Custom Claim Rule

  • Question

  • We have a vendor asking to receive two claims.

    1. A claim with the user's email address without the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ URI, just the attribute name of 'Emailaddress'.

       Before:

           <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
             <AttributeValue>someone@company.com</AttributeValue>
           </Attribute>

       After:

           <Attribute Name="EmailAddress">
             <AttributeValue>someone@company.com</AttributeValue>
           </Attribute>

    2. They want to receive another attribute named 'GroupName' with the static value of 'User'.

           <Attribute Name="GroupName">
             <AttributeValue>User</AttributeValue>
           </Attribute>

    This is probably simple, but I just can't get it to work.

    Your advice is appreciated.



    • Edited by 10890lrl Friday, July 21, 2017 5:37 PM
    Friday, July 21, 2017 5:36 PM

Answers

  • Normal rule like:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

    Changed rule e.g.

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("EmailAddress"), query = ";mail;{0}", param = c.Value);

    • Marked as answer by 10890lrl Monday, July 24, 2017 5:49 PM
    Sunday, July 23, 2017 6:44 PM

All replies

  • Hi, isn't the vendor able to provide screenshots of the claim mapping? They must have tested this config and documented it.

    Friday, July 21, 2017 5:56 PM
  • I would have thought so too. This vendor has just begun using Federation and I think they are experiencing a learning curve like we did.

    Any thoughts on how to provide this?

    Thanks



    • Edited by 10890lrl Saturday, July 22, 2017 12:14 PM
    Friday, July 21, 2017 9:34 PM
  • Thanks. I tested and received the following error. Did you receive the same error?

    Thanks

    The Federation Service encountered an error while processing the WS-Trust request.
    Request type: http://schemas.microsoft.com/idfx/requesttype/issue

    Additional Data
    Exception details:
    System.ArgumentException: ID4216: The ClaimType 'EmailAddress' must be of format 'namespace'/'name'.
    Parameter name: claimType
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
       at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)

    Now this is interesting. This URL shows something different... https://social.technet.microsoft.com/wiki/contents/articles/1431.ad-fs-2-0-the-admin-event-log-shows-error-111-with-system-argumentexception-id4216.aspx

    "SAML 1.1 tokens have strict URI rules which state that the format must be 'namespace'/'name'. These can be constructed many ways, and here are a few common examples:
    myOrganization/myClaimType
    urn:myOrganization:claims/myClaimType
    http://myOrganization/claims/myClaimType

    SAML 2.0 tokens do not have the same URI requirements, and simple names can be used. Examples:
    emailAddress
    costCenter"


    • Edited by 10890lrl Monday, July 24, 2017 4:38 PM
    Monday, July 24, 2017 4:32 PM
  • Got it figured out. My claims tester site was WS-Fed. I tested it using SAML 2.0 and it works! Thanks

    <AttributeStatement>
        <Attribute Name="EmailAddress">
            <AttributeValue>me@company.com</AttributeValue>
        </Attribute>
    </AttributeStatement>

    My second question was about a static entry. Do you have any thoughts on this?

    Attribute Name="GroupName"

    AttributeValue=User

    Monday, July 24, 2017 4:53 PM
  • Got the static claim figured out too.

     => issue(Type = "GroupName", Value = "User");

    Thanks again!

    Monday, July 24, 2017 5:48 PM
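A pre-deployment check for the two problems in this thread (the ID4216 'namespace'/'name' requirement for SAML 1.1 / WS-Fed tokens, and the static issue(Type = ..., Value = ...) rule): the script below is an added example, not code from the thread or from ADFS, that pulls the literal claim types out of a claim rule and flags the ones a SAML 1.1 token would reject. The format test is my reading of the wiki text quoted above (a '/' with non-empty text on both sides), not the exact WIF implementation, and the sample rules are the ones posted in the thread.

```python
from __future__ import annotations
import re

# Sample rules copied from the thread: the namespaced rule, the bare-name rule
# that produced ID4216 on a WS-Fed (SAML 1.1) token, and the static claim rule.
RULES = [
    'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]\n'
    ' => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);',
    'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]\n'
    ' => issue(store = "Active Directory", types = ("EmailAddress"), query = ";mail;{0}", param = c.Value);',
    ' => issue(Type = "GroupName", Value = "User");',
]


def issued_claim_types(rule: str) -> list[str]:
    """Return the literal claim types a rule issues.

    Handles the two forms used in the thread: attribute-store rules with
    types = ("a", "b") and static rules with Type = "a". A rule that copies the
    incoming type (Type = c.Type) carries no literal and yields [].
    """
    m = re.search(r'\btypes\s*=\s*\(([^)]*)\)', rule)
    if m:
        return re.findall(r'"([^"]*)"', m.group(1))
    m = re.search(r'\bType\s*=\s*"([^"]*)"', rule)
    return [m.group(1)] if m else []


def is_saml11_claim_type(claim_type: str) -> bool:
    """Model of the ID4216 rule as quoted from the TechNet wiki: SAML 1.1 needs
    'namespace'/'name', i.e. a '/' with non-empty text on both sides.
    Assumption: this mirrors the quoted wording, not WIF's exact check."""
    namespace, sep, name = claim_type.rpartition("/")
    return bool(sep) and bool(namespace) and bool(name)


def check_rule(rule: str, token_format: str) -> list[str]:
    """Return the issued claim types the chosen token format would reject.

    token_format is "saml11" (what a WS-Fed relying party gets by default)
    or "saml20" (simple names such as EmailAddress or GroupName are allowed).
    """
    if token_format == "saml20":
        return []
    return [t for t in issued_claim_types(rule) if not is_saml11_claim_type(t)]


if __name__ == "__main__":
    for fmt in ("saml11", "saml20"):
        for rule in RULES:
            print(fmt, issued_claim_types(rule), "rejected:", check_rule(rule, fmt))
```

Running it shows that only the namespaced emailaddress rule passes under saml11, while all three rules are accepted under saml20, which matches the thread's outcome.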
  • Glad you got it figured out.

    This seems to be a problem with SAP products.

    I always recommend that people try and use the SAML 1.1 format.

    In particular, it causes problems when you federate with another ADFS and you want to pass the claim across because the federation connection is WS-Fed.

    • Edited by nzpcmad1 Monday, July 24, 2017 7:36 PM sp
    Monday, July 24, 2017 7:32 PM