GroupToUpnClaimTransform Class
Transforms a GroupClaim to a UpnClaim.
Namespace: System.Web.Security.SingleSignOn
Assembly: System.Web.Security.SingleSignOn (in System.Web.Security.SingleSignOn.dll)
Inheritance Hierarchy
System.Object
  System.Web.Security.SingleSignOn.TrustPolicyEntryBase
    System.Web.Security.SingleSignOn.GroupToUpnClaimTransform
Syntax
C#
[ComVisibleAttribute(true)]
public class GroupToUpnClaimTransform : TrustPolicyEntryBase

C++
[ComVisibleAttribute(true)]
public ref class GroupToUpnClaimTransform : TrustPolicyEntryBase

F#
[<ComVisibleAttribute(true)>]
type GroupToUpnClaimTransform =
    class
        inherit TrustPolicyEntryBase
    end

VB
<ComVisibleAttribute(True)>
Public Class GroupToUpnClaimTransform
    Inherits TrustPolicyEntryBase
Constructors
Name | Description
---|---
GroupToUpnClaimTransform() | Initializes a new instance of the GroupToUpnClaimTransform class.
Properties
Name | Description
---|---
Disabled | Gets or sets whether the trust with this realm is currently active. If this is set, no tokens will be accepted from this partner. (Inherited from TrustPolicyEntryBase.)
Group | Gets or sets the GroupClaim to transform.
Upn | Gets or sets the UpnClaim to use during this transform.
uuid | Gets or sets the universal unique identifier (UUID) for this TrustPolicyEntryBase object. (Inherited from TrustPolicyEntryBase.)
Methods
Name | Description
---|---
Equals(Object) | (Inherited from Object.)
Finalize() | (Inherited from Object.)
GetHashCode() | (Inherited from Object.)
GetType() | (Inherited from Object.)
MemberwiseClone() | (Inherited from Object.)
ToString() | (Inherited from Object.)
Remarks
The GroupClaim to UpnClaim transformation is useful in scenarios where the resource realm can assign a UPN to the incoming token. For example, in a Windows NT token application, the AD FS Web Agent needs the UPN to be valid in the domain in order to authenticate the user to the application. The account realm may not have included a UPN in the token, or the incoming UPN may be invalid in this domain. In such cases, it is extremely useful to map an incoming group claim to a valid UPN in the resource realm. This eliminates the need to create shadow accounts for every possible UPN the account realm chooses to send.
Multiple GroupClaim to UpnClaim transforms can be defined for a particular account partner. In this case, they are applied in the order they are defined in the GroupToUpnClaimTransformCollection until a valid UPN is generated. For example, the GroupToUpnClaimTransformCollection contains the following:
Admins -> admins@resource.com
Users -> users@resource.com
Guests -> guests@resource.com
The incoming token is:
(contains) Group claim: Users
(may or may not contain) Group claim: Guests
The result of the transformation is:
UPN: users@resource.com
Note
If the incoming token contains a UPN, and it also contains a group for which a Group to UPN transform is defined, the UPN generated from the GroupToUpnClaimTransform prevails. The incoming UPN is overwritten by the newly generated one.
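The ordering rule from the Remarks as a stand-alone C# model, added here as an example; it is not code from the AD FS assembly or its documentation. `ResolveUpn`, the `isValid` predicate (a simple suffix check), the constructed tokens and the pass-through when no entry matches are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Stand-alone model of the ordering rule; it does not call the AD FS assembly.
// Every name here is hypothetical.
static class GroupToUpnModel
{
    // 'rules' is ordered like the GroupToUpnClaimTransformCollection.
    // 'isValid' stands in for the realm's own UPN validity check (assumption).
    public static string ResolveUpn(IList<KeyValuePair<string, string>> rules,
        ICollection<string> groups, string incomingUpn,
        Func<string, bool> isValid, out string firedGroup)
    {
        foreach (var rule in rules)
        {
            if (!groups.Contains(rule.Key)) continue; // group not in the token
            if (!isValid(rule.Value)) continue;       // try the next entry
            firedGroup = rule.Key;
            return rule.Value;    // generated UPN replaces any incoming UPN
        }
        firedGroup = null;
        return incomingUpn;       // assumption: no match leaves the token as is
    }

    static void Main()
    {
        var rules = new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("Admins", "admins@resource.com"),
            new KeyValuePair<string, string>("Users", "users@resource.com"),
            new KeyValuePair<string, string>("Guests", "guests@resource.com"),
        };
        Func<string, bool> valid = u =>
            u.EndsWith("@resource.com", StringComparison.OrdinalIgnoreCase);
        // Constructed tokens: the case from the Remarks, then one with Admins too.
        var tokens = new[]
        {
            new { Groups = new[] { "Guests", "Users" }, Upn = "alice@account.example" },
            new { Groups = new[] { "Users", "Admins" }, Upn = (string)null },
        };
        foreach (var t in tokens)
        {
            string fired;
            string upn = ResolveUpn(rules, t.Groups, t.Upn, valid, out fired);
            Console.WriteLine("[{0}] incoming={1} -> {2} (entry: {3})",
                string.Join(",", t.Groups), t.Upn ?? "(none)", upn, fired ?? "(none)");
        }
    }
}
```

Because the first matching entry in collection order wins, the order in which the token lists its group claims has no effect on the result. When reviewing a trust policy, check that the entry order reflects the intended precedence for tokens that carry more than one mapped group.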
Thread Safety
Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
See Also
System.Web.Security.SingleSignOn Namespace