ADFS custom claim rule - manager attribute (HELP!)

  • Question

  • Hello -

    very new to creating custom claims for ADFS so please bear with me.  We have a SaaS application that requires the manager attribute to be processed in a claim rule.  I am having such a hard time configuring the ADFS rule because I do not know all this claims syntax.  However I'm tasked to get this done asap....please help!

    I'm trying to use example from here to get manager attribute

    https://technet.microsoft.com/en-us/library/ff678048(v=ws.11).aspx

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/ManagerDistinguishedName"), query = "sAMAccountName={0};mail,userPrincipalName,extensionAttribute5,manager,department,extensionAttribute2,cn;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

    However when I put this in the ADFS claims rule, I get policy002 error...I don't know enough to troubleshoot this.

    Our vendor suggested to use these two rules

    Change Rule 1 to:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/managerDN"), query = ";manager,{0}", 
    param = c.Value);

    Change Rule 2 to:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]

    && c1:[Type == "http://schemas.xmlsoap.org/claims/managerDN"]

    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/manager"), query = "distinguishedName={0};samAccountName", param = c1.Value);

    I'm able to add these rules without syntax errors, however when I do, I'm unable to log into SAAS anymore.  Basically I need custom rule to get manager attribute, and then extract samaccountname from that. 

    Can someone just help me???

    Thank you!!

    C


    Chau

    Wednesday, May 11, 2016 7:02 AM

All replies

  • Somewhat confused here!

    Apps consume claims, they don't produce them.

    The user authenticates via ADFS on AD and ADFS then passes claims to the SaaS app?

    What claims do you want to pass to the app?

    Wednesday, May 11, 2016 6:51 PM
  • The manager attribute in AD, but in samaccountname format, current manager attribute is DN format

    Chau

    Wednesday, May 11, 2016 7:00 PM
  • Please give an example of the current Manager DN format and the desired sAMAccountName format.

     
    Wednesday, May 11, 2016 7:03 PM
    We are basically trying to do the same thing here

    https://technet.microsoft.com/en-us/library/ff678048(v=ws.11).aspx

    Scroll all the way to the bottom to the very last example

    Example: How to use two custom rules to extract the manager e-mail from an attribute in Active Directory

    instead of extracting manager email, we want samaccountname


    Chau

    Wednesday, May 11, 2016 7:08 PM
    The syntax of those rules is wrong and they contain extension attributes that are irrelevant.

    To repeat:

    Please give an example of the current Manager DN format and the desired sAMAccountName format.

    Wednesday, May 11, 2016 8:46 PM
  • Manager DN

    CN=abc,OU=IT,OU=LA,OU=somewhere,DC=company,DC=com

    Samaccountname is in 3-character format - abc


    Chau

    Wednesday, May 11, 2016 9:58 PM
  • As I suspected - you can derive the sAMAccountName directly from the DN.

    No need for all this convoluted AD access :-).

    Use the example in Problem 1 here.

    You will see that they use "add" to create temporary claims rules e.g. phase1 and then an "issue" at the end.

    So start off with something like:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://test.com/phase1"), query = ";manager;{0}", param = c.Value);

    then a regex to get just "abc" into phase2

    and then something like:

    c:[Type == "http://test.com/phase2"]
    => issue(Type = "http://claim/sAMAccountName", Value = c.Value);

    Check what is the exact format of the string "http://claim/sAMAccountName" that the SaaS application requires.

    If problems, paste all your rules here.


    Wednesday, May 11, 2016 11:15 PM
  • We were able to get the manager attribute using the following

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerDN"), query = ";Manager;{0}", param = c.Value);


    Looks a lot like yours except we have =>issue instead of add.

    SaaS provider logs confirm the Manager DN is being passed

    2016-05-12 16:22:50,229 [ajp-nio-8009-exec-62] DEBUG [ c.f.s.s.SAMLSubject] [4c0ec6f9-24e1-4547-aa1a-77a8c3116786 ] - Attributes {'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerDN' : ['CN=abc,OU=IT,OU=LA,OU=SomeOu,DC=company,DC=com', ], }

    How do we extract samaccountname from this?  Samaccountname is the "abc" part of the DN.  Don't know how to write REGEX


    Chau

    Thursday, May 12, 2016 10:03 PM
  • Use the regex in the link above.

    You can use the same code.

    Put the claim into phase1, drop everything after the first comma, add to working set “phase 2”, drop CN= at the beginning, add to outgoing claim set as the required claim.

    Thursday, May 12, 2016 11:21 PM
  • Is this what you're referring to?

    c:[Type == "http://test.com/phase1"]

    => add(Type = "http://test.com/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));


    Chau

    Thursday, May 12, 2016 11:23 PM
  • Sorry but what do I replace "test.com/phase1" with?

    Chau

    Friday, May 13, 2016 12:20 AM
  • Read the article and follow step by step:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://test.com/phase1"), query = ";Manager;{0}", param = c.Value);

    c:[Type == "http://test.com/phase1"]

    => add(Type = "http://test.com/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));

    c:[Type == "http://test.com/phase2"]

    => issue(Type = "http://schemas.xmlsoap.org/claims/manager", Value = RegExReplace(c.Value, "^CN=", ""));


    • Marked as answer by Charlie1313 Friday, May 13, 2016 6:55 PM
    Friday, May 13, 2016 1:12 AM
  • Read the article many times.  I do not know how to use Regex, I do not know syntax for custom claims.  This is all like a new language to me, trying to figure this out through logic.

    In the example they are using groups

    I don't understand what is the meaning of the "test.com" in the example

    Example: “CN=Group1,OU=Users,DC=contoso,DC=com” is put into a phase 1 claim.

    Does that mean you put this here?

    types = ("http://test.com/phase1")  ---->   types=("CN=Group1,OU=Users,DC=contoso,DC=com")


    -C-

    • Marked as answer by Charlie1313 Friday, May 13, 2016 6:55 PM
    Friday, May 13, 2016 6:15 AM
  • I think we got it.  Here are the rules

    Rule 1 - Getting the manager attribute


    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerDN"), query = ";Manager;{0}", param = c.Value);

    Rule 2 - sending the DN to ManagerSAM? (I think - just following the example)

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerDN"]
    => add(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerSam", Value = RegExReplace(c.Value, ",[^\n]*", ""));

    Rule 3 - converting managerSAM to samaccountname with REGEX

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerSam"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerSam2", Value = RegExReplace(c.Value, "^CN=", ""));

    Please let me know if my descriptions are wrong


    -C-

    Friday, May 13, 2016 6:45 PM
    You will want to validate in all cases that the SamAccountname = your CN (the portion you are parsing out of the DN). There is no AD requirement that they be the same, and in some environments they are not.

    (In our case SamAccountName is set to be employeeID, whereas CN (and therefore the first part of the DN) is LastName, Firstname.)

    Wednesday, May 18, 2016 5:05 PM
  • If the displayname is in a lastname, firstname format, then you can use a different RegEx.  I built the following claims:

    Manager Phase 1:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://test.com/phase1"), query = ";Manager;{0}", param = c.Value);

    Manager Phase 2:

    c:[Type == "http://test.com/phase1"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/manager", Value = RegExReplace(c.Value, "\\|^CN=|,OU.*", ""));

    Works a charm.


    • Edited by BChristian Wednesday, December 12, 2018 6:06 AM typo
    Wednesday, December 12, 2018 6:05 AM
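    As an added illustration (not code from any post in this thread), the Python below applies the same regular expressions that the accepted Rule 2/Rule 3 pair and BChristian's single-regex variant hand to RegExReplace, run over a few constructed manager DNs, and shows the check the 18 May reply asks for. It goes a little beyond the thread: one DN has an escaped comma in its CN, one sits in the default CN=Users container rather than an OU, and a constructed directory map stands in for the AD lookup where CN and sAMAccountName differ. The extract_cn and lookup_sam helpers and the DIRECTORY map are hypothetical; Python's re module is used as a stand-in for the .NET engine ADFS uses, which handles these particular patterns identically.

```python
import re

# Constructed sample DNs (not from any real directory): the first mirrors
# the thread, the second has an RFC 4514 escaped comma in the CN, the third
# lives in the default "CN=Users" container rather than an OU.
SAMPLE_DNS = [
    r"CN=abc,OU=IT,OU=LA,OU=somewhere,DC=company,DC=com",
    r"CN=Doe\, Jane,OU=Users,DC=company,DC=com",
    r"CN=abc,CN=Users,DC=company,DC=com",
]

def two_step(dn):
    """The accepted rules: drop everything after the first comma (Rule 2),
    then drop the leading 'CN=' (Rule 3). Each step is one RegExReplace."""
    phase2 = re.sub(r",[^\n]*", "", dn)
    return re.sub(r"^CN=", "", phase2)

def single_step(dn):
    """BChristian's one-regex variant for 'Lastname, Firstname' names: strips
    the escaping backslash, the 'CN=' prefix and everything from ',OU' on."""
    return re.sub(r"\\|^CN=|,OU.*", "", dn)

def extract_cn(dn):
    """Hypothetical helper (not on the page): take the value of a leading CN
    RDN while honouring backslash escapes, then unescape it."""
    m = re.match(r"^CN=((?:\\.|[^,\\])*)", dn)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None

def lookup_sam(dn, directory):
    """The check from the 18 May reply: resolve the DN to its real
    sAMAccountName instead of assuming it equals the CN."""
    return directory.get(dn)

# Constructed directory: here sAMAccountName is an employee id, so the
# CN-derived value and the real attribute disagree for 'Doe, Jane'.
DIRECTORY = {
    SAMPLE_DNS[0]: "abc",
    SAMPLE_DNS[1]: "e12345",
    SAMPLE_DNS[2]: "abc",
}

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn)
        print("  two_step   :", two_step(dn))      # second DN -> 'Doe\'
        print("  single_step:", single_step(dn))   # third DN keeps ',CN=Users,...'
        print("  extract_cn :", extract_cn(dn))
        print("  AD lookup  :", lookup_sam(dn, DIRECTORY))
```

    Neither regex proves anything about the sAMAccountName attribute itself; only the lookup does, which is why a mismatch between extract_cn and lookup_sam for the second DN is the case to watch for.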
  • Is it solved? What's the status?

    Monday, December 17, 2018 12:05 AM
  • Configure ADFS relying party claim rules

    Edit the Claim rules to enable proper communication with the instance.

    Before you begin

    Role required: admin

    Procedure

    1. Log into the ADFS server and open the management console.
    2. Right-click the relying party trust and select Edit Claim Rules.
    3. Click the Issuance Transform Rules tab.
    4. Select Add Rules.
    5. Select Send LDAP Attribute as Claims as the claim rule template to use.
    6. Give the claim a name such as Get LDAP Attributes.
    7. Set the Attribute store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
       a. This claim rule should look similar to the following rule language.

          c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
          => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
       b. Click Finish.

    Monday, December 17, 2018 12:16 AM