1
00:00:07,180 --> 00:00:14,590
AD FS claims provide a link between the claims provider and relying party roles in an AD FS deployment.

2
00:00:15,040 --> 00:00:22,810
An AD FS claim is a statement that a trusted entity, such as a claims provider, makes about a particular

3
00:00:22,810 --> 00:00:23,500
subject.

4
00:00:23,530 --> 00:00:24,070
Such as?

5
00:00:24,400 --> 00:00:25,480
Such as the user.

6
00:00:25,930 --> 00:00:32,020
The claims provider creates the claims and the relying party consumes the claims.

7
00:00:32,650 --> 00:00:40,780
AD FS claims provide a standards-based and flexible way for claims provider organizations to provide

8
00:00:40,780 --> 00:00:45,220
specific information about users in their organizations.

9
00:00:45,850 --> 00:00:55,030
AD FS claims also provide a way for relying parties to define exactly what information they require

10
00:00:55,030 --> 00:00:56,890
to provide application access.

11
00:00:57,610 --> 00:01:05,250
The claims information provides the details that applications require to enable access to claims-aware

12
00:01:05,250 --> 00:01:06,610
applications.

13
00:01:07,640 --> 00:01:11,330
Now let's talk about claim types.

14
00:01:11,330 --> 00:01:16,760
Each AD FS claim has a claim type, such as email address, UPN, or last name.

15
00:01:17,290 --> 00:01:21,800
Users can be issued claims based on any defined claim type.

16
00:01:22,550 --> 00:01:30,050
Therefore, a user might be issued a claim with a type of last name and a value of Weber.

17
00:01:30,500 --> 00:01:35,060
For example, AD FS provides many built-in claim types.

18
00:01:35,870 --> 00:01:40,970
Optionally, you can create new ones based on organizational requirements.

19
00:01:41,540 --> 00:01:51,020
A uniform resource identifier, or URI, identifies each AD FS claim type uniquely.

20
00:01:51,710 --> 00:01:57,140
This information is provided as part of the AD FS server metadata.
21
00:01:57,560 --> 00:02:05,810
For example, if the claims provider organization and the relying party organization decide to use a

22
00:02:05,810 --> 00:02:13,460
claim type of account number, both organizations must configure a claim type with the same name.

23
00:02:14,090 --> 00:02:22,230
The claim type is published, and the claim type URI must be identical on both AD FS servers.

24
00:02:23,760 --> 00:02:27,480
Now, let's talk about populating claim values.

25
00:02:28,580 --> 00:02:36,560
Claims issued by a claims provider contain the information that the relying party requires to enable

26
00:02:36,560 --> 00:02:38,540
appropriate application access.

27
00:02:39,320 --> 00:02:47,780
One of the first steps in planning an AD FS deployment is to define exactly what information

28
00:02:47,780 --> 00:02:56,480
that application must have about its user to provide that user access to the application.

29
00:02:57,140 --> 00:03:04,520
After you define this information, the claims are then defined on the claims provider federation

30
00:03:04,520 --> 00:03:13,370
server. The AD FS server obtains the information that it needs to populate the claim in several ways,

31
00:03:14,180 --> 00:03:15,470
including that it:

32
00:03:17,200 --> 00:03:22,000
Retrieves the claim from an attribute store. Frequently,

33
00:03:22,360 --> 00:03:29,110
an attribute store that is available to the federation server already has information that the claim

34
00:03:29,110 --> 00:03:29,890
requires.

35
00:03:30,490 --> 00:03:38,140
For example, an organization might decide the claim should include the user's UPN, email address,

36
00:03:38,140 --> 00:03:40,480
and specific group memberships.

37
00:03:41,180 --> 00:03:49,810
AD DS stores this information already, so the federation server can retrieve this information from

38
00:03:49,810 --> 00:03:52,960
AD DS when creating the claim.

39
00:03:54,000 --> 00:03:56,400
However, because AD FS
40
00:03:56,400 --> 00:04:02,250
can use AD DS, AD LDS, SQL Server,

41
00:04:02,580 --> 00:04:02,850
or

42
00:04:02,850 --> 00:04:10,320
a custom attribute store to populate claims,

43
00:04:10,860 --> 00:04:15,240
you can define almost any value within the claim.

44
00:04:16,650 --> 00:04:24,210
Another way of obtaining the information that it needs to populate the claim is calculating the claim

45
00:04:24,210 --> 00:04:26,340
based on the collected information.

46
00:04:26,970 --> 00:04:36,180
Claims provider federation servers also can calculate information based on data that is generated from

47
00:04:36,180 --> 00:04:37,260
an attribute store.

48
00:04:37,800 --> 00:04:44,670
For example, you might want to provide information about a person's salary within a claim.

49
00:04:45,090 --> 00:04:53,340
This information is likely stored in a human resources database, but the actual value might be considered

50
00:04:53,340 --> 00:04:54,330
confidential.

51
00:04:54,990 --> 00:05:03,990
You can define a claim that categorizes salaries within an organization and then have the AD FS server

52
00:05:04,270 --> 00:05:10,230
calculate which category a specific user belongs in.

53
00:05:10,680 --> 00:05:18,660
In this way, the claim includes only the salary category information, not the user's actual salary

54
00:05:18,690 --> 00:05:19,290
value.

55
00:05:21,170 --> 00:05:26,030
Next up, it transforms the claims from one value to another.

56
00:05:26,660 --> 00:05:34,100
In some cases, the information that is stored in an attribute store does not exactly match the information

57
00:05:34,100 --> 00:05:36,290
required by the application.

58
00:05:36,560 --> 00:05:43,940
When making authorization decisions, for example, the application might have different user roles

59
00:05:44,240 --> 00:05:52,130
defined that do not directly match the attributes that are stored in an attribute store.
60
00:05:53,100 --> 00:05:59,760
However, the application role might correlate to an AD DS group membership.

61
00:06:00,270 --> 00:06:08,040
For example, users in the Sales group might correlate to one application role, whereas users in

62
00:06:08,070 --> 00:06:13,320
the Sales Management group might correlate to a different application role.

63
00:06:13,950 --> 00:06:17,460
To establish the correlation in AD FS,

64
00:06:17,760 --> 00:06:27,150
you can configure a claims transformation that takes the value provided by the claims provider and translates

65
00:06:27,570 --> 00:06:33,840
the value into a claim that is used by the application in the relying party.

66
00:06:34,590 --> 00:06:43,770
And finally, it transforms a Dynamic Access Control device claim into an AD FS claim.

67
00:06:45,090 --> 00:06:53,250
If you deploy Dynamic Access Control, this helps to ensure that users can access an AD FS website

68
00:06:53,250 --> 00:06:59,010
only from trusted workstations that have been issued a valid device claim.

69
00:07:00,130 --> 00:07:03,100
Now some words about claim rules.

70
00:07:04,000 --> 00:07:09,390
Claim rules define how claims are issued and consumed by AD

71
00:07:09,410 --> 00:07:18,250
FS servers. Claim rules define the business logic that is applied to claims that the claims providers

72
00:07:18,250 --> 00:07:22,390
provide and that the relying parties accept.

73
00:07:23,230 --> 00:07:32,380
You can use claim rules to define which incoming claims are accepted from one or more claims

74
00:07:32,380 --> 00:07:33,100
providers,

75
00:07:33,460 --> 00:07:43,660
define which outbound claims are provided to one or more relying parties, and apply authorization rules

76
00:07:43,660 --> 00:07:51,550
to enable access to a specific relying party for one or more users or groups of users.

77
00:07:53,200 --> 00:07:55,990
Now, you can define two types of claim rules.
78
00:07:56,830 --> 00:08:01,300
Claim rules for claims provider trust. A claims

79
00:08:01,300 --> 00:08:10,240
provider trust is the AD FS trust relationship that is configured between an AD FS server and a

80
00:08:10,240 --> 00:08:11,410
claims provider.

81
00:08:11,800 --> 00:08:19,330
You can configure claim rules to define how the claims provider processes and issues claims.

82
00:08:20,020 --> 00:08:30,310
And another type of claim rule is claim rules for relying party trust. A relying party trust is

83
00:08:30,340 --> 00:08:39,310
the AD FS trust relationship that is configured between an AD FS server and a relying party.

84
00:08:39,820 --> 00:08:48,640
You can configure claim rules that define how the relying party accepts claims from the claims provider.

85
00:08:50,290 --> 00:08:58,780
So, the claim rules that you configure on an AD FS claims provider trust are acceptance transform

86
00:08:59,080 --> 00:09:09,340
rules, which determine the claim types that are accepted from the claims provider and sent to a relying party

87
00:09:09,340 --> 00:09:09,910
trust.

88
00:09:10,510 --> 00:09:18,310
When configuring AD FS within a single organization, a default claims provider trust is configured

89
00:09:18,640 --> 00:09:20,800
with the local AD DS domain.

90
00:09:21,430 --> 00:09:27,760
This rule set defines the claims that are accepted from

91
00:09:27,760 --> 00:09:28,300
AD DS.

92
00:09:29,190 --> 00:09:36,540
Three types of claim rules exist for a relying party trust, namely issuance

93
00:09:36,570 --> 00:09:38,240
transform rules.

94
00:09:38,760 --> 00:09:47,640
These rules define the claims that are sent to the relying party that was defined in the relying party

95
00:09:47,640 --> 00:09:48,180
trust.

96
00:09:49,170 --> 00:09:50,640
The next type is

97
00:09:51,660 --> 00:09:54,030
issuance authorization rules.

98
00:09:54,630 --> 00:09:57,630
These rules define which users
99
00:09:58,650 --> 00:10:03,060
are permitted or denied access to the relying party

100
00:10:03,360 --> 00:10:05,760
defined in the relying party trust.

101
00:10:06,570 --> 00:10:17,700
This rule set can include rules that explicitly permit access to a relying party and rules that explicitly

102
00:10:17,940 --> 00:10:21,510
deny access to a relying party.

103
00:10:22,200 --> 00:10:33,030
And another type of claim rule for relying party trust is delegation authorization rules.

104
00:10:33,720 --> 00:10:42,600
These rules define the claims that specify which users can act on behalf of other users when accessing

105
00:10:42,600 --> 00:10:44,010
the relying party.

106
00:10:44,830 --> 00:10:55,150
This rule set can include rules that explicitly permit delegates for a relying party or rules that explicitly

107
00:10:55,150 --> 00:10:58,060
deny delegates for a relying party.

108
00:10:59,070 --> 00:11:08,340
Please note that you can associate a single claim rule with only a single federated trust relationship.

109
00:11:09,120 --> 00:11:13,820
This means that you cannot create a set of rules for one

110
00:11:13,830 --> 00:11:14,850
trust and then

111
00:11:15,150 --> 00:11:22,050
reuse those rules for other trusts that you configure on your federation server.

112
00:11:23,290 --> 00:11:32,230
AD FS servers are preconfigured with a set of default rules and several default templates that you can

113
00:11:32,230 --> 00:11:35,200
use to create common claim rules.

114
00:11:35,740 --> 00:11:41,680
You can create custom claim rules by using the AD FS claim rule language.

115
00:11:42,430 --> 00:11:46,980
Next up, we'll be talking about the claims provider trust.