Custom ADFS Claim Rules – Country/Office/CountryCode/SpecificGroup/FixedValue/ObjectGuid/eduPerson
Posted by Brajesh Panda on February 4, 2016
Earlier I posted an article about the claims rule language. Here it is: https://techontip.wordpress.com/2014/03/10/the-claims-rule-language-in-active-directory-federation-services/
In this article I am going to show you a few regularly used custom claims for which you need to write custom claim rules.
Before you create custom claim rules, make sure the corresponding claim descriptions have already been created in AD FS.
Custom Claim
country, office, countrycode_iso
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/country", "http://custom.techontipadfs.com/adattribute/office", "http://custom.techontipadfs.com/adattribute/countrycode_iso"), query = ";co,physicalDeliveryOfficeName,c;{0}", param = c.Value);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Filtered Groups – Pass specific groups starting with a value like referral
http://blogs.technet.com/b/askds/archive/2013/05/07/ad-fs-2-0-claims-rule-language-part-2.aspx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rule 1: GroupAdd
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
Rule 2: GroupFilter
# Pass through just one group
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral"]
=> issue(claim = c);
# Pass through multiple groups (either pattern may match).
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral|(?i)techontip deals"]
=> issue(claim = c);
Note: Here (?i) makes the regex match case-insensitive, and | means OR. The pattern is not anchored, so it matches the text anywhere in the group name.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
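As an added example (not from the original post), the following PowerShell first dry-runs the GroupFilter regex above against a few constructed group names, so you can see exactly which groups the unanchored pattern would issue, and then applies the GroupAdd/GroupFilter pair to a relying party trust. The trust name "Techontip Portal" and the sample group names are placeholders.

```powershell
# Added example, not the post's own code. Assumes the AD FS PowerShell module is loaded
# and "Techontip Portal" is a placeholder relying party trust display name.
$rpName = "Techontip Portal"

# Rule set taken from the post (GroupAdd + GroupFilter), as one issuance rule set.
$rules = @'
@RuleName = "GroupAdd"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "GroupFilter"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral|(?i)techontip deals"]
 => issue(claim = c);
'@

# Dry run: evaluate the same .NET regex the rule uses against constructed group names.
# -cmatch is case-sensitive, so the (?i) flag inside the pattern does the work, as in AD FS.
$filterRegex = '(?i)referral|(?i)techontip deals'
$sampleGroups = @(
    'Referral Partners',        # intended match
    'TECHONTIP DEALS',          # intended match; shows the effect of (?i)
    'Ex-Referral-Staff',        # also issued: the pattern is unanchored
    'Domain Admins'             # not issued
)
foreach ($g in $sampleGroups) {
    $issued = $g -cmatch $filterRegex
    "{0,-22} issued: {1}" -f $g, $issued
}

# If the dry run issues more groups than you intended, anchor the pattern
# (for example "(?i)^(referral|techontip deals)$") before applying the rules.
# -WhatIf shows what would change; remove it to commit the new rule set.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules -WhatIf
```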
Pass fixed value
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(type = "Test1", value = "Techontip Int User");
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(Type = "orgdir", Value = "techontip");
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pass ObjectGUID
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Transform to eduPerson Claims
Shibboleth is preconfigured to assert multiple attributes of the eduPerson object class, which is specially designed for higher education institutions. These are not configured by default in AD FS 2.0. Also, Shibboleth expects inbound SAML attributes names to use a different name format (urn:oasis:names:tc:SAML:2.0:attrname-format:uri) than AD FS 2.0 publishes by default (urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified). For these reasons, we will use the AD FS 2.0 custom rule language to generate Shibboleth-compliant claims.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. First, add a normal LDAP attribute claim, for example User-Principal-Name mapped to the UPN claim.
2. Second, transform that claim into an eduPerson claim. The example below converts the UPN claim from step 1 into an eduPerson attribute. Here "urn:oid:0.9.2342.19200300.100.1.1" can be any attribute name the application's configuration expects.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");