I am working with one of the sample WIF applications (ClaimsAwareAppWithManagedSTS) and testing some claims authorization rules.
I have one rule that permits all users and I'm trying to have another that denies a user based on the value of the role claim. The rule I have is this:
EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)contractor"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
But this doesn't work. However, if I change the rule slightly to deny based on a name like this, it does work:
EXISTS([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value =~ "(?i)ben"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
Can anyone advise what the problem is? The role claim is definitely present and is displayed in the sample WIF application.
Steve G
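A quick way to check why a deny rule silently never fires is to dump the claims exactly as the STS issued them and evaluate the candidate rule against them in code. The following is an added example, not code from the question or from the WIF sample: it models the EXISTS([Type == ..., Value =~ ...]) rule above with an exact string comparison on the claim type and a regex match on the value, and runs it against a constructed identity. It assumes the .NET 4.5 System.Security.Claims model (in WIF 3.5 the equivalent types are Microsoft.IdentityModel.Claims.IClaimsPrincipal and Claim.ClaimType); the claim values and the alternative role URI "urn:example:claims/role" are constructed for the illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Text.RegularExpressions;

// Added example (not from the question or the WIF sample). Uses the .NET 4.5
// System.Security.Claims model; WIF 3.5 has equivalent types under
// Microsoft.IdentityModel.Claims.
static class ClaimRuleCheck
{
    // Mirrors EXISTS([Type == claimType, Value =~ valuePattern]):
    // the type is an exact (ordinal) string comparison, the value is a regex.
    public static bool RuleMatches(ClaimsPrincipal principal, string claimType, string valuePattern)
    {
        return principal.Claims.Any(c =>
            string.Equals(c.Type, claimType, StringComparison.Ordinal)
            && Regex.IsMatch(c.Value, valuePattern));
    }

    static void Main()
    {
        // Constructed identity standing in for the one the sample app displays.
        // The role claim is deliberately issued under a constructed URI that
        // differs from ClaimTypes.Role, to show what an exact type mismatch does.
        const string constructedRoleType = "urn:example:claims/role";
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "Ben"),
            new Claim(constructedRoleType, "Contractor"),
        }, "Federation");
        var principal = new ClaimsPrincipal(identity);

        // Step 1: print every claim type and value exactly as issued, so the
        // URI used in the rule can be compared character for character.
        foreach (var c in principal.Claims)
            Console.WriteLine("{0} = {1}", c.Type, c.Value);

        // Step 2: evaluate the candidate deny rules against the same claims.
        Console.WriteLine("role rule, ClaimTypes.Role URI: "
            + RuleMatches(principal, ClaimTypes.Role, "(?i)contractor"));
        Console.WriteLine("role rule, URI as issued:       "
            + RuleMatches(principal, constructedRoleType, "(?i)contractor"));
        Console.WriteLine("name rule:                      "
            + RuleMatches(principal, ClaimTypes.Name, "(?i)ben"));
    }
}
```

Running it prints the claim list followed by false, true, true: the name rule and the role rule that uses the issued URI match, while the role rule written against a different URI never does, even though the value regex would match. The same dump can be taken from Thread.CurrentPrincipal inside the sample application to confirm the role claim's exact type before the rule is written.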