First Ideas for a Claim Rule Engine

I am looking for applications of my scripting languages. I want to use AjLang, the core of AjSharp, written in C#. One use case could be a claim rule engine. To understand what I have in mind, and the federated security jargon/landscape, see:

The Role of the Claims Engine
The Role of the Claim Rule Language
The Role of Claim Rules
The Role of the Claims Pipeline
The Role of Claims

Given a set of input claims, the system should produce a set of output claims, using user defined rules. A rule could be written as:

rule RuleEmail
   description “….”
   claim cmail
   cmail in InputClaims
   cmail.Type == “email” 
   claim cname = new Claim(…. )
   // more cname processing, maybe extracting a value from email
end rule

Something like my example at but more oriented to C# syntax (i.e. the use of native .EndsWith in the above example)

If I had omitted cmail in InputClaims, the claim will be searched in all claim sets.

Additional item: to have a web interface to edit and browse rules.

The rules would be executed in order. I could write rule sets, to group rules to be executed. For example: Identity Provider rule set, to be applied to the claim set provider by an IP, i.e. Windows Live, Yahoo, etc. Or a Relying Party rule set, defined by application: accounting system, human resource system, finance, etc..

In the “then” part, additional functions could be call. The functions would be added by the developer to the rule engine environment, maybe with dynamic loading of a library. Then, the actions will be extensible by code. The “when” part could use additional predicates, too. But the base idea is to have an initial set of predicates and actions that cover the main use cases: testing property values, creating new claims, setting their property values, adding to a claim set (InputClaims, OutputClaims or any other set defined by the programmer).

One thing to decide: what happens if there are TWO or more claims that satisfy then when clause? the rule should fire only once? or n times? I remember the cut operator from Prolog, but I guess it could be simpler. I should explore the use cases.

No time allocated for these ideas, yet. But keep tuned!

Angel “Java” Lopez

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s