TechOnTip Weblog

Run book for Technocrats

«
»

Custom ADFS Claim Rules – Country/Office/CountryCode/SpecificGroup/FixedValue/ObjectGuid/eduPerson

Posted by Brajesh Panda on February 4, 2016

Earlier I have posted an article about Claim Language. Here it is: https://techontip.wordpress.com/2014/03/10/the-claims-rule-language-in-active-directory-federation-services/

In this article I am going to show you few regularly used custom claims, for which you need to write custom claim rules.

Before you create custom claim rules make sure you have claim descriptions created.

Custom Claim

country, office, countrycode_iso

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/country", "http://custom.techontipadfs.com/adattribute/office", "http://custom.techontipadfs.com/adattribute/countrycode_iso"), query = ";co,physicalDeliveryOfficeName,c;{0}", param = c.Value);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Filtered Groups – Pass specific groups starting with a value like referral

http://blogs.technet.com/b/askds/archive/2013/05/07/ad-fs-2-0-claims-rule-language-part-2.aspx

https://social.technet.microsoft.com/wiki/contents/articles/8008.ad-fs-2-0-selectively-send-group-membership-s-as-a-claim.aspx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rule 1: GroupAdd

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

Rule 2: GroupFilter

# Just filter one group

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral"]

=> issue(claim = c);

# Filter out multiple groups.

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral|(?i)techontip deals"]

=> issue(claim = c);

Note: Here (?i) is for not case sensitive, and | is for OR

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pass fixed value

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(type = "Test1", value = "Techontip Int User");

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(Type = "orgdir", Value = "techontip");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pass ObjectGUID

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ObjectGuid

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Transform to eduPerson Claims

Shibboleth is preconfigured to assert multiple attributes of the eduPerson object class, which is specially designed for higher education institutions. These are not configured by default in AD FS 2.0. Also, Shibboleth expects inbound SAML attributes names to use a different name format (urn:oasis:names:tc:SAML:2.0:attrname-format:uri) than AD FS 2.0 publishes by default (urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified). For these reasons, we will use the AD FS 2.0 custom rule language to generate Shibboleth-compliant claims.

http://technet.microsoft.com/en-us/library/gg317734%28v=ws.10%29.aspx#BKMK_EditClaimRulesforRelyingPartyTrust

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. 1st add a normal LDAP Claim – like UserPrincipal to UPN

2. 2nd Transform above claim to eduPerson claim. Below example converts above UPN to eduPerson. Here "urn:oid:0.9.2342.19200300.100.1.1" can be anything, as per application config.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"%5D

=> issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"%5D = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

This entry was posted on February 4, 2016 at 12:19 am and is filed under ADFS, Mix & Match. Tagged: . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Custom ADFS Claim Rules – Country/Office/CountryCode/SpecificGroup/FixedValue/ObjectGuid/eduPerson”

  1. Полезная документация по ADFS — Links for IT folks said

    July 29, 2020 at 11:30 am

    […] Полезные кастомные правила ADFS claims […]

    Reply

Leave a comment

«
»