than issue(), the "variable" claims are visible to subsequent rules but are not sent to the relying party.  The {0} placeholder is filled from the value of the incoming claim; whether the store binds it as a SQL parameter or splices it into the query text depends on the attribute store implementation, so a custom store must bind it as a parameter, since the incoming claim value drives the query.

Custom Claim Rule 2:


c:[type == "variable"]
 => issue(Type = "http://contoso.com/" + c.Value, Value = "Yes");

For each "variable" claim, this rule builds the claim type by appending the claim's value to the static prefix "http://contoso.com/" and issues it with the value "Yes".  Note that whatever is stored in the property column becomes a claim type verbatim: a row containing "Admin" would yield http://contoso.com/Admin = "Yes", so the column must be treated as trusted input or constrained.  If only a known set of properties should ever become claim types, narrow the second rule's condition with a regular expression, for example c:[type == "variable", value =~ "^(Redmond|Building3)$"], so that unexpected values are dropped rather than issued.
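The following added example is not code from the page or from AD FS: it is a Python model of the two rules, with an in-memory SQLite table standing in for the SQL attribute store, that runs the add()/issue() pipeline over constructed rows and shows the two guards a practitioner would want around this pattern: the {0} placeholder bound as a SQL parameter rather than spliced into the query text, and the property value validated before it is turned into a claim type.  The sample rows, the "mallory" user, the SAFE_SUFFIX pattern and the allow-list are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample rows standing in for the page's "users" table
# (name, property). "mallory" carries values that should never become
# claim types; they are here to exercise the guards below.
SAMPLE_ROWS = [
    ("alice", "Redmond"),
    ("alice", "Building3"),
    ("mallory", "Admin"),
    ("mallory", "../Redmond"),
]

# Claims are modelled as (type, value) pairs.
NAME_TYPE = "http://contoso.com/name"
PREFIX = "http://contoso.com/"


def build_store():
    """In-memory SQLite database standing in for the configured SQL attribute store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, property TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def rule1_add(claims, conn, bind_parameter=True):
    """Rule 1: for each incoming name claim, query the store and add() one
    "variable" claim per returned row. add() makes the claims visible to
    later rules without issuing them to the relying party.

    bind_parameter=True models a store that binds the {0} placeholder as a
    SQL parameter; False models one that splices the claim value into the
    query text (the unsafe variant, kept here only for contrast)."""
    added = []
    for ctype, cvalue in claims:
        if ctype != NAME_TYPE:
            continue
        if bind_parameter:
            rows = conn.execute(
                "SELECT property FROM users WHERE name=?", (cvalue,))
        else:
            rows = conn.execute(
                "SELECT property FROM users WHERE name='{0}'".format(cvalue))
        added.extend(("variable", row[0]) for row in rows)
    return claims + added


# Only values that can safely form a claim type suffix: no separators,
# dots or whitespace that could alter the resulting URI (assumed policy).
SAFE_SUFFIX = re.compile(r"^[A-Za-z0-9]+$")


def rule2_issue(claims, allowed=None):
    """Rule 2: issue PREFIX + value = "Yes" for each "variable" claim.

    Values failing SAFE_SUFFIX are dropped; if an allow-list is given,
    only listed values become claim types (the equivalent of narrowing
    the rule's condition with a regular expression in AD FS)."""
    issued = []
    for ctype, cvalue in claims:
        if ctype != "variable":
            continue
        if not SAFE_SUFFIX.match(cvalue):
            continue
        if allowed is not None and cvalue not in allowed:
            continue
        issued.append((PREFIX + cvalue, "Yes"))
    return issued


def issued_claims(name, allowed=None, bind_parameter=True):
    """Run both rules for one incoming name claim and return what is issued."""
    conn = build_store()
    try:
        pipeline = rule1_add([(NAME_TYPE, name)], conn, bind_parameter)
        return rule2_issue(pipeline, allowed)
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ("alice", "mallory", "x' OR '1'='1"):
        print(name, issued_claims(name))
        print(name, "allow-listed:",
              issued_claims(name, allowed={"Redmond", "Building3"}))
    # With the unsafe store model, a crafted name claim returns every row.
    print("unsafe:", issued_claims("x' OR '1'='1", bind_parameter=False))
```

Running it shows "alice" receiving http://contoso.com/Redmond and http://contoso.com/Building3, "mallory" receiving http://contoso.com/Admin unless the allow-list is applied, and the crafted name claim returning nothing when the placeholder is bound as a parameter but every row when it is spliced into the query text.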