ADFS send selective groups again, weird issue.

  • Question

  • The following works correctly if a user is a member of a group that starts with "CA_" but if they are not it returns all groups for a given user which I think is not right.

    @RuleTemplate = "LdapClaims"

    @RuleName = "get-groups"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://x.y.z/phase1"), query = ";memberOf;{0}", param = c.Value);

    @RuleName = "p2"
    c:[Type == "http://x.y.z/phase1"]
     => add(Type = "http://x.y.z/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));

    @RuleName = "p3"
    c:[Type == "http://x.y.z/phase2"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/group", Value = RegExReplace(c.Value, "^CN=", ""));

    @RuleName = "filter-group"
    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)CA_"]
     => issue(claim = c);

    Any ideas, or more likely, what am I doing wrong?

    thanks greatly

    tr

    Wednesday, July 13, 2016 12:52 PM

Answers

  • Here is the working version; I needed to make it an "add" in p3, not an issue.

    @RuleTemplate = "LdapClaims"
    @RuleName = "ca-dev"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "urn:oid.0.9.2342.100.1.1"), query = ";userPrincipalName,sn,givenName,userPrincipalName;{0}", param = c.Value);

    @RuleName = "get-groups"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://x.y.z/phase1"), query = ";memberOf;{0}", param = c.Value);

    @RuleName = "p2"
    c:[Type == "http://x.y.z/phase1"]
     => add(Type = "http://x.y.z/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));

    @RuleName = "p3"
    c:[Type == "http://x.y.z/phase2"]
     => add(Type = "http://schemas.xmlsoap.org/claims/Group", Value = RegExReplace(c.Value, "^CN=", ""));

    @RuleName = "filter-group"
    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)CA_"]
     => issue(claim = c);

    Wednesday, July 13, 2016 9:30 PM
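To make the add-versus-issue point concrete, here is a small model of the thread's rule pipeline (added illustration, not ADFS code or anything from the original posts). It assumes the ADFS semantics that "add" only places a claim in the working set while "issue" also copies it to the output set; the user names and group DNs are constructed sample data. With "issue" in p3, every group reaches the output under the Microsoft group type and the filter rule, which looks for the xmlsoap Group type, never matches; with "add", only names containing "CA_" (anywhere, case-insensitively, as the page's regex is written) are issued.

```python
import re

# Claim types used in the thread's rules
WINACCT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
PHASE1 = "http://x.y.z/phase1"
PHASE2 = "http://x.y.z/phase2"
MS_GROUP = "http://schemas.microsoft.com/ws/2008/06/identity/claims/group"
XMLSOAP_GROUP = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample data: what the ";memberOf;{0}" attribute-store query
# would return for each user (group DNs). Made-up values, not from the page.
MEMBER_OF = {
    "CORP\\alice": [
        "CN=CA_Finance,OU=Groups,DC=corp,DC=example",
        "CN=Domain Users,CN=Users,DC=corp,DC=example",
    ],
    "CORP\\bob": [
        "CN=Domain Users,CN=Users,DC=corp,DC=example",
        "CN=Helpdesk,OU=Groups,DC=corp,DC=example",
    ],
}


def run_pipeline(user, p3_action):
    """Model the rule set; p3_action is 'issue' (the broken version) or 'add' (the fix).
    Returns the list of (type, value) claims that end up in the output token."""
    working = [(WINACCT, user)]   # input/working claim set
    output = []                   # claims issued to the token
    # get-groups: add one phase1 claim per group DN returned by the store
    working += [(PHASE1, dn) for dn in MEMBER_OF[user]]
    # p2: keep only the first RDN by dropping everything from the first comma
    working += [(PHASE2, re.sub(r",[^\n]*", "", v)) for t, v in working if t == PHASE1]
    # p3: strip the leading "CN="; the broken version issues a Microsoft group
    # claim, the fixed version adds an xmlsoap Group claim to the working set
    for t, v in list(working):
        if t != PHASE2:
            continue
        name = re.sub(r"^CN=", "", v)
        if p3_action == "issue":
            output.append((MS_GROUP, name))   # issue copies to the output...
            working.append((MS_GROUP, name))  # ...and to the working set
        else:
            working.append((XMLSOAP_GROUP, name))
    # filter-group: issue only xmlsoap Group claims whose value matches (?i)CA_
    for t, v in working:
        if t == XMLSOAP_GROUP and re.search(r"(?i)CA_", v):
            output.append((t, v))
    return output
```

Running `run_pipeline("CORP\\bob", "issue")` shows both of Bob's groups in the output even though neither contains "CA_", which is the symptom the question describes; `run_pipeline("CORP\\bob", "add")` returns an empty list.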

All replies

  • p3 issues the groups stripped of everything except the name as http://schemas.microsoft.com/ws/2008/06/identity/claims/group

    But then you use http://schemas.xmlsoap.org/claims/Group as another issue. Where does this come from?

    Wednesday, July 13, 2016 9:18 PM
  • So is that resolved? :)

    Thursday, July 14, 2016 12:45 PM
  • sorry yes.
    Thursday, July 14, 2016 3:09 PM