Configure a Claims Transform Module

Applies To: Windows Server 2008

A claims transform module is custom code that manipulates organization, input (incoming), and output (outgoing) claims. Typically, transform modules use the corporate and input claims to produce additional output claims. However, the claim transform module can enumerate, add, delete, and modify claims in any of the claim sets.

Store the claims transform module in %systemdrive%\Windows\ADFS\bin. This location provides the following advantages:

  • ASP.NET keeps a shadow copy of the dynamic-link library (DLL), which allows the DLL to be replaced without stopping the Federation Service, thereby preventing downtime.

  • File security is inherited from the \ADFS\bin directory.

  • The module can be backed up along with all other Active Directory Federation Services (AD FS) files.

After you deploy the transform module to the federation server, perform the following procedure on the account federation server or resource federation server that is configured with the trust policy whose claims transform module you are configuring.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure a claims transform module

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, right-click the Trust Policy node, and then click Properties.

  3. On the Transform Module tab, configure the DLL file and class name for the module as follows:

    1. DLL file: Click Browse to navigate to the DLL that implements the claim transform module, and then click Open.

       Note

       This DLL must be a managed-code assembly.

    2. Class name: Type the namespace-qualified class name that implements the claim transform interface (IClaimTransform, which is defined in System.Web.Security.SingleSignOn.ClaimTransforms.dll). The namespace-qualified name should be in the format namespace.classname.

  4. Click OK to save the configuration.
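
A pre-flight check for the two values entered on the Transform Module tab, as an added example that is not part of the original page or of Microsoft's tooling: it confirms that the DLL is a managed-code assembly, that the class name resolves and implements IClaimTransform, and that the file's security is inherited. The function name, module path and class name are hypothetical, and PowerShell 2.0 or later on the federation server is assumed.

```powershell
# Added example. Assumes PowerShell 2.0 or later, run on the federation server.
function Test-ClaimTransformModule {
    param(
        [string]$DllPath,    # value for "DLL file"
        [string]$ClassName   # value for "Class name" (namespace.classname)
    )
    $problems = @()

    # The DLL must be a managed-code assembly. GetAssemblyName reads only the
    # assembly manifest and throws BadImageFormatException for a native DLL.
    $managed = $true
    try { $null = [System.Reflection.AssemblyName]::GetAssemblyName($DllPath) }
    catch [System.BadImageFormatException] {
        $managed = $false
        $problems += "Not a managed-code assembly: $DllPath"
    }

    if ($managed) {
        # The class must resolve by its namespace-qualified name and implement
        # IClaimTransform. LoadFrom keeps the file locked for this session.
        $type = [System.Reflection.Assembly]::LoadFrom($DllPath).GetType($ClassName, $false)
        if ($type -eq $null) {
            $problems += "Type '$ClassName' not found in $DllPath"
        } elseif (-not ($type.GetInterfaces() | Where-Object { $_.Name -eq 'IClaimTransform' })) {
            $problems += "Type '$ClassName' does not implement IClaimTransform"
        }
    }

    # File security should be inherited from \ADFS\bin; flag a DLL whose ACL
    # blocks inheritance, and list who is allowed to write to it for review.
    $acl = Get-Acl -Path $DllPath
    if ($acl.AreAccessRulesProtected) {
        $problems += "ACL inheritance is disabled on $DllPath"
    }
    $writeData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $writers = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ([int]$_.FileSystemRights -band $writeData)
    } | ForEach-Object { $_.IdentityReference.Value })

    New-Object PSObject -Property @{ Problems = $problems; CanWrite = $writers }
}

# Hypothetical module path and class name; substitute your own.
$dll = Join-Path $env:SystemDrive 'Windows\ADFS\bin\ContosoTransform.dll'
Test-ClaimTransformModule -DllPath $dll -ClassName 'Contoso.Claims.GroupTransform'
```

Close the PowerShell session after the check so that its lock on the DLL is released before the file is replaced. Any identity in CanWrite can change the code that rewrites claims, so that list should contain only administrative accounts.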