Create a Rule to Send an Authentication Method Claim

You can use either the Send Group Membership as Claims rule template or the Transform an Incoming Claim rule template to send an authentication method claim. The relying party can use an authentication method claim to determine the logon mechanism that the user uses to authenticate and obtain claims from Active Directory Federation Services (AD FS). You can also use the Authentication Mechanism Assurance feature of Active Directory Federation Services (AD FS) in Windows Server 2012 R2 as input to generate authentication method claims for situations in which the relying party wants to determine the level of access that is based on smart card logons. For example, a developer can assign different levels of access to federated users of the relying party application. The levels of access are based on whether the users log on with their user name and password credentials, as opposed to their smart cards.

Depending on the requirements of your organization, use one of the following procedures:

  • Create this rule by using the Send Group Membership as Claims rule template - You can use this rule template when you want the group that you specify in this template to ultimately determine what authentication method claim to issue.

  • Create this rule by using the Transform an Incoming Claim rule template - You can use this rule template when you want to change the existing authentication method to a new authentication method that works with a product that does not recognize standard AD FS authentication method claims.

To create by using the Send Group Membership as Claims rule template on a Relying Party Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Relying Party Trusts. Screenshot that shows where to select Relying Party Trusts in the console tree when you create a rule by using the Send Group Membership as Claims rule template.

  3. Right-click the selected trust, and then click Edit Claim Issuance Policy. Screenshot that shows where to select the Edit Claim Issuance Policy menu option when you create a rule by using the Send Group Membership as Claims rule template.

  4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules click Add Rule to start the rule wizard. Screenshot that shows how to add a rule when you create a rule by using the Send Group Membership as Claims rule template.

  5. On the Select Rule Template page, under Claim rule template, select Send Group Membership as Claim from the list, and then click Next. Screenshot that shows where to select the Send Group Membership as Claim template.

  6. On the Configure Rule page, type a claim rule name.

  7. Click Browse, select the group whose members should receive this authentication method claim, and then click OK.

  8. In Outgoing claim type, select Authentication method in the list.

  9. In Outgoing claim value, type one of the default uniform resource identifier (URI) values in the following table, depending on your preferred authentication method, click Finish, and then click OK to save the rule.

Actual Authentication method Corresponding URI
User name and password authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
Transport Layer Security (TLS) Mutual authentication that uses X.509 certificates https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

Screenshot that shows where to select Finish when you create a rule by using the Send Group Membership as Claims rule template in Windows Server 2016.

To create by using the Send Group Membership as Claims rule template on a Claims Provider Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Claims Provider Trusts. Screenshot that shows where to select Claims Provider Trusts when you create a rule by using the Send Group Membership as Claims rule template in Windows Server 2016.

  3. Right-click the selected trust, and then click Edit Claim Rules. Screenshot that shows where to select Edit Claim Rules when you create a rule by using the Send Group Membership as Claims rule template in Windows Server 2016.

  4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules click Add Rule to start the rule wizard. Screenshot that shows where to select the Add Rule button when you create a rule by using the Send Group Membership as Claims rule template in Windows Server 2016.

  5. On the Select Rule Template page, under Claim rule template, select Send Group Membership as Claim from the list, and then click Next. Screenshot that shows where to select the Send Group Membership as Claim template when you create a rule in Windows Server 2016.

  6. On the Configure Rule page, type a claim rule name.

  7. Click Browse, select the group whose members should receive this authentication method claim, and then click OK.

  8. In Outgoing claim type, select Authentication method in the list.

  9. In Outgoing claim value, type one of the default uniform resource identifier (URI) values in the following table, depending on your preferred authentication method, click Finish, and then click OK to save the rule.

Actual Authentication method Corresponding URI
User name and password authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
Transport Layer Security (TLS) Mutual authentication that uses X.509 certificates https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

Screenshot that shows where to select Finish when you create a rule by using the Send Group Membership as Claims rule template in Windows Server 2016.

To create this rule by using the transform an incoming claim rule template on a Relying Party Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Relying Party Trusts. Screenshot that shows where to select Relying Party Trusts in the console tree when you create a rule by using the transform an incoming claim rule template.

  3. Right-click the selected trust, and then click Edit Claim Issuance Policy. Screenshot that shows where to select Edit Claim Issuance Policy when you create a rule by using the transform an incoming claim rule template.

  4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules click Add Rule to start the rule wizard. Screenshot that shows where to select Add Rule when you create a rule by using the transform an incoming claim rule template.

  5. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next. Screenshot that shows where to select the Transform an Incoming Claim template when you create a rule.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select Authentication method in the list.

  8. In Outgoing claim type, select Authentication method in the list.

  9. Select Replace an incoming claim value with a different outgoing claim value, and then do the following:

    1. In Incoming claim value, type one of the following URI values that are based on the actual authentication method URI that was used originally, click Finish, and then click OK to save the rule.

    2. In Outgoing claim value, type one of the default URI values in the following table, which depends on your new preferred authentication method choice, click Finish, and then click OK to save the rule.

Actual authentication method Corresponding URI
User name and password authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
TLS mutual authentication that uses X.509 certificates https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

Screenshot that shows where to select Finish when you create a rule by using the transform an incoming claim rule template.

Note

Other URI values can be used in addition to the values in the table. The URI values that are shown ion the previous table reflect the URIs that the relying party accepts by default.

To create this rule by using the transform an incoming claim rule template on a Claims Provider Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Claims Provider Trusts. Screenshot that shows where to select Claims Provider Trusts in the console tree when you create a rule by using the transform an incoming claim rule template in Windows Server 2016.

  3. Right-click the selected trust, and then click Edit Claim Rules. Screenshot that shows where to select Edit Claim Rules when you create a rule by using the transform an incoming claim rule template in Windows Server 2016.

  4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules click Add Rule to start the rule wizard. Screenshot that shows where to select Add Rule when you create a rule by using the transform an incoming claim rule template in Windows Server 2016.

  5. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next. Screenshot that shows where to select the Transform an Incoming Claim template when you create a rule in Windows Server 2016.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select Authentication method in the list.

  8. In Outgoing claim type, select Authentication method in the list.

  9. Select Replace an incoming claim value with a different outgoing claim value, and then do the following:

    1. In Incoming claim value, type one of the following URI values that are based on the actual authentication method URI that was used originally, click Finish, and then click OK to save the rule.

    2. In Outgoing claim value, type one of the default URI values in the following table, which depends on your new preferred authentication method choice, click Finish, and then click OK to save the rule.

Actual authentication method Corresponding URI
User name and password authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
TLS mutual authentication that uses X.509 certificates https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

Screenshot that shows where to select Finish when you create a rule by using the transform an incoming claim rule template in Windows Server 2016.

To create this rule by using the Send Group Membership as Claims rule template in Windows Server 2012 R2

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click either Claims Provider Trusts or Relying Party Trusts, and then click a specific trust in the list where you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules. Screenshot that shows where to select Edit Claim Rules when you create a rule by using the Send Group Membership as Claims rule template.

  4. In the Edit Claim Rules dialog box, select one the following tabs, depending on the trust that you are editing and which rule set you want to create this rule in, and then click Add Rule to start the rule wizard that is associated with that rule set:

    • Acceptance Transform Rules

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules Screenshot that shows where to select Add Rule when you create a rule by using the Send Group Membership as Claims rule template.

  5. On the Select Rule Template page, under Claim rule template, select Send Group Membership as a Claim from the list, and then click Next. Screenshot that shows where to select the Send Group Membership as a Claim template when you create a rule.

  6. On the Configure Rule page, type a claim rule name.

  7. Click Browse, select the group whose members should receive this authentication method claim, and then click OK.

  8. In Outgoing claim type, select Authentication method in the list.

  9. In Outgoing claim value, type one of the default uniform resource identifier (URI) values in the following table, depending on your preferred authentication method, click Finish, and then click OK to save the rule.

Actual Authentication Method Corresponding URI
User name and password authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
Transport Layer Security (TLS) Mutual authentication that uses X.509 certificates https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

Screenshot that shows where to select Finish when you create a rule by using the Send Group Membership as Claims rule template.

Note

Other URI values can be used in addition to the values in the table. The URI values that are shown in the previous table reflect the URIs that the relying party accepts by default.

To create this rule by using the Transform an Incoming Claim rule template in Windows Server 2012 R2

  1. In Server Manager, click Tools, and then click AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click either Claims Provider Trusts or Relying Party Trusts, and then click a specific trust in the list where you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules. Screenshot that shows where to select Edit Claim Rules when you create a rule by using the Transform an Incoming Claim rule template in Windows Server 2012 R2.

  4. In the Edit Claim Rules dialog box, select one the following tabs, which depends on the trust that you are editing and in which rule set you want to create this rule, and then click Add Rule to start the rule wizard that is associated with that rule set:

    • Acceptance Transform Rules

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules Screenshot that shows where to select Add Rule when you create a rule by using the Transform an Incoming Claim rule template in Windows Server 2012 R2.

  5. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next. Screenshot that shows where to select the Transform an Incoming Claim template when you create a rule in Windows Server 2012 R2.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select Authentication method in the list.

  8. In Outgoing claim type, select Authentication method in the list.

  9. Select Replace an incoming claim value with a different outgoing claim value, and then do the following:

    1. In Incoming claim value, type one of the following URI values that are based on the actual authentication method URI that was used originally, click Finish, and then click OK to save the rule.

    2. In Outgoing claim value, type one of the default URI values in the following table, which depends on your new preferred authentication method choice, click Finish, and then click OK to save the rule.

Actual authentication method Corresponding URI
User name and password authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Windows authentication https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
TLS mutual authentication that uses X.509 certificates https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient
X.509-based authentication that does not use TLS https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509

create rule

Note

Other URI values can be used in addition to the values in the table. The URI values that are shown ion the previous table reflect the URIs that the relying party accepts by default.

Additional references

Configure Claim Rules

Checklist: Creating Claim Rules for a Relying Party Trust

Checklist: Creating Claim Rules for a Claims Provider Trust

When to Use an Authorization Claim Rule

The Role of Claims

The Role of Claim Rules