TechOnTip Weblog

Run book for Technocrats

Custom ADFS Claim Rules – Country/Office/CountryCode/SpecificGroup/FixedValue/ObjectGuid/eduPerson

Posted by Brajesh Panda on February 4, 2016

Earlier I posted an article about the claims rule language. Here it is: https://techontip.wordpress.com/2014/03/10/the-claims-rule-language-in-active-directory-federation-services/

In this article I am going to show you a few regularly used custom claims for which you need to write custom claim rules.

Before you create custom claim rules, make sure the corresponding claim descriptions have been created.

Custom Claim

country, office, countrycode_iso

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/country", "http://custom.techontipadfs.com/adattribute/office", "http://custom.techontipadfs.com/adattribute/countrycode_iso"), query = ";co,physicalDeliveryOfficeName,c;{0}", param = c.Value);
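The following PowerShell is an added example, not code from the original post. It creates the claim descriptions for the three custom claim types used in the rule above (the step the post says to do first) and then appends that rule to a relying party trust. The relying party display name "Contoso Portal" is an assumption; the cmdlets are the standard ADFS module cmdlets and are run on an AD FS server.

```powershell
# Added example (not from the original post): create the claim descriptions for the
# country/office/countrycode rule, then append the rule to a relying party trust.
Import-Module ADFS

$rpName = "Contoso Portal"   # assumption: display name of your relying party trust

# 1. Claim descriptions. AD FS only advertises claim types it knows about in its
#    federation metadata, and the post says to create these before the rules.
$claimTypes = @{
    "Country"        = "http://custom.techontipadfs.com/adattribute/country"
    "Office"         = "http://custom.techontipadfs.com/adattribute/office"
    "CountryCodeISO" = "http://custom.techontipadfs.com/adattribute/countrycode_iso"
}
foreach ($name in $claimTypes.Keys) {
    $type = $claimTypes[$name]
    $exists = Get-AdfsClaimDescription | Where-Object { $_.ClaimType -eq $type }
    if (-not $exists) {
        Add-AdfsClaimDescription -Name $name -ClaimType $type -IsOffered $true -IsAccepted $true
    }
}

# 2. The custom rule from the post, with an @RuleName annotation so it can be
#    recognised in the AD FS console and in Get-AdfsRelyingPartyTrust output.
$rule = @'
@RuleName = "Country, office and ISO country code from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/country", "http://custom.techontipadfs.com/adattribute/office", "http://custom.techontipadfs.com/adattribute/countrycode_iso"), query = ";co,physicalDeliveryOfficeName,c;{0}", param = c.Value);
'@

# 3. -IssuanceTransformRules REPLACES the trust's whole rule set, so read the
#    existing rules first and append instead of overwriting them.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }
if ($rp.IssuanceTransformRules -notlike "*adattribute/countrycode_iso*") {
    $newRules = ($rp.IssuanceTransformRules, $rule) -join "`r`n"
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules
}

# 4. Read back the rule set now in place for this trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The append-instead-of-replace step matters in practice: setting the rules from a script that forgets the existing ones silently drops every other issuance rule on the trust, which is easy to miss until users stop getting claims they relied on.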

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Filtered Groups – Pass specific groups starting with a value like referral

http://blogs.technet.com/b/askds/archive/2013/05/07/ad-fs-2-0-claims-rule-language-part-2.aspx

https://social.technet.microsoft.com/wiki/contents/articles/8008.ad-fs-2-0-selectively-send-group-membership-s-as-a-claim.aspx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rule 1: GroupAdd

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

Rule 2: GroupFilter

# Pass through just one group

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral"]

=> issue(claim = c);

# Pass through multiple groups.

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral|(?i)techontip deals"]

=> issue(claim = c);

Note: (?i) makes the match case-insensitive, and | is the regex OR. Both patterns are unanchored, so they pass any group whose name contains the value anywhere; anchor the pattern with ^ if only names that start with the value should be passed.
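AD FS evaluates =~ with the .NET regex engine, so the same patterns can be checked outside AD FS with [regex]::IsMatch, which is case-sensitive by default just like =~. The PowerShell below is an added example, not code from the original post; the group names are constructed for the demonstration and do not come from a real directory. It runs the two patterns from the GroupFilter rule above, plus an anchored variant, over the sample names.

```powershell
# Added example (not from the original post): test the GroupFilter regexes the way
# AD FS evaluates them (.NET regex, case-sensitive unless (?i) is present).
# Constructed sample group names, as tokenGroups would return them (unqualified).
$groups = @(
    "Referral Managers",
    "TECHONTIP DEALS",
    "Domain Admins",
    "Non-Referral Users",      # contains "referral", so an unanchored pattern passes it too
    "Techontip Deals Archive"
)

# Patterns exactly as written in the post's GroupFilter rule...
$single   = "(?i)referral"
$multiple = "(?i)referral|(?i)techontip deals"
# ...and an anchored variant that passes only names that START with the value.
$anchored = "(?i)^(referral|techontip deals)"

function Get-PassedGroups {
    param([string[]]$Names, [string]$Pattern)
    # [regex]::IsMatch is case-sensitive by default, like =~ in AD FS;
    # the (?i) inside the pattern is what turns that off.
    $Names | Where-Object { [regex]::IsMatch($_, $Pattern) }
}

"Single   : " + ((Get-PassedGroups $groups $single)    -join ", ")
"Multiple : " + ((Get-PassedGroups $groups $multiple)  -join ", ")
"Anchored : " + ((Get-PassedGroups $groups $anchored)  -join ", ")
"No (?i)  : " + ((Get-PassedGroups $groups "referral") -join ", ")
```

Running it shows the two effects the note describes: without (?i) the lowercase pattern passes none of the sample names, and the unanchored patterns pass "Non-Referral Users" along with the intended groups, while the anchored variant does not. Check a new filter this way before deploying it, since an over-broad pattern releases more group memberships to the relying party than intended.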

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pass fixed value

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(Type = "Test1", Value = "Techontip Int User");

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(Type = "orgdir", Value = "techontip");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pass ObjectGUID

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Transform to eduPerson Claims

Shibboleth is preconfigured to assert multiple attributes of the eduPerson object class, which is specially designed for higher education institutions. These are not configured by default in AD FS 2.0. Also, Shibboleth expects inbound SAML attribute names to use a different name format (urn:oasis:names:tc:SAML:2.0:attrname-format:uri) than AD FS 2.0 publishes by default (urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified). For these reasons, we will use the AD FS 2.0 custom rule language to generate Shibboleth-compliant claims.

http://technet.microsoft.com/en-us/library/gg317734%28v=ws.10%29.aspx#BKMK_EditClaimRulesforRelyingPartyTrust

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. First, add a normal LDAP attribute claim rule, for example User-Principal-Name to UPN.

2. Then transform the claim from step 1 into an eduPerson claim. The example below converts the UPN into an eduPerson claim. The outgoing claim type, "urn:oid:0.9.2342.19200300.100.1.1" here, is whatever the application's configuration expects.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]

=> issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
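The two steps above as one complete rule set, applied to a relying party trust from PowerShell. This is an added example, not code from the original post: step 1 is the rule that the "Send LDAP Attributes as Claims" template generates for userPrincipalName to UPN, step 2 is the transform shown above. The relying party name "Shibboleth SP" is an assumption, and the script sets the trust's whole rule set, which is appropriate for a newly created trust that has no other rules yet.

```powershell
# Added example (not from the original post): the two-step eduPerson procedure
# as one rule set on a fresh relying party trust.
Import-Module ADFS
$rpName = "Shibboleth SP"   # assumption: display name of the Shibboleth relying party trust

$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "UPN to eduPerson attribute urn:oid:0.9.2342.19200300.100.1.1"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Note: this REPLACES any issuance transform rules already on the trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Check that both the LDAP rule and the eduPerson transform are now in place.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$ok = ($applied -match "userPrincipalName") -and ($applied -match "attrname-format:uri")
"eduPerson rule set applied: $ok"
```

Keeping the LDAP rule and the transform in the same rule set is deliberate: the transform only fires on a UPN claim that already exists in the pipeline, so if step 1 is missing the relying party silently receives no eduPerson attribute at all.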
