Feature Description


After a successful authentication and authorization step, ProAuth issues the requested tokens with the appropriate claims. The claims included in the issued tokens can be customized with the claim rule engine. However, mandatory or sensitive claims (e.g. sub) cannot be modified by the claim rule engine.

The purpose of the claim rule engine is:

  • filter out unneeded or unwanted claims
  • change a claim’s type or value based on conditions
  • add new claims based on conditions
  • define the claim target (ID Token, Access Token, or both)

Before the tokens are issued, all claims (ProAuth claims and claims from the federated identity provider) are processed by the claim rule engine. Only the resulting claims are added to the tokens to be issued.


Claim Rules Association


Claim rules can be defined at different organizational levels, namely the Subscription level, the Tenant level, the Client Application level, and for a combination of a Client Application and an IdP Instance. All the claim rules applicable to the current login process are evaluated.


Claim Rules pipeline


All the resulting claim rules are grouped by their level, starting at level 0. All the rules of the same level are executed in parallel and their results are combined into a level result. If multiple rules return the same claim (same type and value), only a single instance is returned in the level result. If the same claim has different claim targets, the claim targets are combined for this claim in the level result. The output of the preceding level is the input of the succeeding level. The result set of the last level is the basis on which the tokens are issued.


Claim Rule types


There are currently four types of claim rules:


  • Filter Claim Rule

    A filter claim rule filters the claims according to their type, their value, or a combination of both. Only claims that match the filter criteria are forwarded to the result set.

    Filter type:

    • Filter claim type by regex
    • Filter claim value by regex
    • Filter claim type by regex and claim value by regex
  • Transform Claim Rule

    A transform claim rule modifies the type, the value, or both of a claim and forwards the modified claim to the results.

    • Match Criteria (same as filter, only matched claims are transformed)
      • Match claim type by regex
      • Match claim value by regex
      • Match claim type by regex and claim value by regex
    • Transform
      • Transform claim type by regex and replacement pattern
      • Transform claim value by regex and replacement pattern
      • Transform claim type and claim value by regex and replacement pattern
  • Create Claim Rule

    The create claim rule adds an additional claim to the results.

    • Create Rule
      • Fixed value for type or value
      • Template variables (user properties)
  • Conditional Create Claim Rule

    The conditional create claim rule adds an additional claim if the condition applies. If the condition is satisfied by multiple claims, only a single new claim is created.

    • Match Criteria (same as filter; the new claim is created only if at least one claim matches)
      • Match claim type by regex
      • Match claim value by regex
      • Match claim type by regex and claim value by regex
    • Create Rule
      • Fixed value for type or value
      • Template variables (user properties)
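The pipeline and the four rule types described above, as an added Python example that is not ProAuth's own code: regex-driven filter, transform, create and conditional create rules, a per-level merge that collapses identical claims and unions their claim targets, and a protected-claims set that carries sub through unchanged. The merge semantics (a level result is the union of its rules' outputs), the PROTECTED set, the rule signatures and the sample claims in demo() are all assumptions constructed for this example.

```python
import re
from typing import NamedTuple
PROTECTED = {"sub"}  # assumed: claim types no rule may change; the page names sub as one

class Claim(NamedTuple):
    type: str
    value: str
    targets: frozenset = frozenset({"id_token", "access_token"})

def matches(c, type_re=None, value_re=None):
    return (not type_re or re.search(type_re, c.type)) and (not value_re or re.search(value_re, c.value))
def filter_rule(**criteria):  # forward only the claims matching the criteria
    return lambda claims: [c for c in claims if matches(c, **criteria)]

def transform_rule(criteria, type_sub=None, value_sub=None):
    # *_sub are (regex, replacement) pairs; only matched, non-protected claims are forwarded
    def apply(c):
        return Claim(re.sub(*type_sub, c.type) if type_sub else c.type,
                     re.sub(*value_sub, c.value) if value_sub else c.value, c.targets)
    return lambda claims: [apply(c) for c in claims
                           if c.type not in PROTECTED and matches(c, **criteria)]

def create_rule(ctype, template, user, targets, when=None):
    # when=None: plain create; when={criteria}: emit exactly one claim if any input claim matches
    return lambda claims: ([] if when and not any(matches(c, **when) for c in claims)
                           else [Claim(ctype, template.format(**user), frozenset(targets))])

def merge_level(results):
    # same (type, value) from several rules collapses to one claim; targets are unioned
    merged = {}
    for c in (c for claims in results for c in claims):
        prev = merged.get((c.type, c.value))
        merged[(c.type, c.value)] = Claim(c.type, c.value, c.targets | prev.targets) if prev else c
    return list(merged.values())

def run_pipeline(claims, levels):
    # all rules of a level see the same input; the merged level result feeds the next level
    for rules in levels:
        keep = [c for c in claims if c.type in PROTECTED]  # carried through unchanged (assumption)
        claims = merge_level([keep, *(rule(claims) for rule in rules)])
    return claims

def demo():  # constructed sample: one ProAuth claim (sub) plus claims from a federated IdP
    user = {"email": "alice@example.com"}
    claims = [Claim("sub", "u-123"), Claim("idp:groups", "admins"), Claim("idp:groups", "devs"), Claim("idp:debug", "1")]
    levels = [[filter_rule(type_re=r"^idp:groups$")],                          # level 0: drops idp:debug
              [transform_rule({"type_re": r"^idp:"}, type_sub=(r"^idp:", "")),  # level 1: idp:groups -> groups
               create_rule("email", "{email}", user, {"id_token"}),            # same claim twice: targets
               create_rule("email", "{email}", user, {"access_token"}),        # are combined by merge_level
               create_rule("role", "admin", user, {"access_token"}, when={"value_re": r"^admins$"})]]
    return {(c.type, c.value): c.targets for c in run_pipeline(claims, levels)}
```

demo() returns five claims: sub, groups/admins, groups/devs and email for both tokens, and role/admin for the access token only; idp:debug is filtered out at level 0.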

Key Features


  • Dynamic claim filtering
  • Dynamic claim definitions
  • Dynamic claim forwarding
  • Apply security and business logic

Contact


Did we catch your attention, or do you have any questions? Contact us today at:

  • +41 44 508 37 00
  • proauth@4tecture.ch