
    Claims Filter transformation

    This transformation works as the inverse of the Exclude Claims transformation and the Exclude Passthrough Claims transformation. Instead of identifying claim types that should not be permitted, it establishes a defined list of claim types that are allowed to pass through. Additionally, it offers more advanced functionality by supporting regular expressions, enabling precise control over the types of values permitted for a given claim type.


    The Transformation consists of five sections:

    Claim Transformation Name: Give the Transformation object a name that will make it easy to recognize when adding to the Pipelines of Authentication and Protocol connections.

    Culture: Because expressions may use and compare numbers, the system must know which culture applies so that it can tell whether a comma or a dot is the decimal point. Currently only two cultures are supported: Danish (comma is the decimal point) and American (dot is the decimal point). These should cover the needs of other cultures with regard to this issue.

    Owner Organization: The organization that the Claim Transformation is added to.

    Execute before loading claims from local store: By default, a claim transformation rule is executed after claims from the local store are loaded for a principal. Check this option to let it execute before the load.

    Conditions: The Transformation object can be applied to a Pipeline only when certain conditions on the token or user are met. The options include:

    • The option to skip the Transformation step when the token belongs or does not belong to a user identified as existing in the Safewhere Identify repository.
    • The option to specify that the Transformation object is not applied when the token is processed via a specific Authentication Connection or Protocol Connection.
    • The option to specify regular expressions that define which tokens are to be exposed to the transformation step. Please see the Using Regular Expressions in Claim Transformation Conditions section to learn more.

    Claims type: First, select the claim type to allow. You can either choose one from the Claim Type dropdown or manually enter a custom claim type in the Enter a claim type that does not exist in Identify text field. Next, specify the allowed values. Regular expressions can be used to define the range of acceptable values. Here are some examples of supported formats:

    • An exact match is just stated as is, e.g., "UserAdmin"

    • Matching with anything that starts or ends with a specific word is done using an asterisk:

      • Ends with something specific, e.g., "*Admin"
      • Starts with something specific, e.g., "User*"
      • Has a value anywhere in the string, e.g., "*Ad*"
    • Allow specific positions in a string to be replaced by any character, e.g., "User?dmin".

    • Numeric comparisons are supported, e.g., < 3; <=3; > 3; >=3; = 3. Negative values are also supported. For decimal values, make sure you enter the value in the decimal format of the culture specified in the Claim Transformation.

    • More advanced regular expression syntax is also supported. Refer to online resources to learn more about using regular expressions.
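
    The allowed-value formats listed above can be modelled in a few lines to check what a given pattern will and will not let through before it is configured. This is an added example, not Safewhere Identify code: it covers the exact, wildcard and numeric formats only, and shows why the Culture setting decides whether a value such as "2,5" counts as a number at all. Assumptions: the culture codes `da-DK` and `en-US`, case-sensitive matching against the whole value, the function names and the sample claims are all constructed for illustration.

```python
import re
from decimal import Decimal

# Decimal separator for the two cultures the page names (culture codes are assumed labels).
DECIMAL_SEP = {"da-DK": ",", "en-US": "."}
COMPARISON = re.compile(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*")
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "=": lambda a, b: a == b}

def parse_number(text, culture):
    """Return a Decimal, or None when text is not a number in this culture."""
    sep = re.escape(DECIMAL_SEP[culture])
    if not re.fullmatch(r"-?[0-9]+(?:%s[0-9]+)?" % sep, text.strip()):
        return None  # wrong separator or non-numeric: reject rather than guess
    return Decimal(text.strip().replace(DECIMAL_SEP[culture], "."))

def value_allowed(pattern, value, culture="en-US"):
    """Model of one allowed-value pattern: numeric comparison or wildcard."""
    cmp_match = COMPARISON.fullmatch(pattern)
    if cmp_match:
        bound = parse_number(cmp_match.group(2), culture)
        number = parse_number(value, culture)
        if bound is None or number is None:
            return False
        return OPS[cmp_match.group(1)](number, bound)
    # '*' = any run of characters, '?' = exactly one; all else literal.
    # Assumption: matching is case-sensitive and anchored to the whole value.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def filter_claims(claims, allowed, culture="en-US"):
    """Keep only claims whose type is listed and whose value matches a pattern."""
    return [(ctype, value) for ctype, value in claims
            if any(value_allowed(p, value, culture) for p in allowed.get(ctype, []))]

# Constructed sample token claims and allow list.
SAMPLE = [("role", "UserAdmin"), ("role", "Guest"),
          ("level", "2.5"), ("email", "a@example.com")]
ALLOWED = {"role": ["*Admin"], "level": ["< 3"]}

if __name__ == "__main__":
    print(filter_claims(SAMPLE, ALLOWED))          # role=UserAdmin and level=2.5 survive
    print(value_allowed("< 3", "2,5", "da-DK"))    # comma is the decimal point
    print(value_allowed("< 3", "2,5", "en-US"))    # not a number under en-US
```

    In this model a claim type that is absent from the allow list is dropped, and a value that cannot be parsed under the selected culture fails a numeric comparison instead of being coerced.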
