Identify Policy script
What is a policy script?
An Identify policy script is a connection-level custom C# script that runs at a specific point in the login flow. It requires the connection to satisfy a set of conditions, based on the client's IP address and the user's claims, before the login proceeds to the next step.
The next section will show you where and how to use the policy script.
Syntax and built-in functions
The script supports C# 5.0 and .NET Framework 4.5+. We provide a Rules object on which you register your custom rules. The following functions are supported:
- Rules.ApplyIPAddressRange(string ipRange). The rule is satisfied when the client's IP address falls inside the given range.
- Rules.NotApplyIPAddressRange(string ipRange). The rule is satisfied when the client's IP address falls outside the given range.
- Rules.ApplyExpression(Func<RuleContext, bool> func). See below; the delegate receives the current RuleContext and returns true when the rule is satisfied.
- Rules.ApplyClaimTypes(string claimTypes). You can provide more than one claim type (or, for the claim-value methods, more than one claim value) separated by "," or ";", e.g. Rules.ApplyClaimTypes("claim:type:1,claim:type:2"). This method only returns true if the user has all of the provided claim types.
- Rules.NotApplyClaimTypes(string claimTypes)
- Rules.ApplyClaimValues(string claimValues)
- Rules.NotApplyClaimValues(string claimValues)
The supported IP address range formats are:
- 192.168.0.0/255.255.255.0
- 192.168.0.10 - 192.168.10.20
- 192.168.10.10-20
- fe80::/10
- 192.168.0.0/16
The RuleContext object has the following attributes:
- HttpContext is the HttpContext of the current login request.
- FirstFactorPrincipal is the ClaimsPrincipal returned by the first-factor provider.
- EndpointContext contains Identify's internal data structures and should be used for advanced use cases only.
- TemporaryProtocolContext contains Identify's internal data structures and should be used for advanced use cases only.
- ProtocolConnectionId is the GUID of the in-use service provider (aka protocol connection id).
- ProtocolConnectionEntityId is the entity id of the in-use service provider.
- AuthenticationConnectionId is the GUID of the in-use identity provider (aka authentication connection id).
- AuthenticationConnectionEntityId is the entity id of the in-use identity provider.
Multiple rules can be chained together. If all rules are satisfied, second-factor authentication will be used.
You can use Rules.ApplyExpression(Func<RuleContext, bool> func) to create a custom rule that fits your needs. The delegate should return true to indicate that the rule is satisfied, otherwise it should return false.
The order of rules is important. Evaluation stops at the first rule that is not satisfied (or whose expression returns false); all later rules are ignored and not evaluated.
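The following is an added example policy script, not code from the Identify documentation or product. It assumes that the script body is executed as a sequence of statements with the Rules object in scope (the page describes the object but does not show a full script), and that the ApplyExpression delegate takes a RuleContext and returns a bool. The IP range, claim type URIs and service provider entity id are constructed for illustration.

```csharp
// Added example policy script (not from the Identify documentation).
// Assumed: the script body runs as plain statements with `Rules` in scope,
// and `Rules.ApplyExpression` takes a Func<RuleContext, bool>.
// All IP ranges, claim types and entity ids below are constructed.
using System;
using System.Security.Claims;

// Rule 1: skip the policy for clients inside the (constructed) corporate range.
// Because evaluation stops at the first unsatisfied rule, a request from
// 10.0.0.0/8 never reaches rules 2 and 3.
Rules.NotApplyIPAddressRange("10.0.0.0/255.0.0.0");

// Rule 2: the user must have BOTH claim types; a single missing type fails the rule.
// Types are separated by ";" as the page allows.
Rules.ApplyClaimTypes(
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name;" +
    "http://example.org/claims/department");

// Rule 3: a custom rule on RuleContext, reached only when rules 1 and 2 passed.
// It requires the first-factor principal to be in the Finance department and
// the login to target one specific service provider (constructed entity id).
Rules.ApplyExpression(ctx =>
{
    ClaimsPrincipal user = ctx.FirstFactorPrincipal;
    if (user == null)
    {
        // No first-factor principal: fail closed rather than assume a match.
        return false;
    }

    Claim department = user.FindFirst("http://example.org/claims/department");
    bool isFinance = department != null
        && string.Equals(department.Value, "Finance", StringComparison.OrdinalIgnoreCase);

    bool isTargetSp = string.Equals(
        ctx.ProtocolConnectionEntityId,
        "https://sp.example.org/saml",
        StringComparison.OrdinalIgnoreCase);

    return isFinance && isTargetSp;
});
```

Two points worth checking before relying on a script like this. First, the IP-based rules are only as trustworthy as the source address Identify sees: if the server sits behind a reverse proxy or load balancer, confirm whether the observed address is the client's or the proxy's before using an IP range to exempt anyone from a stronger factor. Second, because the chain short-circuits, put the rule that excludes the largest population (here the corporate range) first so the later, more expensive expression rule only runs for requests that can actually match.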
Where to use policy script
You can use the policy script for: