Checklist: Creating Claim Rules for a Relying Party Trust
Applies To: Active Directory Federation Services (AD FS) 2.0
This checklist includes the tasks that are necessary for planning, designing, and deploying claim rules that are associated with a relying party trust in Active Directory Federation Services (AD FS) 2.0.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
Checklist: Creating a claim rule set for a relying party trust
Task | Reference | |
---|---|---|
Review concepts about claims, claim rules, claim rule sets, and claim rule templates and how they are associated with federated trusts. |
||
Review concepts about how a claim flows through all the stages in the claims issuance pipeline and how rules are processed by the claims issuance engine. |
||
To effectively plan and implement the output claims that will be issued over this relying party trust, determine whether one or more claim rules are needed and which claim rules you should use with this relying party trust. |
||
Review concepts about when to create one claim rule over another and how you can use the claim rule language to provide more complex logic than standard rules in order to provide a desired result in the ideal output claim set. |
When to Use a Pass Through or Filter Claim Rule When to Use a Transform Claim Rule When to Use a Send LDAP Attributes as Claims Rule When to Use a Send Group Membership as a Claim Rule When to Use an Authorization Claim Rule |
|
A claim description must be created if one does not already exist that will fulfill the needs of your organization. AD FS 2.0 ships with a default set of claim descriptions that are exposed in the AD FS 2.0 Management snap-in. |
||
Depending on the needs of your organization, create one or more claim rules for the rule sets that are associated with this relying party trust so that claims will be issued appropriately. |
Create a Rule to Pass Through or Filter an Incoming Claim Create a Rule to Send LDAP Attributes as Claims Create a Rule to Send Group Membership as a Claim Create a Rule to Transform an Incoming Claim Create a Rule to Send an Authentication Method Claim |
|
Depending on the needs of your organization, create one or more claim rules for either the issuance authorization rules set or the delegation authorization rules set that is associated with this relying party trust so that users will be permitted access to the relying party. |
Create a Rule to Permit All Users Create a Rule to Permit or Deny Users Based on an Incoming Claim |