Issue multiple claims in a single rule

Is there a simple way to issue multiple claims in a single ADFS claim rule? The only examples I can see are ones that query an attribute store, where each retrieved column is mapped to a different claim type.

I tried an "obvious" approach of using Types rather than Type, putting the two types in brackets (as per the SQL example), but then I need to supply multiple values, so I thought to use Values rather than Value. But it chokes at the Types part anyway.

This doesn't work:

c:[Type == incomingClaim, Value =~ incomingMatch]
 => issue(Types = (type1,type2), Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
      Values = (value1,value2), ValueType = c.ValueType);

Where incomingClaim, type1, type2, value1 and value2 are simple string literals, and incomingMatch is a regex.

Of course, I could do this as multiple claim rules, but I was hoping to keep things simple for now. There are going to be ~5 outgoing claims for now, but I want to set up some users to get all of the claims without having to set up 5 rules. The number of claims will increase as time goes by.

(I've only tagged as ADFS - I can't see any other obvious tags to include)


An ADFS rule is composed of a condition, the => token, a command (issue or add), and is terminated with a semicolon. You cannot issue multiple literals per rule, but you can use PowerShell to make it easier to work with.

Instead of going into the UI and going through that wizard 5 times, you can use Set-AdfsRelyingPartyTrust to set all of the rules at once.

Set-AdfsRelyingPartyTrust -TargetName SharePoint_Prod -IssuanceTransformRulesFile c:\drop\rules.txt

where rules.txt looks like

c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type1, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value1, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type2, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value2, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type3, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value3, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type4, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value4, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type5, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value5, ValueType = c.ValueType);

The difference relative to the UI? I used copy and paste.


While Mitch's approach is correct, there is a fundamental issue here. Using the mentioned cmdlet above:

Set-AdfsRelyingPartyTrust -TargetName SharePoint_Prod -IssuanceTransformRulesFile c:\drop\rules.txt

will replace ALL issuance transform rules with the contents of the text file. Correct me if I'm wrong, but there is no 'Append' option in this approach. Moreover, I'm not sure if it was actually tried, but this will result in an error. PS expects every rule to start with:

@RuleName = "$Rulename"

And if there is only 1 rule name for multiple rules, ADFS will produce an error (I have not actually tried it). The best working option if you want to use the cmdlet is to have the text file look something like this:

@RuleName = "RuleName1"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type1, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value1, ValueType = c.ValueType);

@RuleName = "RuleName2"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type2, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value2, ValueType = c.ValueType);

@RuleName = "RuleName3"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type3, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value3, ValueType = c.ValueType);

@RuleName = "RuleName4"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type4, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value4, ValueType = c.ValueType);

@RuleName = "RuleName5"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type5, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value5, ValueType = c.ValueType);

This is still relatively easy to code in PowerShell, but having multiple rule names for essentially very similar claim rules is a nuisance. It would still be best if you could actually issue multiple claims in just one rule statement. I hope this feature can be added in the future.
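Putting both answers together, here is an added example (not code from the question or either answer) that generates one "@RuleName" block per outgoing literal claim and appends the result to the relying party's existing issuance transform rules instead of replacing them. The relying party name "SharePoint_Prod", the incoming claim type and regex, and the outgoing claim types and values are placeholders; it assumes the ADFS PowerShell module's Get-AdfsRelyingPartyTrust and Set-AdfsRelyingPartyTrust cmdlets are available.

```powershell
# Added example: build per-rule "@RuleName" blocks and append them to the
# current rule set, so Set-AdfsRelyingPartyTrust does not wipe existing rules.
# All names, claim types and values below are placeholders (assumptions).

$targetName    = 'SharePoint_Prod'
$incomingType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$incomingMatch = '^.+@example\.com$'   # regex applied to the incoming claim value

# One outgoing literal claim per entry; grow this list as requirements change.
$outgoing = @(
    @{ Name = 'Role-Reader';  Type = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'; Value = 'Reader' },
    @{ Name = 'Role-Editor';  Type = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'; Value = 'Editor' },
    @{ Name = 'Dept-Finance'; Type = 'http://example.com/claims/department';                        Value = 'Finance' }
)

function New-LiteralIssuanceRule {
    param([string]$RuleName, [string]$InType, [string]$InMatch, [string]$OutType, [string]$OutValue)
    # Claim rule language allows exactly one literal claim per issue() statement.
    @"
@RuleName = "$RuleName"
c:[Type == "$InType", Value =~ "$InMatch"]
 => issue(Type = "$OutType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = "$OutValue", ValueType = c.ValueType);
"@
}

# Render every entry as its own named rule, separated by newlines.
$newRules = ($outgoing | ForEach-Object {
    New-LiteralIssuanceRule -RuleName $_.Name -InType $incomingType -InMatch $incomingMatch `
                            -OutType $_.Type -OutValue $_.Value
}) -join "`n"

# Read what is currently configured so the write below is an append, not a replace.
$rp       = Get-AdfsRelyingPartyTrust -Name $targetName
$existing = $rp.IssuanceTransformRules
$combined = if ($existing) { "$existing`n$newRules" } else { $newRules }

# Show the full rule set that is about to be written, then apply it.
Write-Output $combined
Set-AdfsRelyingPartyTrust -TargetName $targetName -IssuanceTransformRules $combined
```

Running it twice would append the same rules again, so check the printed rule set (or filter out blocks whose @RuleName already exists) before applying it on a relying party that is already configured.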