So I had a situation where there was a workflow involved and a user could not have access until they had been validated by an administrator.
So I created a claim called:
(Remember, these are URI not URL!).
Then in the Issuance Transform Rules tab, I had the normal LDAP rule to create the claim from an AD attribute and in the Issuance Authorization Rules tab I had a rule that said that if that claim had a value of "True" than allow access. I deleted the default "Allow access to anyone" rule.
Problem was - it didn't work?
Had a chat with Mr. Google (and it was a long chat!) and eventually figured out that each tab stands on its own i.e. there is no cross-pollination between them. The fact that you have a rule in one tab means nothing in another.
You have to repeat the rules in each tab.
Then all was sweetness and light!