Claim transformation

If you are a member of the ClaimTransformation role, you will see a main tab called “Claim Transformations”. You can use it to set up claim pipeline transformation rules that can be attached to Authentication Connections and Protocol Connections.


Claim Transformations are steps in the claim pipeline that transform the claim set attached to a token. How the transformation is done depends on the type of Claim Transformation object. When you click the New button, you will see that we offer nine different types. (Notice that “Create Organization” is not a Claim Transformation object. Administering objects in organizations is explained in the Organization Administration article.)


Let us look at each of these Claim Transformation objects in turn:

  • Claim value transformation
  • Claim mapping transformation
  • Exclude Pass-through claims
  • Exclude Identify claims
  • Claim filter
  • SQL transformation
  • External transformation
  • LDAP claim transformation
  • User account update transformation
  • NameID format transformation
  • Scripting transformation
  • "Remove duplicate" transformation

Using regular expressions in Claim transformation objects

To understand the syntax used, please refer to the following page:

The main variables used in expressions are, naturally, claim types. To use a claim type as a variable, it needs a variable name; since version 3.3, claim types can be given variable names.


Three global keywords are initialized for use as variable names, namely:

  • identifyname: The Safewhere*Identify Name of a user
  • organization: The organization that the user belongs to
  • group: The group that the user belongs to

To give a brief idea of how these expressions work, below are some basic condition samples using Lucene query syntax:

Assume Identify is set up with the following claim types:

  • ‘Email Address’ claim type whose variable name is email
  • ‘Year of Birth’ claim type whose variable name is birthyear



All tokens that meet a condition like those in the following examples will be exposed to the Transformation step:

Syntax: Keyword matching
Explanation: The tokens whose claim type (referenced by its variable name) contains the specific word or the quoted phrase.
Example: email:gmail
  => Value of “email” claim type is “gmail”

Syntax: Wildcard matching
Explanation: To perform a single-character wildcard search, use the “?” symbol. To perform a multiple-character wildcard search, use the “*” symbol. The “*” symbol can also select values starting with “gmail”, or values starting with “g” and ending with “mail” (gmail, googlemail, ...).
Example: email:gma?l
  => Value of “email” claim type matches the given word with the single character replaced: gmail, gmael, gmaul, ...

Syntax: Proximity matching
Explanation: A claim type whose value contains words that are within a specific distance of each other. To do a proximity search, use the tilde symbol, “~”, at the end of a phrase.
Example: email:"gmailcom"~20
  => Value of “email” claim type contains the words gmail and com within 20 words of each other.

Syntax: Range search
Explanation: A claim type whose value is between a specific range (the lower and upper bound). A range can be inclusive, [], or exclusive, (), of the upper and lower bounds.
Examples:
  • birthyear:[1900 TO 2000]
    => Value of “birthyear” claim type must be from 1900 to 2000 inclusive.
  • birthyear:(1900 TO 2000)
    => Value of “birthyear” claim type must be from 1900 to 2000 exclusive.

Syntax: Boolean operators & grouping
Explanation: Boolean operators allow terms to be combined through the logic operators AND, OR and NOT. Combined with grouping, they form more complex condition expressions.
Examples:
  • email:gmail OR email:safewhere
    => Value of “email” claim type is either “gmail” OR “safewhere”
  • email:gmail AND group:admin
    => Value of “email” claim type is “gmail” AND group is “admin”
  • email:gmail AND NOT birthyear:2000
    => Value of “email” claim type is “gmail” AND birthyear is not “2000”
  • (email:gmail OR email:safewhere) AND group:admin
    => Value of “email” claim type is either “gmail” OR “safewhere”, AND group is “admin”

Syntax: Escaping special characters
Explanation: The current list of special characters, which are part of the query syntax, is + - && || ! ( ) { } [ ] ^ " ~ * ? : \. To escape a special character, put \ before it.
Example: email:a\*b
  => Value of “email” claim type must be a*b
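To make the condition rows above concrete, here is an added example, written for this page rather than taken from Safewhere's documentation or from the query engine Identify itself uses. It parses and evaluates the subset of the syntax described: keyword, wildcard, quoted phrase, inclusive and exclusive ranges, AND/OR/NOT with grouping, and backslash escaping (proximity searches are not implemented). It assumes a token's claim set is a dict from variable name to a list of string values, that a keyword or wildcard term matches either the whole value or any word of it, and that range bounds are compared numerically when all of them parse as numbers. The claim values in SAMPLE_CLAIMS are constructed.

```python
import re

# Query-syntax special characters listed on the page; a backslash before one makes it literal.
SPECIAL = set('+-&|!(){}[]^"~*?:\\')

# One token: parenthesis, boolean operator, or field:value with a [range], (range), "phrase" or word.
TOKEN = re.compile(
    r'\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<op>AND|OR|NOT)\b|'
    r'(?P<field>\w+):(?P<value>\[[^\]]*\]|\([^)]*\)|"[^"]*"|(?:\\.|[^\s()])+))')

def escape_value(value):
    """Escape a literal value so none of its characters act as query syntax."""
    return ''.join('\\' + c if c in SPECIAL else c for c in value)

def wildcard_to_regex(term):
    """Translate ? (one character) and * (any run) into an anchored, case-insensitive regex."""
    def piece(m):  # m is one backslash-escaped character, a lone ? or *, or a run of plain text
        s = m.group()
        return re.escape(s[1]) if s[0] == '\\' else {'?': '.', '*': '.*'}.get(s, re.escape(s))
    return re.compile('^' + re.sub(r'\\.|\?|\*|[^\\?*]+', piece, term) + '$', re.IGNORECASE)

def tokenize(query):
    tokens, pos = [], 0
    while query[pos:].strip():
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError('bad syntax at %d: %r' % (pos, query[pos:]))
        pos = m.end()
        if m.lastgroup == 'value':
            tokens.append(('term', (m.group('field'), m.group('value'))))
        else:
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens + [('end', None)]  # sentinel so the parser never runs off the end

def in_range(v, low, high, inclusive):
    try:
        v, low, high = float(v), float(low), float(high)  # numeric when all three parse
    except ValueError:
        pass                                              # otherwise compare as strings
    return low <= v <= high if inclusive else low < v < high

def match_term(field, value, claims):
    """One field:value clause against a claim set ({variable name: [values]}); assumed shape."""
    values = claims.get(field, [])
    if value[0] in '[(' and value[-1] in '])':            # range: [] inclusive, () exclusive
        low, high = (s.strip() for s in value[1:-1].split(' TO '))
        return any(in_range(v, low, high, value[0] == '[') for v in values)
    if value.startswith('"'):                             # quoted phrase: substring, case-insensitive
        return any(value[1:-1].lower() in v.lower() for v in values)
    pattern = wildcard_to_regex(value)                    # keyword/wildcard: whole value or any word of it
    return any(pattern.match(v) or any(pattern.match(w) for w in re.split(r'\W+', v)) for v in values)

class Condition:
    """Parses and evaluates a condition in one pass; NOT binds tightest, then AND, then OR."""
    def __init__(self, query, claims):
        self.toks, self.i, self.claims = tokenize(query), 0, claims
    def peek(self):
        return self.toks[self.i]
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def chain(self, op, sub):
        result = sub()
        while self.peek() == ('op', op):
            self.take()
            rhs = sub()                                   # always consumed, even if result is decided
            result = (result or rhs) if op == 'OR' else (result and rhs)
        return result
    def parse_or(self):
        return self.chain('OR', self.parse_and)
    def parse_and(self):
        return self.chain('AND', self.parse_not)
    def parse_not(self):
        if self.peek() == ('op', 'NOT'):
            self.take()
            return not self.parse_not()
        tok = self.take()
        if tok[0] == 'lparen':
            result = self.parse_or()
            if self.take()[0] != 'rparen':
                raise ValueError('missing closing parenthesis')
            return result
        if tok[0] != 'term':
            raise ValueError('unexpected token %r' % (tok,))
        return match_term(tok[1][0], tok[1][1], self.claims)

def token_matches(condition, claims):
    """True when the token's claim set satisfies the condition, i.e. it reaches the transformation."""
    c = Condition(condition, claims)
    result = c.parse_or()
    if c.peek()[0] != 'end':
        raise ValueError('unexpected token %r' % (c.peek(),))
    return result

# Constructed claim set of one token (not taken from the page): variable name -> values.
SAMPLE_CLAIMS = {'email': ['alice@gmail.com'], 'birthyear': ['1985'], 'group': ['admin']}
```

token_matches(condition, claims) answers whether a token would be exposed to the transformation step, so every row of the table can be tried against SAMPLE_CLAIMS. The escaping row is the one worth checking carefully: email:a*b treats the asterisk as a wildcard and matches a value such as axb, while email:a\*b (what escape_value("a*b") produces) only matches the literal a*b.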