Setting and extracting ADFS Claims using "Microsoft.IdentityServer.Web"

  • Question

  • We have ADFS setup with our own Multi-Factor Authentication Method. It's working fine.

    We are trying to layer in some additional claims to our Office 365 Identity Platform (Relying Party Trust).

    The goal is to pull the AD Groups for a user when they log in, then use their security group information to use a specific Security Policy within our own MFA Service. For example: If user is in any group that contains "admin", then set a claim result that tells us the security policy value for "admin" users.

    We have two questions: A) Are these claims below ok? B) Code example using "Microsoft.IdentityServer.Web" methods to retrieve the claims. (So far nothing we have tried is retrieving the claims we added.)

    ===============================================================================

    Here are the claims set in ADFS for Microsoft Office 365 Identity Platform. (The first two were set up initially; the next two rules (3 & 4) are our new claim rules.)

    1. c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

    2. c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

    3. c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value);

    4. c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)admin"]
     => issue(Type = "http://customurl.com/SecPol", Value = "AdminSecPolNameHere");

    ===============================================================

    Under the ADFS Claims Provider Trusts, we have a single Entry: "Active Directory".

    In this Trust, the following claim rules are set:

    • Pass through all 'group' claims.

    ===============================================================

    Any help, or links explaining how to do this would be appreciated.

    • Edited by amfa_guru Thursday, August 30, 2018 12:32 PM
    Thursday, August 30, 2018 12:19 PM

Answers

  • In the end, we enabled our ADFS adapter to simply query AD directly to get user roles.

    This worked fine. The MSFT ADFS 3rd Party Adapter "Jail House" does not permit access to this information.

    Marking this as solved by me.

    • Marked as answer by amfa_guru Thursday, February 7, 2019 4:11 PM
    Thursday, February 7, 2019 4:11 PM
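    The approach the accepted answer describes, as an added example that is not the poster's or Microsoft's code: the adapter resolves the user's AD groups itself and maps them to a policy with the same `(?i)admin` rule as claim rule 4. `GroupPolicyLookup`, `PolicyFor`, `PolicyForIdentityClaim` and the `"DefaultSecPolNameHere"` value are assumed names for this example; it assumes the adapter's identity claim is `windowsaccountname` (DOMAIN\user) and that the AD FS service account can read group membership.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Claims;
using System.Text.RegularExpressions;

// Added example (not the poster's code): query AD from inside the adapter
// instead of relying on issued claims, which the adapter sandbox never sees.
public static class GroupPolicyLookup
{
    // Same condition as claim rule 4: Value =~ "(?i)admin".
    private static readonly Regex AdminGroup = new Regex("admin", RegexOptions.IgnoreCase);

    // Pure mapping, so it can be unit-tested without a domain controller.
    public static string PolicyFor(IEnumerable<string> groupNames)
    {
        return groupNames.Any(g => AdminGroup.IsMatch(g))
            ? "AdminSecPolNameHere"    // value issued by claim rule 4
            : "DefaultSecPolNameHere"; // assumed placeholder for non-admin users
    }

    // Takes the identity claim AD FS passes to IAuthenticationAdapter.BeginAuthentication
    // (assumed to be windowsaccountname, DOMAIN\user) and looks the groups up directly.
    public static string PolicyForIdentityClaim(Claim identityClaim)
    {
        // Drop the domain prefix, as rule 1's regexreplace does for the UPN lookup.
        string sam = identityClaim.Value.Substring(identityClaim.Value.LastIndexOf('\\') + 1);

        // Runs as the AD FS service account; it needs read access to group membership.
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            if (user == null)
                throw new InvalidOperationException("User not found in AD: " + sam);

            // GetAuthorizationGroups() resolves nested membership; rule 3's memberOf
            // query only returns direct groups, so nested "admin" groups would be missed.
            var groups = user.GetAuthorizationGroups()
                             .Select(g => g.SamAccountName)
                             .Where(n => n != null)
                             .ToList();
            return PolicyFor(groups);
        }
    }
}
```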

All replies

  • After discussions with Microsoft, we were told this is not supported. End of story.
    Friday, October 26, 2018 4:14 PM