This transformation rule is used for updating a user’s attributes in the local Identify user store based on claim type values in the user’s token.
This functionality is useful both in scenarios, where incoming tokens define values that should be added to the user account stored in the Identify store as well as scenarios, where rules in Identify’s claim pipeline change the value of the user’s claims and require this change to be saved to his local account in the process. Besides actually specifying the claim type that should be saved locally, the administrator is also able to specify logic for what happens when a value already exists in the user account that is stored in Safewhere*Identify; for example, the administrator may decide whether to overwrite, extend, or ignore a user’s existing values.
This is basically done by specifying one or more sets of claims and options. The options specify the rule for how the value from a claim type will be saved to the user’s account.
In the claim pipeline, the claims set’s values by the time the “user account update” transformation is executed will be updated to user accounts based on the defined rules of this transformation.
The Transformation consists of five sections.Claim Transformation Name: Give the Transformation object a name that will make it easy to recognize when adding to the Pipelines of Authentication and Protocol connections.
Culture: Since expression may be using and comparing numbers, it is important for the system to know what culture is used in order to know whether comma or dot indicates a decimal point. Currently only two cultures are supported, Danish (comma is decimal point) and American (dot is decimal point). These should cover the needs of other cultures in regards to this issue.
Owner Organization: The organization that the Claim Transformation is added to.
Execute before loading claims from local store: By default, a claim transformation rule is executed after claims from local store are loaded for a principal. Check this option to let it execute before the load.
Conditions: It is possible to specify that the Transformation object is only applied to a Pipeline given certain conditions of the token or user is in place, include:
- The option to skip the Transformation step when the token belongs or does not belong to a user identified as existing in the Safewhere*Identify repository.
- The option to specify that the Transformation object is not applied when token is processed via specific Authentication Connection or Protocol Connection.
- The option to specify regular expressions that define which tokens are to be exposed to the transformation step. Please see the Using Regular Expressions in Claim Transformation Conditions section to learn more.
Claim Mapping: To add a new “claim to update for user,” you must choose both a claim type and an option. The options are <overwrite, extend >. Whenever this Transformation step is reached in the pipeline, the value of the specified claim type will be extracted from the token and saved to the local user store for the same claim type and the user in context. The difference between overwrite and extend is the way it affects discrete claims. When “overwrite” is chosen, it means that any prior value for the user will be removed from the local store and replaced with the value in the token. When “extend” is chosen, any value in the token, which does not yet exist in the local store for the user, will be added to any existing value. For free value claims, the chosen option does not matter and any existing value in the store will just be overwritten with the value of the token’s claim type—if such exists.