Custom Claim Rule

Question
-
We have a vendor asking to receive two claims.
1. A claim with the user's email address without the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ URI, just the attribute name of 'Emailaddress'.
Before:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>someone@company.com</AttributeValue>
</Attribute>
After:
<Attribute Name="EmailAddress">
<AttributeValue>someone@company.com</AttributeValue>
</Attribute>
2. They want to receive another attribute named 'GroupName' with the static value of 'User'.
<Attribute Name="GroupName">
<AttributeValue>User</AttributeValue>
</Attribute>
This is probably simple, but I just can't get it to work.
Your advice is appreciated.
- Edited by 10890lrl Friday, July 21, 2017 5:37 PM
Friday, July 21, 2017 5:36 PM
Answers
-
Normal rule like:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
Changed rule e.g.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("EmailAddress"), query = ";mail;{0}", param = c.Value);
- Marked as answer by 10890lrl Monday, July 24, 2017 5:49 PM
Sunday, July 23, 2017 6:44 PM
All replies
-
Hi, isn't vendor able to provide screenshots of claim mapping? They must have tested this config and documented.
Friday, July 21, 2017 5:56 PM -
I would have thought so too. This vendor has just begun using Federation and I think they are experiencing a learning curve like we did.
Any thoughts on how to provide this?
Thanks
- Edited by 10890lrl Saturday, July 22, 2017 12:14 PM
Friday, July 21, 2017 9:34 PM -
Thanks. I tested and received the following error. Did you receive the same error?
Thanks
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.microsoft.com/idfx/requesttype/issue
Additional Data
Exception details:
System.ArgumentException: ID4216: The ClaimType 'EmailAddress' must be of format 'namespace'/'name'.
Parameter name: claimType
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
Now this is interesting. This URL shows something different... https://social.technet.microsoft.com/wiki/contents/articles/1431.ad-fs-2-0-the-admin-event-log-shows-error-111-with-system-argumentexception-id4216.aspx
"SAML 1.1 tokens have strict URI rules which state that the format must be 'namespace'/'name'. These can be constructed many ways, and here are a few common examples:
myOrganization/myClaimType
urn:myOrganization:claims/myClaimType
http://myOrganization/claims/myClaimType
SAML 2.0 tokens do not have the same URI requirements, and simple names can be used. Examples:
emailAddress
costCenter"
- Edited by 10890lrl Monday, July 24, 2017 4:38 PM
Monday, July 24, 2017 4:32 PM -
Got it figured out. My claims tester site was WS-Fed. I tested it using SAML 2.0 and it works! Thanks
<AttributeStatement>
<Attribute Name="EmailAddress">
<AttributeValue>me@company.com</AttributeValue>
</Attribute>
My second question was about a static entry. Do you have any thoughts on this?
<Attribute Name="GroupName">
<AttributeValue>User</AttributeValue>
</Attribute>
Monday, July 24, 2017 4:53 PM -
Got the static claim figured out too.
=> issue(Type = "GroupName", Value = "User");
Thanks again!
Monday, July 24, 2017 5:48 PM -
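The two rules worked out in this thread (the AD lookup issued under the bare claim type "EmailAddress", and the static "GroupName" = "User" claim), applied to a relying party trust and read back with the AD FS PowerShell module. This is an added example, not code from the thread or from the vendor; the trust name "Vendor SAML App" is assumed, and it must be run on an AD FS server by an AD FS administrator.

```powershell
# Added example, not from the original thread.
# Assumption: the vendor's relying party trust is named "Vendor SAML App".
Import-Module ADFS

$rpName = "Vendor SAML App"

# Rule 1: look up the user's mail attribute in AD and issue it under the bare
# (non-URI) claim type "EmailAddress". Bare names are only valid in SAML 2.0
# assertions; a WS-Fed / SAML 1.1 token fails with ID4216, as the thread shows.
# Rule 2: a static claim "GroupName" = "User" with no condition, so every user
# who obtains a token from this trust receives it.
$rules = @'
@RuleName = "Mail as EmailAddress"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("EmailAddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Static GroupName"
 => issue(Type = "GroupName", Value = "User");
'@

# Issuance transform rules are scoped to one relying party, so these claim
# names are only ever issued to this vendor, not to other trusts.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read the trust back: confirm the rules were stored and that the vendor is
# configured with a SAML 2.0 endpoint. If a WS-Fed endpoint is in use, the
# bare claim type will produce ID4216 on that path.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
if ($rp.WSFedEndpoint) {
    Write-Warning "Trust '$rpName' has a WS-Fed endpoint; a bare claim type such as 'EmailAddress' will fail there with ID4216."
}
```

Because the static rule issues "GroupName" = "User" to anyone who can get a token for this trust, the vendor's authorization effectively rests on who is allowed through the trust's issuance authorization rules; check those rather than relying on the claim value itself to limit access.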
Glad you got it figured out.
This seems to be a problem with SAP products.
I always recommend that people try and use the SAML 1.1 format.
In particular, it causes problems when you federate with another ADFS and you want to pass the claim across because the federation connection is WS-Fed.
- Edited by nzpcmad1 Monday, July 24, 2017 7:36 PM
Monday, July 24, 2017 7:32 PM