Claims are statements (for example, name, identity, key, group, privilege, or capability) made about users—and understood by both partners in an Active Directory Federation Services (AD FS) federation—that are used for authorization purposes in an application. A claims-aware application is a Microsoft ASP.NET application that has been written using the AD FS class library. This type of application is fully capable of using AD FS claims to make authorization decisions directly. A claims-aware application accepts claims that the Federation Service sends in AD FS security tokens.

Membership in the Administrators local group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at

You can use the following procedure to add a claims-aware application to the Federation Service trust policy.

To add a claims-aware application
  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, double-click Federation Service, Trust Policy, and My Organization.

  3. Right-click Applications, point to New, and then click Application.

  4. On the Welcome to the Add Application Wizard page, click Next.

  5. On the Application Type page, click Claims-aware application, and then click Next.

  6. On the Application Details page, do the following, and then click Next:

    • In Application display name, type the name of the application.

    • In Application URL, type the Uniform Resource Locator (URL) of the application.


    This URL must match the return URL that is configured on the AD FS Web Agent for this application.

  7. On the Accepted Identity Claims page, select each identity claim type that the application will use to make authorization decisions, and then click Next:

    • If the application requires user principal name (UPN) identity claims to make authorization decisions, select the User principal name (UPN) check box.

    • If the application requires e-mail identity claims to make authorization decisions, select the E-mail check box.

    • If the application requires common name identity claims to make authorization decisions, select the Common name check box.

  8. If you do not want to enable the claims-aware application now, on the Enable this Application page, clear the Enable this application check box, and then click Next.

  9. To add the new claims-aware application and close the wizard, click Finish.