3.1.1.11.1.4 Claims Issuance

Active Directory generates claims for a principal using a configuration called the Claims Dictionary. The following is a high-level overview of claims issuance in Active Directory:

  1. The claim Type of the claim is the value of the name attribute of the msDS-ClaimType object.

  2. The claim Value or Values are retrieved from the source specified in the msDS-ClaimSourceType attribute of the msDS-ClaimType object (or computed dynamically in the case of constructed claims). At least one value must be present for this claim to be issued.

  3. The claim ValueType is generated based on the claim Values.

Refer to the GetClaimsForPrincipal claims procedure (section 3.1.1.11.2.1) for a normative description of claims issuance.
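
The three steps above, as an added example that is not part of the original specification: a simplified Python model, not the normative GetClaimsForPrincipal procedure. The dictionary layout, the `source_attr` and `compute` keys, the source-type and ValueType labels, and all sample data are assumptions made for illustration.

```python
# Simplified model of the three issuance steps; not the normative procedure.
# Assumptions: dict layout, "source_attr"/"compute" keys, source and ValueType
# labels. All sample data below is constructed.

VALUE_TYPE_LABELS = {bool: "BOOLEAN", int: "INT64", str: "STRING"}

def derive_value_type(values):
    """Step 3: the ValueType follows from the values themselves."""
    kinds = {type(v) for v in values}
    if len(kinds) != 1 or not kinds.issubset(VALUE_TYPE_LABELS):
        raise ValueError(f"mixed or unsupported value kinds: {kinds}")
    return VALUE_TYPE_LABELS[kinds.pop()]

def read_values(claim_type, principal):
    """Step 2: fetch values from the configured source, or compute them."""
    source = claim_type["msDS-ClaimSourceType"]
    if source == "AD":
        raw = principal.get(claim_type["source_attr"], [])
    elif source == "Constructed":
        raw = claim_type["compute"](principal)
    else:
        raise ValueError(f"unhandled source type: {source}")
    return [v for v in raw if v is not None and v != ""]

def issue_claims(claims_dictionary, principal):
    issued = []
    for claim_type in claims_dictionary:
        values = read_values(claim_type, principal)
        if not values:  # at least one value must be present, else no claim
            continue
        issued.append({
            "Type": claim_type["name"],  # step 1: Type is the name attribute
            "ValueType": derive_value_type(values),
            "Values": values,
        })
    return issued

CLAIMS_DICTIONARY = [  # constructed stand-ins for msDS-ClaimType objects
    {"name": "ad://ext/department", "msDS-ClaimSourceType": "AD",
     "source_attr": "department"},
    {"name": "ad://ext/clearance", "msDS-ClaimSourceType": "AD",
     "source_attr": "clearanceLevel"},
    {"name": "ad://ext/hasManager", "msDS-ClaimSourceType": "Constructed",
     "compute": lambda p: [bool(p.get("manager"))]},
]
PRINCIPAL = {"department": ["Finance"],
             "manager": ["CN=Example Manager,DC=example,DC=test"]}

if __name__ == "__main__":
    for claim in issue_claims(CLAIMS_DICTIONARY, PRINCIPAL):
        print(claim)
```

The constructed principal has no `clearanceLevel` value, so the model issues no claim for that type at all rather than a claim with an empty value list.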