{"id":1483,"date":"2015-01-31T12:13:04","date_gmt":"2015-01-31T18:13:04","guid":{"rendered":"https:\/\/www.identityblog.com\/?page_id=1483"},"modified":"2015-01-31T12:31:54","modified_gmt":"2015-01-31T18:31:54","slug":"createalternativesecurityid-transformation","status":"publish","type":"page","link":"https:\/\/www.identityblog.com\/?page_id=1483","title":{"rendered":"CreateAlternativeSecurityId Transformation"},"content":{"rendered":"
A CreateAlternativeSecurityId transformation is used to create an ‘AlternativeSecurityId’ – a two-part identifier widely used in AAD\u00a0and consisting of:<\/div>\n
    \n
  1. the name of an identity provider; and<\/li>\n
  2. a unique naming claim\u00a0identifying objects\u00a0within that\u00a0identity provider’s namespace.<\/li>\n<\/ol>\n

    An example would be Microsoft Account (MSA) as an identity provider and ‘john@hotmail.com’ as a unique name (called a ‘key’) inside the MSA’s namespace.\u00a0 Although its actual encoding\u00a0would be\u00a0different, one can think of it as being:
    \n
    \n{
    \n\"identityProvider\" : \"MSA\",
    \n\"key\" : \"john@hotmail.com\"
    \n}
    \n<\/code>
    \nThis construct is important because John might, for example, use\u00a0his email address\u00a0at Hotmail or Google as his account name at\u00a0facebook…\u00a0 The AlternativeSecurityIds would then distinguish the various accounts, since in the facebook case the AlternativeSecurityId can be thought of as:
    \n
    \n{
    \n\"identityProvider\" : \"facebook\",
    \n\"key\" : \"john@hotmail.com\"
    \n}
    \n<\/code><\/p>\n

    \n\n\n<\/colgroup>\n\n\n
    \n

    InputClaims<\/strong><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

    \n\n\n\n<\/colgroup>\n\n\n\n\n
    \n

    TransformationClaimType<\/em><\/span><\/p>\n<\/td>\n

    		Description<\/em><\/span><\/td>\n<\/tr>\n
    \n

    identityProvider<\/em><\/span><\/p>\n<\/td>\n

    		The identity provider asserting an account name<\/td>\n<\/tr>\n
    \n

    key<\/em><\/span><\/p>\n<\/td>\n

    		THe unique account name within the identity provider’s namespace<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
    \n\n\n<\/colgroup>\n\n\n
    \n

    OutputClaims<\/strong><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

    \n\n\n\n<\/colgroup>\n\n\n\n
    \n

    TransformationClaimType<\/em><\/span><\/p>\n<\/td>\n

    		Description<\/em><\/span><\/td>\n<\/tr>\n
    \n

    alternativeSecurityId<\/em><\/span><\/p>\n<\/td>\n

    		The encoded alternativeSecurityId<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
    \n\n\n<\/colgroup>\n\n\n
    \n

    Example<\/strong><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

    \n

    This example defines a ClaimsTransformation of the ‘CreateAlternativeSecurityId’ type called ‘CreateALternativeSecurityId’ .\u00a0The policy schema’s ‘userId’ and ‘identityProvider’ claims are transformed into an encoded AlternativeSecurityId which is returned as alternativeSecurityId claim.<\/p>\n<\/div>\n

    <\/p>\n

          \r\n<<\/span>ClaimsTransformation<\/span> Id<\/span>=\"CreateAlternativeSecurityId\"<\/span> TransformationMethod<\/span>=\"CreateAlternativeSecurityId\"<\/span>><\/span>\r\n        <<\/span>InputClaims<\/span>><\/span>\r\n          <<\/span>InputClaim<\/span> ClaimTypeReferenceId<\/span>=\"userId\"<\/span> TransformationClaimType<\/span>=\"key\"<\/span> \/><\/span>\r\n          <<\/span>InputClaim<\/span> ClaimTypeReferenceId<\/span>=\"identityProvider\"<\/span> TransformationClaimType<\/span>=\"identityProvider\"<\/span> \/><\/span>\r\n        <\/<\/span>InputClaims<\/span>><\/span>\r\n        <<\/span>OutputClaims<\/span>><\/span>\r\n          <<\/span>OutputClaim<\/span> ClaimTypeReferenceId<\/span>=\"alternativeSecurityId\"<\/span> TransformationClaimType<\/span>=\"alternativeSecurityId\"<\/span> \/><\/span>\r\n        <\/<\/span>OutputClaims<\/span>><\/span>\r\n      <\/<\/span>ClaimsTransformation<\/span>><\/span>\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
    A CreateAlternativeSecurityId transformation is used to create an ‘AlternativeSecurityId’ – a two-part identifier widely used in AAD\u00a0and consisting of: the name of an identity provider; and a unique naming claim\u00a0identifying objects\u00a0within that\u00a0identity provider’s namespace. An example would be Microsoft Account (MSA) as an identity provider and ‘john@hotmail.com’ as a unique name (called a ‘key’) inside … Continue reading CreateAlternativeSecurityId Transformation<\/span><\/a><\/p>\n","protected":false},"author":68,"featured_media":0,"parent":1453,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/pages\/1483"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1483"}],"version-history":[{"count":4,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/pages\/1483\/revisions"}],"predecessor-version":[{"id":1488,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/pages\/1483\/revisions\/1488"}],"up":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/pages\/1453"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}