A few times in the preceding example, we have discussed claims. But what exactly is a claim, and how is it generated?
A claim is simply a statement about a user that claims-aware applications use for authorization purposes. Each claim carries a value about a user, such as their UPN, email address, or Common Name (CN).
AD FS supports many different claim types. The claim type indicates what sort of value the claim contains. The following table lists the most commonly used claim types:
| Claim type | Description |
|---|---|
| UPN | UPN of the user |
| Email address | RFC 5322-type email address |
| Given name | Given name of the user |
| CN | CN value of the user account |
| Name | Name of the user |
| Surname | Surname of the user |
| Windows Account Name | Domain account in domain\user format |
| Group | Group the user belongs to |
| Role | Role of the user |
| AD FS 1.x UPN | UPN of the user when interacting with AD FS 1.x |
| AD FS 1.x email address | RFC 5322-type email address of the user when interacting with AD FS 1.x |
Claims retrieve their values from the attribute store. The attribute store is a directory or database that contains user accounts and their associated attributes, so AD can itself play the role of an attribute store. As an example, in an AD environment, if the claim type is UPN, the claim value is retrieved from the attributes of the user's AD account.
AD FS also supports many industry standards, which are used to build third-party claims-based solutions. This ensures interoperability with many of the cloud-based or hosted applications on the market today.
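The mapping from attribute store to claim described above is what an AD FS issuance transform rule expresses. The following is an added example, not code from the book: it assumes a relying party trust named "ExampleApp" and a placeholder group SID, and it pulls the UPN, email, given name and surname claims from the Active Directory attribute store, then derives a Role claim from group membership.

```powershell
# Added example (not from the book). Assumes a relying party trust
# named "ExampleApp" already exists on this AD FS server, and that
# <PLACEHOLDER-GROUP-SID> is replaced with the SID of the AD group
# whose members should receive the "app-admins" role.
Import-Module ADFS

$rules = @'
@RuleName = "Issue UPN, email, given name and surname from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";userPrincipalName,mail,givenName,sn;{0}",
          param = c.Value);

@RuleName = "Map admin group membership to a Role claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "<PLACEHOLDER-GROUP-SID>"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
          Value = "app-admins");
'@

# Replace the relying party's issuance transform rules with the set above.
# Only the attributes the application actually needs are issued: the
# relying party receives no group list, just the single derived Role claim,
# which keeps the token minimal and the authorization decision explicit.
Set-AdfsRelyingPartyTrust -TargetName "ExampleApp" -IssuanceTransformRules $rules

# Read the rules back to confirm what the relying party will now receive.
(Get-AdfsRelyingPartyTrust -Name "ExampleApp").IssuanceTransformRules
```

Matching on the group SID rather than the group name means a renamed group does not silently change who gets the role.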