Create a Rule to Pass Through or Filter an Incoming Claim

Using the Pass Through or Filter an Incoming Claim rule template in Active Directory Federation Services (AD FS), you can pass through all incoming claims with a selected claim type. You can also filter the values of incoming claims with a selected claim type. For example, you can use this rule template to create a rule that will send all incoming group claims. You can also use this rule to send only user principal name (UPN) claims that end with @fabrikam.

You can use the following procedure to create a claim rule with the AD FS Management snap-in.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To create a rule to pass through or filter an incoming claim on a Relying Party Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Relying Party Trusts. Screenshot that highlights Relying Party Trusts in the console tree.

  3. Right-click the selected trust, and then click Edit Claim Issuance Policy. Screenshot that highlights the Edit Claim Issuance Policy menu option.

  4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules click Add Rule to start the rule wizard. Screenshot that shows the Issuance Transform Rules tab.

  5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim from the list, and then click Next. Screenshot that shows where to select the Pass Through or Filter an Incoming Claim template.

  6. On the Configure Rule page under Claim rule name type the display name for this rule, in Incoming claim type select a claim type in the list, and then select one of the following options, depending on the needs of your organization:

    • Pass through all claim values

    • Pass through only a specific claim value

    • Pass through only claim values that match a specific email suffix value

    • Pass through only claim values that start with a specific value Screenshot that shows where to select the incoming claim type.

  7. Click the Finish button.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.

To create a rule to pass through or filter an incoming claim on a Claims Provider Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Claims Provider Trusts. Screenshot that highlights Claims Provider Trusts in the console tree.

  3. Right-click the selected trust, and then click Edit Claim Rules. Screenshot that highlights the Edit Claim Rules menu option.

  4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules click Add Rule to start the rule wizard. Screenshot that shows the Acceptance Transform Rules tab.

  5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim from the list, and then click Next. Screenshot that shows where to select a rule template.

  6. On the Configure Rule page under Claim rule name type the display name for this rule, in Incoming claim type select a claim type in the list, and then select one of the following options, depending on the needs of your organization:

    • Pass through all claim values

    • Pass through only a specific claim value

    • Pass through only claim values that match a specific email suffix value

    • Pass through only claim values that start with a specific value Screenshot that shows where to ad the claim rule name.

  7. Click the Finish button.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.

To create a rule to pass through or filter an incoming claim in Windows Server 2012 R2

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FSAD FS\Trust Relationships, click either Claims Provider Trusts or Relying Party Trusts, and then click a specific trust in the list where you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules. Screenshot that shows where to select Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, select one the following tabs, depending on the trust you are editing and which rule set you want to create this rule in, and then click Add Rule to start the rule wizard that is associated with that rule set:

    • Acceptance Transform Rules

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules Screenshot thats shows the Add Rule button.

  5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim from the list, and then click Next. Screenshot that shows the the Choose Rule Type screen.

  6. On the Configure Rule page under Claim rule name type the display name for this rule, in Incoming claim type select a claim type in the list, and then select one of the following options, depending on the needs of your organization:

    • Pass through all claim values

    • Pass through only a specific claim value

    • Pass through only claim values that match a specific email suffix value

    • Pass through only claim values that start with a specific value create rule

  7. Click the Finish button.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.

Additional references

Configure Claim Rules

When to Use a Pass Through or Filter Claim Rule

The Role of Claims

The Role of Claim Rules