Claim Filter Transformation


This is essentially the opposite of the two “Exclude Passthrough/Safewhere*Identify Claims” transformations: rather than specifying which claim types should not be let through, it defines the finite list of claim types that are allowed to pass through. It is also more flexible, because regular expressions can be used to specify which values are allowed through for a claim type.

The Transformation consists of five sections:

Claim Transformation Name: Give the Transformation object a name that will make it easy to recognize when adding to the Pipelines of Authentication and Protocol connections.

Culture: Since expressions may use and compare numbers, the system needs to know which culture is in use so that it can tell whether a comma or a dot indicates the decimal point. Currently only two cultures are supported: Danish (comma is the decimal point) and American (dot is the decimal point). These should cover the needs of other cultures with regard to this issue.

Owner Organization: The organization that the Claim Transformation is added to.

Execute before loading claims from local store: By default, a claim transformation rule is executed after claims from the local store are loaded for a principal. Check this option to execute it before the load instead.

Conditions: It is possible to specify that the Transformation object is only applied to a Pipeline when certain conditions on the token or user are in place, including:

Claims and values that will be allowed to pass through: The first step is to select the claim type to be allowed through. This can be either selected from the drop-down of Claim Types that “Exist in Identify” or, via the radio button, manually inserted. The next step is to specify the allowed values. Here, regular expressions can be used to specify the range of allowed values. Below are some examples of the allowed formats:

  • An exact match is just stated as is, e.g., “UserAdmin”
  • Matching with anything that starts or ends with a specific word is done using an asterisk:
    • Ends with something specific, e.g., “*Admin”
    • Starts with something specific, e.g., “User*”
    • Has a value anywhere in the string, e.g., “*Ad*”
  • Allow specific positions in a string to be replaced by any character, e.g., “User?dmin”.
  • Numeric comparisons are supported, e.g., <3; <=3; >3; >=3; =3. Negative values are supported as well. For decimal values, make sure you enter the decimal separator that matches the culture specified in the Claim Transformation.
  • More advanced regular expression syntax is also supported. Refer to online resources to learn more about using regular expressions.
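
The value formats listed above, modelled as an added example (this is not Safewhere's code, and all function names are hypothetical). It covers only the exact, asterisk, question-mark and numeric forms, and assumes that a wildcard rule must match the whole value, that the cultures are labelled "da-DK" and "en-US", and that a number written with the wrong decimal separator is rejected.

```python
import re
from decimal import Decimal

# Decimal separator per supported culture (the culture labels are assumed).
DECIMAL_SEP = {"da-DK": ",", "en-US": "."}
NUMBER = re.compile(r"-?\d+(?:([.,])\d+)?")
NUM_RULE = re.compile(r"(<=|>=|<|>|=)\s*(-?[\d.,]+)")
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "=": lambda a, b: a == b}

def parse_number(text, culture):
    """Parse a number with the culture's decimal separator; None if it does not fit."""
    m = NUMBER.fullmatch(text.strip())
    if not m or (m.group(1) and m.group(1) != DECIMAL_SEP[culture]):
        return None  # not a number, or wrong separator: reject rather than guess
    return Decimal(m.group(0).replace(",", "."))

def value_allowed(rule, value, culture="en-US"):
    """Check one claim value against one allowed-value rule."""
    m = NUM_RULE.fullmatch(rule)
    if m:  # numeric rule: a value that cannot be parsed never passes
        bound, actual = parse_number(m.group(2), culture), parse_number(value, culture)
        return bound is not None and actual is not None and OPS[m.group(1)](actual, bound)
    # Wildcards: '*' is any run of characters, '?' is exactly one character.
    # fullmatch makes a rule without wildcards an exact match.
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in rule)
    return re.fullmatch(pattern, value) is not None

def filter_claims(claims, allowed, culture="en-US"):
    """Keep only (type, value) pairs whose type is listed and whose value matches a rule."""
    return [(t, v) for t, v in claims
            if any(value_allowed(r, v, culture) for r in allowed.get(t, []))]

# Constructed sample claims and allow-list.
CLAIMS = [("role", "UserAdmin"), ("role", "NotUserAdminX"), ("role", "Guest"),
          ("level", "2,5"), ("level", "3,5"), ("email", "a@example.test")]
ALLOWED = {"role": ["User?dmin", "*Admin"], "level": ["<3"]}

if __name__ == "__main__":
    print(filter_claims(CLAIMS, ALLOWED, culture="da-DK"))
    print(filter_claims(CLAIMS, ALLOWED, culture="en-US"))
```

Running the same claims under both cultures shows why the Culture setting matters: the "level" value "2,5" passes the "<3" rule only when the culture is Danish.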