ADFS sends selective groups again, weird issue.

Question
The following works correctly if a user is a member of a group that starts with "CA_", but if they are not, it returns all groups for the given user, which I think is not right.
@RuleTemplate = "LdapClaims"
@RuleName = "get-groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://x.y.z/phase1"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "p2"
c:[Type == "http://x.y.z/phase1"]
=> add(Type = "http://x.y.z/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));

@RuleName = "p3"
c:[Type == "http://x.y.z/phase2"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/group", Value = RegExReplace(c.Value, "^CN=", ""));

@RuleName = "filter-group"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)CA_"]
=> issue(claim = c);

Any ideas, or more likely, what am I doing wrong?
thanks greatly
tr
Wednesday, July 13, 2016 12:52 PM
Answers
Here is the working version; I needed to make it an "add" in p3, not "issue".
@RuleTemplate = "LdapClaims"
@RuleName = "ca-dev"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "urn:oid.0.9.2342.100.1.1"), query = ";userPrincipalName,sn,givenName,userPrincipalName;{0}", param = c.Value);

@RuleName = "get-groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://x.y.z/phase1"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "p2"
c:[Type == "http://x.y.z/phase1"]
=> add(Type = "http://x.y.z/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));

@RuleName = "p3"
c:[Type == "http://x.y.z/phase2"]
=> add(Type = "http://schemas.xmlsoap.org/claims/Group", Value = RegExReplace(c.Value, "^CN=", ""));

@RuleName = "filter-group"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)CA_"]
=> issue(claim = c);

Marked as answer by Pierre Audonnet [MSFT], Microsoft employee, Monday, July 18, 2016 5:47 PM
Wednesday, July 13, 2016 9:30 PM
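The fix above turns on one rule-engine detail: an "add" puts a claim into the input set only, where later rules can match it, while an "issue" puts it into the input set and into the token sent to the relying party. With "issue" in p3, every group reaches the relying party before filter-group ever runs, and filter-group then matches nothing because it looks for the xmlsoap Group type that p3 never produced. The following Python model is an added example, not code from the thread or from ADFS; it re-implements the four rules over a constructed, hypothetical memberOf list (the ";memberOf;{0}" store query cannot run offline) so the two versions can be compared side by side. It also shows that the unanchored pattern "(?i)CA_" matches the substring anywhere in the name, so a group such as LOCA_Printers would pass; an anchored variant, "(?i)^CA_", is included as a comparison and is my addition, not part of the accepted answer.

```python
import re

# Claim types used by the rules in the thread.
PHASE1 = "http://x.y.z/phase1"
PHASE2 = "http://x.y.z/phase2"
GROUP_MS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/group"
GROUP_XMLSOAP = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample of what the store query ";memberOf;{0}" might return for
# one user. Hypothetical DNs, not data from the original post.
SAMPLE_MEMBER_OF = [
    "CN=CA_Admins,OU=Groups,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
    "CN=Finance,OU=Groups,DC=example,DC=com",
    "CN=LOCA_Printers,OU=Groups,DC=example,DC=com",
]


def run_rules(member_of, p3_action, p3_type, filter_regex):
    """Model of the ADFS claims pipeline for the four rules in the thread.

    'add' puts a claim into the input set only (visible to later rules, not
    sent to the relying party); 'issue' puts it into the input set AND the
    output set.  Returns the sorted output set as (type, value) tuples.
    """
    inputs = []
    outputs = []

    def emit(action, claim):
        inputs.append(claim)
        if action == "issue":
            outputs.append(claim)

    # get-groups: add(store = "Active Directory", query = ";memberOf;{0}")
    for dn in member_of:
        emit("add", (PHASE1, dn))

    # p2: add(Type = phase2, Value = RegExReplace(c.Value, ",[^\n]*", ""))
    # i.e. keep only the first RDN of the DN.
    for _, v in [c for c in inputs if c[0] == PHASE1]:
        emit("add", (PHASE2, re.sub(r",[^\n]*", "", v)))

    # p3: <add|issue>(Type = p3_type, Value = RegExReplace(c.Value, "^CN=", ""))
    for _, v in [c for c in inputs if c[0] == PHASE2]:
        emit(p3_action, (p3_type, re.sub(r"^CN=", "", v)))

    # filter-group: c:[Type == xmlsoap Group, Value =~ filter_regex] => issue(claim = c)
    for t, v in [c for c in inputs if c[0] == GROUP_XMLSOAP]:
        if re.search(filter_regex, v):
            emit("issue", (t, v))

    return sorted(set(outputs))


def question_version(member_of=SAMPLE_MEMBER_OF):
    """p3 uses issue() with the Microsoft group type: every group is sent, and
    filter-group never sees a claim of the xmlsoap type, so it matches nothing."""
    return run_rules(member_of, "issue", GROUP_MS, r"(?i)CA_")


def answer_version(member_of=SAMPLE_MEMBER_OF):
    """p3 uses add() with the xmlsoap type: only claims that pass filter-group
    reach the relying party. The pattern is unanchored, so LOCA_Printers passes."""
    return run_rules(member_of, "add", GROUP_XMLSOAP, r"(?i)CA_")


def answer_version_anchored(member_of=SAMPLE_MEMBER_OF):
    """Same as the accepted answer but with the prefix anchored (my variant),
    so only names that start with CA_ are issued."""
    return run_rules(member_of, "add", GROUP_XMLSOAP, r"(?i)^CA_")


if __name__ == "__main__":
    for name, fn in [("question", question_version),
                     ("answer", answer_version),
                     ("answer, anchored", answer_version_anchored)]:
        print(f"{name}:")
        for t, v in fn():
            print(f"  {t} = {v}")
```

Running the block prints the output set for each variant; the question version lists all four groups under the Microsoft group type, the accepted answer lists CA_Admins and LOCA_Printers, and the anchored variant lists CA_Admins only. The model ignores the ca-dev rule, which issues name claims rather than groups and does not affect the comparison.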
All replies
p3 issues the groups, stripped of everything except the name, as http://schemas.microsoft.com/ws/2008/06/identity/claims/group.
But then you use http://schemas.xmlsoap.org/claims/Group in another issue. Where does this come from?
Wednesday, July 13, 2016 9:18 PM
So is that resolved? :)
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
Thursday, July 14, 2016 12:45 PM
Sorry, yes.
Thursday, July 14, 2016 3:09 PM