ADFS Custom Claim Rule pulling Office AD attribute

  • Question

  • Okay guys,

    I am trying to pull the office attribute in ADFS 2.0 and send it as a claim. Can someone please help me?

    I created a custom claim description (which, in all honesty, I do not know is correct):

    http://schemas.microsoft.com/ws/2005/05/identity/claims/office

    I then went to the relying party trust and tried two things:

    1. I created a Pass through or Filter an Incoming Claim

    Passed the incoming claim type "office" and checked the check box "pass through all claim values".

    2. I created a custom rule

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/office"), query = ";office;{0}", param = c.Value);

    In all honesty I have never delved this far into ADFS to create a claim. They have always been pretty clear cut and just used LDAP Attributes as Claims, but as you know, Office is not a part of that.

    Is this possible, or am I chasing a unicorn? 

    Thanks guys!

    Tyler

    Thursday, October 20, 2016 2:19 PM

Answers


  • Sorry, I thought you meant you had already identified the attribute in AD and it was called office.

    If you refer to this section:

    The rules will be:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://mycompany.com/claims/office"), query = ";physicalDeliveryOfficeName;{0}", param = c.Value);

    Note that you can put whatever you want for the namespace (here I put mycompany.com/claims). It does not have to be a valid URL, but it does have to be in URI format. Just avoid using a namespace that you don't own, otherwise it might conflict with other trusts at some point and some weird results might occur.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Proposed as answer by Liinus Friday, October 21, 2016 2:37 PM
    • Marked as answer by Wundah Bredman Monday, October 24, 2016 5:40 PM
    Thursday, October 20, 2016 7:53 PM
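    One way to apply the accepted answer's rule from PowerShell, with the checks a practitioner would want before trusting the new claim (added example, not code from the thread or from Microsoft). It assumes the ADFS cmdlets are loaded (on ADFS 2.0, via `Add-PSSnapin Microsoft.Adfs.PowerShell`), the ActiveDirectory module is installed, and that the trust name "Example RP" and the account "testuser" are placeholders for your own.

```powershell
# Added example, not from the thread. Assumes: ADFS cmdlets are available
# (ADFS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell), the ActiveDirectory
# module is installed, and a relying party trust named "Example RP" exists.
$RpName    = "Example RP"                          # assumed trust display name
$ClaimType = "http://mycompany.com/claims/office"  # namespace you control, as in the answer

# 1. Confirm the AD attribute is actually populated for a test user before
#    issuing it; an empty physicalDeliveryOfficeName simply yields no claim.
Import-Module ActiveDirectory
$user = Get-ADUser -Identity "testuser" -Properties physicalDeliveryOfficeName  # assumed account
if (-not $user.physicalDeliveryOfficeName) {
    Write-Warning "physicalDeliveryOfficeName is empty for $($user.SamAccountName); the rule will issue nothing."
}

# 2. Register the claim description so the type shows up in the ADFS UI
#    (not required for issuance, but keeps the trust configuration readable).
if (-not (Get-AdfsClaimDescription | Where-Object { $_.ClaimType -eq $ClaimType })) {
    Add-AdfsClaimDescription -Name "Office" -ClaimType $ClaimType -IsOffered $true -IsAccepted $true
}

# 3. The issuance rule from the accepted answer, with a rule name for readability.
$officeRule = @"
@RuleName = "Office from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$ClaimType"), query = ";physicalDeliveryOfficeName;{0}", param = c.Value);
"@

# 4. -IssuanceTransformRules REPLACES the whole rule set, so read the existing
#    rules first and append, or every other claim rule on the trust is dropped.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if ($rp.IssuanceTransformRules -like "*physicalDeliveryOfficeName*") {
    Write-Host "Office rule already present on '$RpName'; nothing to do."
} else {
    $newRules = $rp.IssuanceTransformRules + "`r`n" + $officeRule
    Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $newRules
}

# 5. Print the resulting rule set so the change can be reviewed before sign-in is tested.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```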

All replies

  • This should work. Use your own namespace though. It's a good practice not to modify stuff in namespaces you don't own.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, October 20, 2016 3:47 PM
  • My own namespace where?

    Also would it be office? Or location? or l?

    Tyler

    Thursday, October 20, 2016 5:28 PM