Claims Administration

Claim list


The claims module supports the creation of two types of claims: discrete and free. A discrete claim is a multi- or single-select field with predefined options, whereas a free claim is just a free text field. Use the “New” button to select the type of claim that you wish to create.

claim list

Claim form


There are two different views for this form: one for free claims and one for discrete claims.
Below is the form for a free claim:

Claim form - free claim

Below is the form for a discrete claim:

Claim form - discrete

The different options on the above form are described below.

Claim Type: The type of statement in the claim that is made. Examples of claim types include First Name and Role. The claim type provides context for the claim value and is usually expressed as a Uniform Resource Identifier (URI).

Friendly Name: A user-friendly name for the claim type. This field supports localization.

Variable Name: In order to use claims in regular expressions (for conditions in Claim Transformations) they will need to be given variable names. These names can only consist of characters A to z and digits 0 to 9.

User can edit field in My Profile: When ticked, this claim will appear on the My Profile page for all users, so that they themselves can update the value.

Restrict view and editing by sub-organizations: Activate this feature if you do not want to allow users from child organizations to view or edit values for this claim type. The result will be that users from such organizations will not see this claim type when they view user forms.

Restrict Elevation (only for discrete claims): Set this option to true if you want to prevent users who have access to either the user list or the My Profile page from granting options that they do not have selected for their own account. It is recommended that you set this option to true for discrete claims that are used for role and security purposes, since it makes little sense for a user to be given a certain set of permissions if they can later change these through their access to the user list.

Show claim type as column in user list: When ticked, this claim type will appear as a column in the user list. It is a good idea to add claims as columns that help identify users, e.g. email or phone.

Sensitive claim: If a claim holds particularly sensitive information that you do not want tracked in the system's audit log, you can tag it as “Sensitive”. For such sensitive claims, the values issued over time will not be traceable.

Number of options that user can select (only for discrete claims): This defines whether the claim is single or multi select. Single select means that users can only set one value for the claim. This would make sense if the claim holds information on e.g. country of birth. If the claim holds information on roles, where users can typically have more than one, then this setting should be set to “Multiple”.

Avoid issuing claims: If you want to make certain that values for this claim are never issued to RPs/IdPs in connection with token requests, tick this checkbox. An alternative is to make sure that the claim is always stopped in the regular claim pipelines, but if you are certain it should never be issued, using this setting is a lot easier. The typical reason to restrict issuance is that a claim is only used for internal purposes, e.g. the Device Activation Code.

Owner Organization: The organization that the claim is added to. Only users from this organization or its parents will be able to edit or delete the claim.

Options: This section holds the different options that can be selected for the claim. It is necessary to specify at least one option in order to save a discrete claim. Use the “Add” button in order to add more options to the list. Options that are already in use in the system will not be allowed to be deleted (illustrated by the fact that no “Remove” button will appear next to the “Edit” button).
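The following sketch shows how the Restrict Elevation and "Number of options that user can select" settings described above could be enforced on the server when a discrete claim is edited. It is an added example, not Safewhere Identify code; the class, function, field names and the `urn:example:role` claim type are hypothetical, and it assumes that only newly granted options are subject to the elevation check.

```python
from dataclasses import dataclass

# Hypothetical model of a discrete claim definition; field names mirror the
# form's settings but are not Safewhere Identify's own identifiers.
@dataclass(frozen=True)
class DiscreteClaim:
    claim_type: str
    options: frozenset
    multiple: bool = True             # "Number of options that user can select"
    restrict_elevation: bool = False  # "Restrict Elevation"


def check_update(claim, editor_has, target_has, requested):
    """Return the reasons an edit must be rejected (empty list = allowed).

    editor_has / target_has: options currently selected on the editor's and
    the edited user's accounts; requested: the target's proposed new selection.
    """
    editor_has, target_has, requested = map(
        frozenset, (editor_has, target_has, requested))
    errors = []
    unknown = requested - claim.options
    if unknown:
        errors.append(f"unknown options: {sorted(unknown)}")
    if not claim.multiple and len(requested) > 1:
        errors.append("single-select claim allows only one option")
    if claim.restrict_elevation:
        # Assumption: only newly granted options are checked; options the
        # target already holds may stay, and removals are always allowed.
        elevated = (requested - target_has) - editor_has
        if elevated:
            errors.append(f"editor lacks options being granted: {sorted(elevated)}")
    return errors


# Constructed sample data: a role claim used for security purposes.
ROLE = DiscreteClaim("urn:example:role",
                     frozenset({"User", "Helpdesk", "Admin"}),
                     multiple=True, restrict_elevation=True)

if __name__ == "__main__":
    # A Helpdesk user edits their own profile and tries to add Admin: rejected.
    print(check_update(ROLE, {"Helpdesk"}, {"Helpdesk"}, {"Helpdesk", "Admin"}))
    # An Admin who also holds Helpdesk grants Helpdesk to another user: allowed.
    print(check_update(ROLE, {"Admin", "Helpdesk"}, {"User"}, {"User", "Helpdesk"}))
```

The check applies equally to edits made from the user list and from My Profile, since in both cases the editor's own selection is what bounds the options that can be granted.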

Import of Claims


The claims module also supports importing claims from an XML file using the menu Tools > Import Predefined Claim Type or Upload & Import Custom Claim Type Definition.

import of claims 1

Import Predefined Claim Types: Contains claims from some popular domains, e.g. OIOSAML and WAYF. These claim types exist by default with the system, so simply choose the appropriate set and the claims will be created in the list.

Custom Claim Type: Custom claims that are created by the user. For the Custom Claim Type file, the user has to select the file to import. The XML file must follow the structure shown below.

When importing claims of either predefined or custom type, the user has to select how these claims will be set up. The following dialog will be shown:

import of claims 2

To understand more about these options, read the chapter on the Claim form.

Claims set list


The claims set module supports ‘Claim Sets’, which are a way to tie together a number of claims. Use the ‘New’ button to select the type of claim that you wish to create.

claim set list 1

This will open the claim set form.

claim set list 2

The settings that exist for a claim set are:

Name: Give the claim set object a name that will make it easy to recognize when adding it to the Consent claims sets on the Protocol connections.

Required: When a claims set is required and used for consent, the user must consent to the claim set before he can continue logging in.

Headline: Give the claim set a headline that will make it easy to recognize when viewing it on the ‘My Consent’ or ‘Consent’ page. This field supports localization.

Description: Give the claim set a description that will make it easy for users to understand what information they are accepting may be shared with . This field supports localization.

Owner Organization: The organization that the claims set is added to. Only users from this organization or its parents will be able to edit or delete the claim set.

Select claims for the claims set: Select the claims that belong to the claim set.

There are no restrictions on adding or removing claims, and a claim set may also be saved without any claims added to it. The only validation is that the claim set name must be unique and that the headline and description are not null.
