Creating a rule to pass-through or filter an incoming claim

Applies To: Unified Access Gateway

Using the Pass Through or Filter an Incoming Claim rule template in Active Directory Federation Services (AD FS) 2.0, you can pass through all incoming claims with a selected claim type. You can also filter the values of incoming claims with a selected claim type. For example, you can use this rule template to create a rule that will send all incoming group claims. You can also use this rule to send only user principal name (UPN) claims that end with @fabrikam.

For information about claim rules, see The Role of Claim Rules (https://go.microsoft.com/fwlink/?LinkId=200712) and When to Use a Pass Through or Filter Claim Rule (https://go.microsoft.com/fwlink/?LinkId=200713).

Use the following procedure to create the required claim rule with the AD FS 2.0 Management snap-in for use with Forefront Unified Access Gateway (UAG).

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure.

To create a rule to pass through or filter an incoming claim

  1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

  2. In the console tree, under AD FS 2.0\Trust Relationships, click Relying Party Trusts, and then click the UAG trust in the list.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. On the Edit Claim Rules dialog box, click the Issuance Transform Rules tab, and then click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

  6. Configure the claim rule on the Configure Rule page.

    1. Under Claim rule name type the display name for this rule.

    2. In the Incoming claim type list, select the required claim type, for example Name.

      Important

      You must configure the AD FS 2.0 server to send claims that correspond with the claim types defined for the AD FS 2.0 authentication repository on the Forefront UAG server, for Kerberos constrained delegation, and for application authorization. See Configuring an AD FS 2.0 authentication repository, Configuring single sign-on with Kerberos constrained delegation to non-claims-aware applications, and Configuring claims-based application authorization.

    3. Click Pass through all claim values.

    4. Click Finish.

  7. Repeat steps 4 through 6 to configure all the claim types that the AD FS 2.0 server will send.

  8. On the Edit Claim Rules dialog box, click OK to save the rules.