Chat now with support
Chat with Support

Active Roles 8.2 - Feature Guide

Introduction About Active Roles
Main Active Roles features Technical overview of Active Roles
About presentation components Overview of service components About network data sources About security and administration elements About Active Directory security management Customization using ADSI Provider and script policies About dynamic groups About workflows Operation in multi-forest environments
Examples of use
Administrative rules and roles
About Managed Units About Access Templates About Access Rules About rule-based autoprovisioning and deprovisioning
Configuring and administering Active Roles Overview of Active Roles Synchronization Service Support for AWS Managed Microsoft AD FIPS compliance LSA protection support STIG compliance

About the claim type identifier setting

The claim type identifier (ID) determines the Common Name (cn) of the claim type object in Active Directory. Normally, Active Roles automatically generates an ID when creating a claim type. The automatically generated ID has the following format:

ad://ext/attributeName:uniqueHexidecimalNumber

In this format, attributeName stands for the LDAP display name of the source attribute of the claim type, while uniqueHexidecimalNumber is a random-generated string of hexadecimal characters that ensures the uniqueness of the claim type ID.

To enable authorization scenarios where claims are used across a forest trust, you need to create claim types in both the trusted forest and trusting forest with the same claim type ID. Domain controllers in a trusting forest receiving claims from a trusted forest cannot understand these claims unless:

  • Each claim has a claim type object created in both forests.

  • The claim type ID in the trusting forest is identical to the claim type ID in the trusted forest.

  • A Claim Transformation Policy Object is applied to allow incoming claims across the forest trust.

Therefore, when you create a claim type object, you may need to specify the appropriate claim type ID by hand. The option Set ID to a semantically identical claim type in a trusted forest serves this purpose, allowing you to type in an ID instead of having it created automatically. If you choose to enter an ID by hand, ensure that your ID string specifies a unique ID and conforms to the following format:

  • Starts with the ad://ext/ prefix.

  • The prefix is followed by 1 to 32 characters.

  • Does not contain space characters or these characters: \ * ? " < > |.

  • If a slash mark (/) occurs after the ad://ext/ prefix, then the slash mark must be surrounded by a character on each side. The surrounding character must not be a colon (:) or slash mark.

A valid example of an ID string is ad://ext/BusinessImpact.

The option Set ID to a semantically identical claim type in a trusted forest is available only when you create a claim type object. The ID should not be changed on existing claim type objects. When you create a claim type object, it is advisable to let an ID be generated automatically unless a business need justifies otherwise, such as the use of claim transformation policies in a multi-forest environment. This ensures that the newly created claim type has a valid, unique ID.

About the display name setting

The display name of the claim type object is used to represent the claim type as a choice throughout the user interface. Thus, when you configure a conditional expression for an access rule, the condition builder allows you to select a claim type from a list where each list item is the display name of a certain claim type object. For this reason, each claim type object must be given a unique display name. The display name accepts alphanumeric characters as valid data.

About the description setting

You can use the description of the claim type object to specify a short comment about the claim type. Comments typically include purpose, department usage, or business justification.

About the user or computer claim issuance setting

You have the option to choose whether claims of the given claim type can be issued for user or computer object class, or both. With the option to issue claims for the user object class, the claim type causes domain controllers (DCs) to issue user claims based on the attribute of the authenticating user. With the option to issue claims for the computer object class, the claim type causes DCs to issue device claims based the attribute of the computer of the authenticating user. You can configure a claim type to issue both user and device claims. When you create a conditional expression for an access rule, and choose the claim type to evaluate, the condition builder allows you to distinguish between user and device claims of the same claim type.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating