Claim Administration
Claim list
The claims module supports the creation of two types of claims: discrete and free. A discrete claim is a multi- or single-select field with predefined options, whereas a free claim is a free-text field. Use the New button to select the type of claim that you want to create.
Claim form
There are two different views for this form: free claim and discrete claim.
Below is the form for the free claim:
Below is the form for the discrete claim:
The different options on the above form are described below.
Claim type: This is the type of statement made in the claim. Examples of claim types include First Name and Role. The claim type provides context for the claim value and is usually expressed as a Uniform Resource Identifier (URI).
Friendly name: This is a user-friendly name for the claim type. This field supports localization.
Variable name: To use a claim in regular expressions (for conditions in Claim Transformations), it must be given a variable name. Variable names may only consist of the letters A to Z and a to z and the digits 0 to 9.
User can edit field in My Profile: When enabled, this claim will appear on the My Profile page for all users, allowing them to update the value themselves.
Restrict view and editing by sub-organizations: Activate this option if users from child organizations should not be allowed to view or edit values for this claim type. Users from such organizations will then not see this claim type when they view user forms.
Restrict Elevation (only for discrete claims): Enable this option to prevent users who have access to either the user list or the My Profile page from granting options that are not selected on their own account. It is recommended to enable it for discrete claims that are used for roles and other security purposes: it makes little sense for a user to hold certain permissions and at the same time be able to change them through their access to the user list.
Show claim type as column in user list: When enabled, this claim type will appear as a column in the user list. It is a good idea to add claims as columns that help identify users, such as email or phone.
Sensitive claim: Tag a claim as Sensitive if it holds particularly sensitive information that you do not want recorded in the system's audit log. The values issued over time will then not be traceable through the log.
Number of options user can select (only for discrete claims): This setting determines whether the claim is single or multi-select. Single select means users can only set one value for the claim. This would make sense if the claim holds information such as the country of birth. If the claim holds information about roles where users can have multiple roles, then this setting should be set to "Multiple."
Avoid issuing claims: If you want to ensure that values for this claim are never issued to RPs/IdPs in connection with token requests, check this checkbox. An alternative is to make sure that the claim is always stopped on the regular claim pipelines, but if you are certain it should never be issued, using this setting is a lot easier. This setting is typically used for claims that are only used for internal purposes, e.g., the Device Activation Code.
Owner Organization: This is the organization to which the claim is added. Only users from this organization or its parents will be able to edit or delete the claim.
Options: This section holds the options that can be selected for the claim. At least one option must be specified before a discrete claim can be saved. Use the Add button to add more options to the list. Options that are already in use in the system cannot be deleted; for those, no Remove button is shown next to the Edit button.
Import of claims
The claims module also supports importing claims from a JSON or an XML file. From the Claim list page, you can click on the menu and select Import Claims.
There are two options to import claims:
- Import custom claim type definitions
- Import predefined claim type
Import custom claim type definitions: To import your own claim types, you must select a JSON or an XML file that contains all the claims to import. Below are examples of the content of such a JSON and an XML file.
You can use the Configurator tool to export claims from an existing instance and save them to a JSON file. This file can then be used as a template to import the claims to new instances.
[
{
"groupValues": [
"test 1",
"test 2",
"test 3"
],
"avoidUpsize": true,
"claimType": "dev56:claim 1",
"accessOrganizationName": "Root",
"description": null,
"userEditable": false,
"friendlyName": "Claim 1",
"sensitive": false,
"showAsColumnOnUserList": false,
"countSpecification": "Multi",
"variableName": "",
"restrictedSubOrganizationView": false,
"avoidIssue": false,
"publishToSPMetadata": false,
"publishToIdPMetadata": false,
"claimValueSpace": "DiscreteClaimValueSpace",
"activationTimes": [
{
"startTime": "0001-01-01T00:00:00Z",
"endTime": "9999-12-31T16:59:59.9999999Z"
}
],
"id": "e7ead208-4215-4702-b5ed-a0a7ff3f1c4d",
"externalId": null,
"meta": {
"created": "0001-01-01T00:00:00Z",
"lastModified": "0001-01-01T00:00:00Z",
"location": "/admin/api/rest/v2/claimdefinitions/e7ead208-4215-4702-b5ed-a0a7ff3f1c4d",
"version": null,
"attributes": null
},
"name": "GroupClaimDefinition",
"endpoint": "/admin/api/rest/v2/claimdefinitions",
"schema": "urn:scim:schemas:core:2.0:GroupClaimDefinition",
"schemaExtensions": null,
"schemaExtensionsDetail": null
},
{
"optionalValues": [
"1",
"2",
"3",
"4",
"test"
],
"avoidUpsize": false,
"claimType": "dev56:dk:gov:saml:attribute:AssuranceLevel",
"accessOrganizationName": "Root",
"description": null,
"userEditable": true,
"friendlyName": "",
"sensitive": true,
"showAsColumnOnUserList": true,
"countSpecification": "Single",
"variableName": null,
"restrictedSubOrganizationView": true,
"avoidIssue": true,
"publishToSPMetadata": true,
"publishToIdPMetadata": true,
"claimValueSpace": "DiscreteClaimValueSpace",
"activationTimes": [
{
"startTime": "0001-01-01T00:00:00Z",
"endTime": "9999-12-31T16:59:59.9999999Z"
}
],
"id": "dedefd9f-0866-49c4-8155-4b49e3fd9749",
"externalId": null,
"meta": {
"created": "0001-01-01T00:00:00Z",
"lastModified": "0001-01-01T00:00:00Z",
"location": "/admin/api/rest/v2/claimdefinitions/dedefd9f-0866-49c4-8155-4b49e3fd9749",
"version": null,
"attributes": null
},
"name": "OptionalClaimDefinition",
"endpoint": "/admin/api/rest/v2/claimdefinitions",
"schema": "urn:scim:schemas:core:2.0:OptionalClaimDefinition",
"schemaExtensions": null,
"schemaExtensionsDetail": null
}
]
An example of an XML data source:
<ClaimsSets>
<ClaimsSet name="CS1" displayName="Claim Set 1" >
<FreeClaimTypeDefinition claimName="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" friendlyName="User id" />
<FreeClaimTypeDefinition claimName="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" friendlyName="Email" />
<DiscreteClaimTypeDefinition claimName="multipleOptions" friendlyName="multipleOptions" selection="multi">
<option value="Opt1"></option>
<option value="Opt2"></option>
<option value="Opt3"></option>
</DiscreteClaimTypeDefinition>
</ClaimsSet>
<ClaimsSet name="CS2" displayName="Claim Set 2" >
<FreeClaimTypeDefinition claimName="given_name" friendlyName="" />
<FreeClaimTypeDefinition claimName="family_name" friendlyName="" />
<FreeClaimTypeDefinition claimName="middle_name" friendlyName="" />
<DiscreteClaimTypeDefinition claimName="gender" friendlyName="Gender" selection="single">
<option value="Male"></option>
<option value="Female"></option>
</DiscreteClaimTypeDefinition>
</ClaimsSet>
</ClaimsSets>
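Both import formats above are easy to get subtly wrong by hand (a discrete claim with no options, a variable name with a hyphen, a role claim left user-editable without Restrict Elevation). The following script is an added example, not part of Safewhere Identify or this documentation: it normalises both the JSON export format and the XML ClaimsSets format into one shape and lints them before import. The mapping of JSON keys to claim-form options (avoidUpsize = Restrict Elevation, userEditable = User can edit field in My Profile, showAsColumnOnUserList = Show claim type as column in user list) is inferred from the key names and is an assumption; the sample inputs are constructed for the example.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample in the JSON import format (fields the checks do not use
# are left out). The key-to-form-option mapping used below is an assumption.
SAMPLE_JSON = json.dumps([
    {"claimType": "dev56:claim 1", "claimValueSpace": "DiscreteClaimValueSpace",
     "groupValues": ["test 1", "test 2", "test 3"], "countSpecification": "Multi",
     "userEditable": True, "avoidUpsize": False, "sensitive": False,
     "showAsColumnOnUserList": False, "variableName": "claim-1"},
    {"claimType": "dev56:dk:gov:saml:attribute:AssuranceLevel",
     "claimValueSpace": "DiscreteClaimValueSpace", "optionalValues": ["1", "2", "3"],
     "countSpecification": "Single", "userEditable": False, "avoidUpsize": True,
     "sensitive": True, "showAsColumnOnUserList": True, "variableName": None},
])

# Constructed sample in the XML ClaimsSets format.
SAMPLE_XML = """<ClaimsSets>
  <ClaimsSet name="CS1" displayName="Claim Set 1">
    <FreeClaimTypeDefinition claimName="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" friendlyName="Email" />
    <DiscreteClaimTypeDefinition claimName="role" friendlyName="Role" selection="multi">
      <option value="admin"></option>
      <option value="user"></option>
    </DiscreteClaimTypeDefinition>
    <DiscreteClaimTypeDefinition claimName="empty" friendlyName="Empty" selection="single" />
  </ClaimsSet>
</ClaimsSets>"""

# Variable names are limited to ASCII letters and digits (claim form rule).
VARIABLE_NAME_RE = re.compile(r"^[A-Za-z0-9]*$")


def load_json_definitions(text):
    """Normalise the JSON export format into a common per-claim shape."""
    defs = []
    for d in json.loads(text):
        defs.append({
            "claimType": d.get("claimType"),
            "discrete": d.get("claimValueSpace") == "DiscreteClaimValueSpace",
            "options": list(d.get("groupValues") or d.get("optionalValues") or []),
            "userEditable": bool(d.get("userEditable")),
            "restrictElevation": bool(d.get("avoidUpsize")),   # assumed mapping
            "sensitive": bool(d.get("sensitive")),
            "showAsColumn": bool(d.get("showAsColumnOnUserList")),
            "variableName": d.get("variableName") or "",
        })
    return defs


def load_xml_definitions(text):
    """Normalise the XML ClaimsSets format into the same shape. The XML format
    carries no per-claim flags (those are chosen in the import dialog), so the
    flag fields stay None and the flag checks are skipped for them."""
    defs = []
    for claim_set in ET.fromstring(text).iter("ClaimsSet"):
        for el in claim_set:
            defs.append({
                "claimType": el.get("claimName"),
                "discrete": el.tag == "DiscreteClaimTypeDefinition",
                "options": [o.get("value") for o in el.findall("option")],
                "userEditable": None, "restrictElevation": None,
                "sensitive": None, "showAsColumn": None,
                "variableName": "",
            })
    return defs


def lint(defs):
    """Return (severity, claimType, message) tuples for each problem found."""
    findings = []
    for d in defs:
        ct = d["claimType"]
        if not ct:
            findings.append(("error", ct, "claimType is required"))
            continue
        if d["discrete"] and not d["options"]:
            findings.append(("error", ct, "a discrete claim needs at least one option"))
        if not VARIABLE_NAME_RE.match(d["variableName"]):
            findings.append(("error", ct, "variableName may only contain A-Z, a-z and 0-9"))
        if d["discrete"] and d["userEditable"] and d["restrictElevation"] is False:
            findings.append(("warning", ct, "user-editable discrete claim without "
                             "Restrict Elevation: users could grant themselves options"))
        if d["sensitive"] and d["showAsColumn"]:
            findings.append(("warning", ct, "sensitive claim is shown as a user-list column"))
    return findings
```

Run `lint(load_json_definitions(SAMPLE_JSON))` or `lint(load_xml_definitions(SAMPLE_XML))` on a file before uploading it. The elevation warning fires for every user-editable discrete claim because the script cannot know which claims carry roles; review those by hand. `xml.etree.ElementTree` is adequate for files you authored yourself; for XML received from a third party, parse it with the `defusedxml` package instead, which refuses entity expansion tricks.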
On the Import custom claim type definitions screen, you can choose a JSON or an XML file to import:
If the data source is valid, you can select the claim sets to import:
Import predefined claim type: Imports the claims of some popular profiles, e.g. OIOSAML and WAYF, which ship with Identify by default. You can choose which claim collections to import:
When importing claims of either predefined or custom types, you can choose how those claims will be set up:
- Owner organization
- Overwrite claim option
- Action when a claim type already exists
The dialog shows the following options:
Setup claim options:
- Editable via My Profile
- Restrict view and editing of sub-organizations
- Restrict elevation
- Sensitive claim
- Publish to Identity Provider metadata
- Publish to Service Provider metadata
- Avoid issuing claims
Setup options of claims that already exist in the tenant:
- Do not import
- Prefix claim display name
- Suffix claim display name
To understand more about these options, you can refer to the previous Claim Form section.
Claims set list
The claims set module supports claim sets, which are simply a way to tie together a number of claims. Use the New button to create a new claims set.
This opens the claims set form.
The settings that exist for a claims set are:
Name: Give the claims set object a name that will make it easy to recognize when adding to the Consent claims sets on the Protocol connections.
Required: When a claims set is required and used for consent, the user must consent to the claims set before they can continue logging in.
Headline: Give the claims set a headline that will make it easy to recognize when viewing it on the My Consent or Consent page. This field supports localization.
Description: Give the claims set a description that makes it easy for users to understand that the information they are accepting may be shared with Safewhere Identify. This field supports localization.
Owner Organization: Identify the organization that the claims set is added to. Only users from this organization or its parents will be able to edit or delete the claims set.
Select claims for the claims set: Select the claims that belong to the claims set.
There are no restrictions on adding or removing claims, and a claims set may be saved without any claims in it. The only validation is that the claims set name must be unique and that the headline and description must not be empty.
Uniqueness
The Uniqueness tab lets you manage constraints that enforce uniqueness of the values of a free claim definition at the database layer. Identify also checks uniqueness at the application layer, but that check alone is not reliable: when multiple requests to change the same resource object reach multiple servers at the same time, each request can pass the check before any of them has written its value, so duplicates slip through (a race condition). A database constraint closes that window because the database engine rejects the second write regardless of how the requests interleave.
The Uniqueness list shows all free claim definitions and their constraint status:
- Red: the free claim definition does not have a uniqueness constraint.
- Green: the free claim definition has a uniqueness constraint.
You can use the filter functionality on the right pane to filter claim definitions using the uniqueness constraint status or their claim types.
Hover over a free claim definition with a Red icon to create a uniqueness constraint:
Hover over a free claim definition with a Green icon to delete a uniqueness constraint:
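The race described in this section is easy to reproduce in miniature. The script below is an added example, not Identify's code, and its `claim_values` table is a constructed stand-in (the product's real schema is not shown on this page). It interleaves two requests that both run the application-layer "is this value free?" check before either writes, and compares what happens with and without a database-layer UNIQUE index on the email claim.

```python
import sqlite3

# Claim type taken from the XML sample on this page.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def open_db(with_constraint):
    """Constructed stand-in for a claim-value store (not the Identify schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE claim_values (user_id TEXT, claim_type TEXT, value TEXT)")
    if with_constraint:
        # The database-layer constraint: one holder per (claim type, value),
        # enforced by the engine no matter how concurrent requests interleave.
        con.execute("CREATE UNIQUE INDEX ux_claim_value ON claim_values (claim_type, value)")
    return con


def value_is_free(con, claim_type, value):
    """Application-layer check: does anyone already hold this value?"""
    row = con.execute("SELECT 1 FROM claim_values WHERE claim_type = ? AND value = ?",
                      (claim_type, value)).fetchone()
    return row is None


def store_value(con, user_id, claim_type, value):
    con.execute("INSERT INTO claim_values (user_id, claim_type, value) VALUES (?, ?, ?)",
                (user_id, claim_type, value))


def simulate_race(with_constraint, value="alice@example.com"):
    """Two requests (think: two servers) both pass the check before either
    writes, which is the interleaving that defeats the application-layer
    check on its own. Returns each request's outcome and the final row count."""
    con = open_db(with_constraint)
    checks = [("user-a", value_is_free(con, EMAIL_CLAIM, value)),
              ("user-b", value_is_free(con, EMAIL_CLAIM, value))]
    outcomes = []
    for user_id, free in checks:
        if not free:
            outcomes.append("rejected by check")
            continue
        try:
            store_value(con, user_id, EMAIL_CLAIM, value)
            outcomes.append("stored")
        except sqlite3.IntegrityError:
            # Only the UNIQUE index produces this: the second writer loses.
            outcomes.append("rejected by constraint")
    count = con.execute("SELECT COUNT(*) FROM claim_values WHERE claim_type = ? AND value = ?",
                        (EMAIL_CLAIM, value)).fetchone()[0]
    con.close()
    return outcomes, count
```

Without the index, `simulate_race(False)` stores both rows and two accounts end up with the same email claim value; with it, `simulate_race(True)` stores the first and rejects the second with an integrity error. Application code should therefore catch the constraint violation and report it to the user rather than rely on the pre-check alone.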