Scripting claims transformation
The Scripting claims transformation uses C# as the scripting language to issue claims.
You can use all types that are defined in System.dll, System.Linq.dll, System.Web.dll, System.Core.dll, System.IdentityModel.dll, and System.Xml.dll. In addition, we provide a set of helper methods to help you issue claims more easily.
GetClaim(string claimType): Returns the value of the first claim whose claim type equals the input claim type. Note: The claim type is case sensitive.
var value = GetClaim("urn:firstname");
// or, with an explicit type:
string value = GetClaim("urn:firstname");
GetNameIdFromIdentityProvider(): Returns the value of a NameID that is returned from an upstream Identity Provider.
var nameIdValue = GetNameIdFromIdentityProvider();
GetNameIdFormatFromIdentityProvider(): Returns the format of a NameID that is returned from an upstream Identity Provider.
var nameIdFormat = GetNameIdFormatFromIdentityProvider();
GetIdentityType(): Returns the IdentityType attribute that your Service Provider sends to Identify via the AuthnContextRefClass element. The accepted IdentityType values are https://data.gov.dk/eid/Person or https://data.gov.dk/eid/Professional.
var identityType = GetIdentityType();
GetLevelOfAssurance(): Returns the Level of Assurance value that a login session has after a user finishes logging in.
string loa = GetLevelOfAssurance();
Issue("https://data.gov.dk/concept/core/loa", loa);
Exist(string claimType): Checks whether a claim exists whose claim type equals the input claim type. Note: The claim type is case sensitive.
bool value = Exist("urn:firstname");
// or, with an inferred type:
var value = Exist("urn:firstname");
Match(string claimType, string valuePattern): Checks whether a claim exists whose claim type equals the input claim type and whose value matches the input value pattern. Note: The claim type is case sensitive. The pattern must be a valid regular expression.
bool value = Match("urn:firstname", "^Pete");
// or, with an inferred type:
var value = Match("urn:firstname", "^Pete");
Issue(string claimType, string claimValue): Issues a new claim {claim type, claim value}.
Issue("urn:firstname", "Peter");
Issue(string claimType, string claimValue, string nameFormat, string friendlyName): Issues a new claim {claim type, claim value} with a specific name format and friendly name.
Issue("urn:firstname", "Peter", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "First name");
IssueEmptyIfNotExist(string claimType): If the issuing token doesn’t contain any claim whose claim type equals the input value, issues such a claim with an empty value.
IssueEmptyIfNotExist("urn:firstname");
IssueBootstrapToken(string claimType): Encodes the bootstrap token from an upstream Identity Provider and issues it as a claim.
IssueBootstrapToken("urn:BootstrapContext:claim");
Add(string claimType, string claimValue): Adds a new {claim type, claim value} to the token. The newly added claim will be available for other claim rules to use but will eventually be removed before the token is issued.
Add("urn:firstname", "Peter");
AddEmptyIfNotExist(string claimType): If the issuing token doesn’t contain any claim whose claim type equals the input value, adds such a claim with an empty value to the token. The newly added claim will be available for other claim rules to use but will eventually be removed before the token is issued.
AddEmptyIfNotExist("urn:firstname");
Remove(string claimType): Removes all claims of the input claim type.
Remove("urn:removeme");
Remove(string claimType, string claimValue): Removes all claims that match the input {claim type, claim value} pair. Note: The claim type is case sensitive while the claim value is not.
Remove("urn:removeme", "RemoveX");
GuidToBase64(string guid): Converts a GUID to a Base64 string.
if (Exist("dk:gov:saml:attribute:CvrNumberIdentifier") && Exist("dk:gov:saml:attribute:RidNumberIdentifier"))
    Issue("dk:gov:saml:attribute/UniqueAccountKey",
        Concat("xri://", GetClaim("dk:gov:saml:attribute:CvrNumberIdentifier"), "/00000000.0/",
            GuidToBase64(GetClaim("dk:gov:saml:attribute:RidNumberIdentifier"))));
ToBase64(string s): Converts a string to a Base64 string.
if (Exist("dk:gov:saml:attribute:CvrNumberIdentifier") && Exist("dk:gov:saml:attribute:RidNumberIdentifier"))
    Issue("dk:gov:saml:attribute/UniqueAccountKey",
        Concat("xri://", GetClaim("dk:gov:saml:attribute:CvrNumberIdentifier"), "/00000000.0/",
            ToBase64(GetClaim("dk:gov:saml:attribute:RidNumberIdentifier"))));
Concat(params string[] values): Concatenates many strings into a single string.
string newString = Concat("abc", "xyz");
Issue("urn:fullName", Concat(GetClaim("urn:firstName"), " ", GetClaim("urn:lastName")));
IssueNameId(string claimvalue, string format, string spprovidername): Issues a NameID.
- claimvalue: The claim value of a NameID.
- format: The format of a NameID. Use "None/none" to issue a NameID without a format.
  - When the input format is "urn:oasis:names:tc:SAML:2.0:nameid-format:entity", the claim value must be in URI format.
  - When the input format is "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", the claim value will be auto-generated with a random GUID value.
- When the input format is
- spprovidername: This property is there for future usage. You can pass an empty string to it for now.
var NameIdvalue = GetClaim("urn:identify:firstname");
IssueNameId(NameIdvalue, "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "");
IssueTransientNameId(string claimvalue, string spprovidername): Issues a transient NameID (urn:oasis:names:tc:SAML:2.0:nameid-format:transient). The claim value is the value of the issuing NameID.
- claimvalue: The claim value of a NameID.
- spprovidername: This property is there for future development. You can pass an empty string to it for now.
const string nameIdTemplate = "https://test/model/core/eid/person/uuid/{0}";
IssueTransientNameId(string.Format(nameIdTemplate, Guid.NewGuid().ToString()), "");
Tip: Linq methods are supported. You can use Linq syntax to simplify your scripts. For example:
// Get all values of a specific claim when it is supposed to have more than 1 value
var values = ClaimsPrincipal.Claims.Where(c => c.Type == claimType).Select(c => c.Value);
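Example (added here, not part of the product documentation): one script body that combines the helpers above and shows the points that matter when a claim drives an access decision. The claim types urn:role, urn:email, urn:isAdmin, urn:isInternalUser, urn:tmp:emailChecked and urn:internal:debug, the role value "admin" and the domain example.org are constructed for illustration; that working claims are read by a later rule is an assumption about how your rules are ordered.

```csharp
// Added example: body of a Scripting claims transformation.
// It uses only the helpers and the ClaimsPrincipal.Claims collection shown on this page.
// All claim types and values below are constructed for illustration.

// Claim types are case sensitive: keep one casing everywhere and test with
// Exist before reading, instead of relying on what GetClaim does for a missing claim.
if (Exist("urn:firstName") && Exist("urn:lastName"))
{
    Issue("urn:fullName", Concat(GetClaim("urn:firstName"), " ", GetClaim("urn:lastName")));
}

// GetClaim returns only the first claim of a type. When a claim can carry several
// values (for example roles), decide on all of them, with an exact ordinal comparison.
var roles = ClaimsPrincipal.Claims
    .Where(c => c.Type == "urn:role")
    .Select(c => c.Value)
    .ToList();
if (roles.Any(r => string.Equals(r, "admin", StringComparison.Ordinal)))
{
    Issue("urn:isAdmin", "true");
}

// Match takes a regular expression. A prefix pattern such as "^Pete" constrains only
// the start of the value; when the whole value must be constrained, anchor both
// ends and escape literal dots.
if (Match("urn:email", @"^[^@\s]+@example\.org$"))
{
    // Add creates a working claim: other claim rules can use it, but it is removed
    // before the token is issued, so the Service Provider never sees it.
    Add("urn:tmp:emailChecked", "true");

    // Issue creates a claim that is part of the issued token.
    Issue("urn:isInternalUser", "true");
}

// Remove an upstream claim type that should not be present in the issued token.
Remove("urn:internal:debug");
```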