The claims module supports the creation of two types of claims: discrete and free. A discrete claim is a single- or multi-select field with predefined options, whereas a free claim is just a free-text field. Use the “New” button to select the type of claim that you want to create.
Below is the form for the discrete claim:
The different options on the above form are described below.
Claim type: This is the type of statement in the claim that is made. Examples of claim types include First Name and Role. The claim type provides context for the claim value and is usually expressed as a Uniform Resource Identifier (URI).
Friendly name: This is a user-friendly name for the claim type. This field supports localization.
Variable name: In order to use claims in regular expressions (for conditions in Claim Transformations) they need to be given variable names. These names may only consist of letters (A to Z, a to z) and digits (0 to 9).
User can edit field in My Profile: When enabled, this claim will appear on the My Profile page for all users, so that they themselves can update the value.
Restrict view and editing by sub-organizations: Activate this feature if you do not want users from child organizations to view or edit values for this claim type. Users from such organizations will then not see this claim type at all when they view user forms.
Restrict Elevation (only for discrete claims): Enable this option to prevent users who have access to the user list or the My Profile page from granting options that they do not themselves have selected on their own account. It is recommended to enable Restrict Elevation for discrete claims that are used for roles and security, because it makes little sense to give a user a certain set of permissions if that user can later change them through access to the user list.
Show claim type as column in user list: When enabled, this claim type will appear as a column in the user list. It is a good idea to add claims as columns that help identify users, for example email or phone.
Sensitive claim: If a claim holds particularly sensitive information that you do not want recorded in the system's audit log, tag it as “Sensitive”. The values issued over time for such a claim will then not be traceable in the log.
Number of options user can select (only for discrete claims): Defines whether the claim is single- or multi-select. Single select means that a user can hold only one value for the claim, which fits, for example, a claim holding country of birth. If the claim holds roles, of which a user typically has several, set it to “Multiple”.
Avoid issuing claims: Check this box if values for this claim must never be issued to RPs/IdPs in connection with token requests. The alternative is to make sure the claim is always stopped in the regular claim pipelines, but if you are certain it should never be issued, this setting is a lot easier. It is typically used for claims that serve only an internal purpose, e.g. the Device Activation Code.
Owner Organization: This is the organization that the claim is added to. Only users from this organization or its parents will be able to edit or delete the claim.
Options: This section holds the different options that can be selected for the claim. At least one option must be specified in order to save a discrete claim. Use the “Add” button to add more options to the list. Options that are already in use in the system cannot be deleted (no “Remove” button appears next to the “Edit” button for them).
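The settings above can be hard to reason about in isolation, in particular how Restrict Elevation, single/multi select, Sensitive and Avoid issuing interact when a user edits another user's claims. The following Python model is an added example, not Safewhere Identify's own code: the DiscreteClaim class, the function names, the constructed sample claims and the exact enforcement semantics (an editor may only grant options selected on their own account) are assumptions made for illustration.

```python
"""Illustrative model of the discrete-claim settings described above
(variable name rule, options, single/multi select, Restrict Elevation,
Sensitive, Avoid issuing). Added example; not Safewhere Identify code.
Class/function names and the enforcement semantics are assumptions."""
import re
from dataclasses import dataclass

# Variable names may only contain letters and digits (see "Variable name").
VARIABLE_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")


@dataclass(frozen=True)
class DiscreteClaim:
    claim_type: str              # usually a URI identifying the claim type
    variable_name: str           # used in Claim Transformation conditions
    options: frozenset           # predefined options; at least one required
    multi_select: bool = False   # "Number of options user can select"
    restrict_elevation: bool = False
    sensitive: bool = False      # keep values out of the audit log
    avoid_issuing: bool = False  # never put the claim into a token

    def __post_init__(self):
        if not VARIABLE_NAME_RE.match(self.variable_name):
            raise ValueError(f"invalid variable name: {self.variable_name!r}")
        if not self.options:
            raise ValueError("a discrete claim needs at least one option")


def check_claim_edit(claim, editor_values, new_values):
    """Return the reasons an edit must be rejected (empty list == allowed).

    editor_values: options the *editing* user holds for this claim.
    new_values:    options being assigned to the target user's account.
    Assumption: with Restrict Elevation on, an editor may only assign
    options that are selected on their own account.
    """
    editor_values, new_values = frozenset(editor_values), frozenset(new_values)
    problems = []
    unknown = new_values - claim.options
    if unknown:
        problems.append(f"not a predefined option: {sorted(unknown)}")
    if not claim.multi_select and len(new_values) > 1:
        problems.append("claim is single select; only one option may be set")
    if claim.restrict_elevation:
        elevated = new_values - editor_values
        if elevated:
            problems.append(f"elevation blocked, editor lacks: {sorted(elevated)}")
    return problems


def audit_entry(claim, user, new_values):
    """Build an audit-log entry; values of a Sensitive claim are redacted."""
    shown = "<redacted>" if claim.sensitive else sorted(new_values)
    return {"user": user, "claim": claim.claim_type, "values": shown}


def claims_for_token(claims, user_values):
    """Drop claims flagged 'Avoid issuing' before a token is built.
    claims: iterable of DiscreteClaim; user_values: {claim_type: set of options}."""
    return {c.claim_type: sorted(user_values[c.claim_type])
            for c in claims
            if not c.avoid_issuing and c.claim_type in user_values}


# Constructed sample claims for this example (not real Identify claim types).
ROLE = DiscreteClaim("urn:example:role", "role", frozenset({"user", "admin"}),
                     multi_select=True, restrict_elevation=True)
COUNTRY = DiscreteClaim("urn:example:country", "country", frozenset({"DK", "SE"}))
ACTIVATION = DiscreteClaim("urn:example:activation", "act",
                           frozenset({"pending", "done"}),
                           sensitive=True, avoid_issuing=True)

if __name__ == "__main__":
    # A user holding only "user" tries to grant "admin": blocked by Restrict Elevation.
    print(check_claim_edit(ROLE, {"user"}, {"user", "admin"}))
    # Two countries on a single-select claim: rejected.
    print(check_claim_edit(COUNTRY, {"DK"}, {"DK", "SE"}))
    # Sensitive claim: the audit entry records the change but not the value.
    print(audit_entry(ACTIVATION, "alice", {"done"}))
    # The activation claim never reaches the token.
    print(claims_for_token([ROLE, COUNTRY, ACTIVATION],
                           {"urn:example:role": {"user"},
                            "urn:example:activation": {"done"}}))
```

Note that without Restrict Elevation the same "user" could assign "admin" to anyone, which is exactly the situation the setting is meant to prevent for role claims.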
Import of Claims
The claims module also supports importing claims from an XML file via the menu Tools > Import Predefined Claim Type or Tools > Upload & Import Custom Claim Type Definitions.
Import Predefined Claim Types: Claim types from some popular domains, e.g. OIOSAML and WAYF. These claim types ship with the system, so simply choose the appropriate set and the claims will be created in the list.
Upload & Import Custom Claim Type Definitions: Custom claim types created by the user. Select the XML file to import; it must follow the structure shown below.
When importing claims of either kind, the user has to select how these claims will be set up. The following dialog is shown:
These options are the same as on the claim form; see the section on Claim Form for details.
Claims set list
The claims set module supports ‘Claim Sets’, which are simply a way to tie together a number of claims. Use the ‘New’ button to create a new claims set.
This opens the claims set form.
The settings that exist for a claims set are:
Name: Give the claims set a name that makes it easy to recognize when adding it to the Consent claims sets on the Protocol connections.
Required: When a claims set is required and used for consent, the user must consent to the claims set before being able to continue logging in.
Headline: Give the claims set a headline that makes it easy to recognize when viewing it on the ‘My Consent’ or ‘Consent’ page. This field supports localization.
Description: Give the claims set a description that makes it easy for users to understand which information they are accepting may be shared with Safewhere*Identify. This field supports localization.
Owner Organization: Identify the organization that the claims set is added to. Only users from this organization or its parents will be able to edit or delete the claims set.
Select claims for the claims set: Select the claims that belong to the claims set.
There are no restrictions on adding or removing claims, and a claims set may be saved without any claims. The only validation is that the claims set name must be unique and that headline and description must not be empty.