CreateAlternativeSecurityId Transformation

A CreateAlternativeSecurityId transformation is used to create an ‘AlternativeSecurityId’ – a two-part identifier widely used in AAD and consisting of:
  1. the name of an identity provider; and
  2. a unique naming claim identifying objects within that identity provider’s namespace.

An example would be Microsoft Account (MSA) as an identity provider and ‘john@hotmail.com’ as a unique name (called a ‘key’) inside the MSA’s namespace.  Although its actual encoding would be different, one can think of it as being:

{
"identityProvider" : "MSA",
"key" : "john@hotmail.com"
}

This construct is important because John might, for example, use his Hotmail or Google email address as his account name at facebook. The AlternativeSecurityIds then distinguish the various accounts, since in the facebook case the AlternativeSecurityId can be thought of as:

{
"identityProvider" : "facebook",
"key" : "john@hotmail.com"
}

InputClaims

  TransformationClaimType   Description
  identityProvider          The identity provider asserting an account name
  key                       The unique account name within the identity provider’s namespace

OutputClaims

  TransformationClaimType   Description
  alternativeSecurityId     The encoded AlternativeSecurityId

Example

This example defines a ClaimsTransformation of the ‘CreateAlternativeSecurityId’ type called ‘CreateAlternativeSecurityId’. The policy schema’s ‘userId’ and ‘identityProvider’ claims are transformed into an encoded AlternativeSecurityId, which is returned as the alternativeSecurityId claim.

<ClaimsTransformation Id="CreateAlternativeSecurityId" TransformationMethod="CreateAlternativeSecurityId">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="userId" TransformationClaimType="key" />
    <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
  </OutputClaims>
</ClaimsTransformation>
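The following is an added example, not code from the page or from Azure AD B2C: a small lint that checks a CreateAlternativeSecurityId ClaimsTransformation element (like the one above) for the two named inputs and one named output the method requires, plus a constructed stand-in encoding that shows why the (identityProvider, key) pair described at the top of the page, and not the key alone, identifies an account. The function names and the JSON encoding are assumptions for illustration; AAD's real encoding differs.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the page's ClaimsTransformation element as a string.
POLICY_XML = """<ClaimsTransformation Id="CreateAlternativeSecurityId" TransformationMethod="CreateAlternativeSecurityId">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="userId" TransformationClaimType="key" />
    <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
  </OutputClaims>
</ClaimsTransformation>"""

# The method's contract as documented: two named inputs, one named output.
REQUIRED_INPUTS = {"identityProvider", "key"}
REQUIRED_OUTPUTS = {"alternativeSecurityId"}

def lint_transformation(xml_text):
    """Return the problems found in a ClaimsTransformation element; an empty
    list means every required TransformationClaimType is wired up."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("TransformationMethod") != "CreateAlternativeSecurityId":
        problems.append("TransformationMethod is not CreateAlternativeSecurityId")
    inputs = {e.get("TransformationClaimType", "") for e in root.iter("InputClaim")}
    outputs = {e.get("TransformationClaimType", "") for e in root.iter("OutputClaim")}
    for name in sorted(REQUIRED_INPUTS - inputs):
        problems.append("missing InputClaim TransformationClaimType=" + name)
    for name in sorted(inputs - REQUIRED_INPUTS):
        problems.append("unexpected InputClaim TransformationClaimType=" + name)
    for name in sorted(REQUIRED_OUTPUTS - outputs):
        problems.append("missing OutputClaim TransformationClaimType=" + name)
    return problems

def alternative_security_id(identity_provider, key):
    """Constructed stand-in for the encoded AlternativeSecurityId (AAD's real
    encoding differs): a canonical JSON rendering of the two-part identifier.
    Because the provider is part of the value, the same key used at two
    providers yields two different identifiers."""
    return json.dumps({"identityProvider": identity_provider, "key": key},
                      sort_keys=True, separators=(",", ":"))

if __name__ == "__main__":
    print(lint_transformation(POLICY_XML))
    print(alternative_security_id("MSA", "john@hotmail.com"))
    print(alternative_security_id("facebook", "john@hotmail.com"))
```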
