The claim type identifier (ID) determines the Common Name (cn) of the claim type object in Active Directory. Normally, Active Roles automatically generates an ID when creating a claim type. The automatically generated ID has the following format:
ad://ext/attributeName:uniqueHexidecimalNumber
In this format, attributeName
stands for the LDAP display name of the claim type’s source attribute and uniqueHexidecimalNumber
is a randomly generated string of hexadecimal characters that ensures the uniqueness of the claim type’s ID.
To enable authorization scenarios where claims are used across a forest trust, you need to create claim types in both the trusted forest and trusting forest with the same claim type ID. Domain controllers in a trusting forest receiving claims from a trusted forest cannot understand these claims unless:
Therefore, when you create a claim type object, you may need to specify the appropriate claim type ID by hand. The option Set ID to a semantically identical claim type in a trusted forest serves this purpose, allowing you to type in an ID instead of having it created automatically. If you choose to enter an ID by hand, ensure that your ID string specifies a unique ID and conforms to the following format:
ad://ext/
prefix
\ * ? " < > |
/
) occurs after the ad://ext/
prefix, then the slash mark must be surrounded by a character on each side. The surrounding character must not be a colon (:
) or slash mark. A valid example of an ID string is ad://ext/BusinessImpact
.
The option Set ID to a semantically identical claim type in a trusted forest is available only when you create a claim type object. The ID should not be changed on existing claim type objects. When you create a claim type object, it is advisable to let an ID be generated automatically unless a business need justifies otherwise, such as the use of claim transformation policies in a multi-forest environment. This ensures that the newly created claim type has a valid, unique ID.
The display name of the claim type object is used to represent the claim type as a choice throughout the user interface. Thus, when you configure a conditional expression for an access rule, the condition builder allows you to select a claim type from a list where each list item is the display name of a certain claim type object. For this reason, each claim type object must be given a unique display name. The display name accepts alphanumeric characters as valid data.
You can use the description of the claim type object to specify a short comment about the claim type. Comments typically include purpose, department usage, or business justification.
You have the option to choose whether claims of the given claim type can be issued for user or computer object class, or both. With the option to issue claims for the user object class, the claim type causes domain controllers to issue user claims based on the attribute of the authenticating user. With the option to issue claims for the computer object class, the claim type causes domain controllers to issue device claims based the attribute of the authenticating user’s computer. You can configure a claim type to issue both user and device claims. When you create a conditional expression for an access rule, and choose the claim type to evaluate, the condition builder allows you to distinguish between user and device claims of the same claim type.
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy