Adding constraints to a Claims Provider Trust

  • Question

  • Hi,
    I'm setting up a Claims Provider Trust with a partner organization, and I want to make sure that claims that they issue only contain valid e-mail and UPN suffixes from their organization. All UPN/E-Mail suffixes end with "contoso.com", but they have several sub-domains "it.contoso.com", "accounting.contoso.com" etc. I've tried to use the option "Pass through only claim values that match a specific email suffix value" on the "Pass through or Filter an Incoming Claim" rule template. But it seems that I can only specify one suffix, and it must match exactly what comes after @.

    So I tried creating a custom rule as follows:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "contoso.com$"]
      => issue (claim = c);

    But the problem is that even with this rule applied to the Claims Provider Trust, claims that do not match the suffix regex are passed through. I've tried to set up the same rule on an RP Trust to my application, and there the claims are filtered out, but it doesn't seem to work on Claims Provider Trusts.

    I haven't been able to find any documentation on this either. What am I doing wrong?

    Tuesday, August 28, 2018 8:20 PM

All replies

  • You could use the following rule:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ getemailsuffixregex("contoso.com")]
     => issue(claim = c);

    BUT you need to make sure you do not have another rule that passes the emailaddress claim. What are the other rules set on the CPT?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, August 29, 2018 8:27 PM
  • Hi,
    Your rule works if the e-mail suffix is contoso.com, but it does not work if the e-mail suffix is subdomain.contoso.com

    I need a rule that catches all sub-domains as well.

    Thursday, October 25, 2018 9:07 PM
  • Then:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "contoso.com$"]
     => issue(claim = c);

    Friday, October 26, 2018 2:20 PM
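The two patterns discussed in this thread behave differently on the inputs that matter, and one of them is looser than it looks: in a regex an unescaped "." matches any character and "contoso.com$" is anchored only at the end, so a claim such as "mallory@evilcontoso.com" would satisfy it. The script below is an added example, not code from the thread or from AD FS. It uses Python's re module to compare the thread's pattern with a pattern that is anchored on both sides, escapes the dot, and accepts contoso.com plus any depth of subdomain, and it prints the claim rule text that would carry that pattern for both the emailaddress and the upn claim types. The sample addresses are constructed for the demonstration, and the function names (suffix_pattern, accepted, build_rule) are this example's own. It assumes that the .NET regex engine AD FS uses treats these constructs (anchors, escaped dot, non-capturing group, the (?i) flag) the same way Python does, which holds for these patterns.

```python
import re

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample values that an incoming claim from the partner might carry.
SAMPLE_EMAILS = [
    "alice@contoso.com",
    "bob@it.contoso.com",
    "carol@accounting.contoso.com",
    "mallory@evilcontoso.com",        # different registrable domain
    "mallory@contoso.com.evil.org",   # target domain in the middle, not at the end
    "mallory@contosoXcom",            # an unescaped "." accepts this
    "eve@fabrikam.com",
]

# The pattern given in the thread, as it would appear in Value =~ "...".
LOOSE_PATTERN = "contoso.com$"


def suffix_pattern(domain: str) -> str:
    """Regex accepting an address whose domain is `domain` or any subdomain of it.

    Anchored at both ends, the domain's dots are escaped, and (?i) makes the
    match case-insensitive regardless of the engine's default.
    """
    escaped = re.escape(domain)
    return rf"(?i)^[^@\s]+@(?:[a-z0-9-]+\.)*{escaped}$"


def matches(pattern: str, value: str) -> bool:
    """Mimic the rule language's =~ operator: an unanchored search."""
    return re.search(pattern, value) is not None


def accepted(pattern: str, values: list[str]) -> list[str]:
    """Values that the pattern would let through as an issued claim."""
    return [v for v in values if matches(pattern, v)]


def build_rule(domain: str, claim_type: str = EMAIL_CLAIM) -> str:
    """Claim rule text that issues the incoming claim only when its value matches."""
    return (
        f'c:[Type == "{claim_type}", Value =~ "{suffix_pattern(domain)}"]\n'
        " => issue(claim = c);"
    )


if __name__ == "__main__":
    strict = suffix_pattern("contoso.com")
    print(f"{'value':32} {'thread pattern':>14} {'strict pattern':>14}")
    for v in SAMPLE_EMAILS:
        print(f"{v:32} {str(matches(LOOSE_PATTERN, v)):>14} {str(matches(strict, v)):>14}")
    print()
    for claim_type in (EMAIL_CLAIM, UPN_CLAIM):
        print(build_rule("contoso.com", claim_type))
        print()
```

The emitted rules belong in the trust's acceptance transform rule set, and, as the first reply points out, they only constrain anything if no other rule in that set (a pass-through-all rule, for instance) issues the same claim type.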