AD FS 3.0 timestamp (date and time) of access as outgoing claim

  • Question

  • So this is a really simple question. Is it possible to have the timestamp of access/ request as an outgoing claim from either the acceptance or issuance claim rules? If so, how?

    This is relevant in implementing claims-based access control based on the time of day (production hours, off-peak hours etc.). I don't see this seeming feasible using LDAP query as claims, so maybe there is some configuration that will allow sending timestamps as claims?

    Wednesday, February 10, 2016 8:57 PM

Answers

  • There are always two default claims:

    http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod = urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

    http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant = 2016-02-10T21:54:27.969Z

    • Marked as answer by PSapprentice Wednesday, February 17, 2016 8:54 AM
    Wednesday, February 10, 2016 10:01 PM

All replies

  • Hi nzpcmad1, thanks for your response. I can't believe I missed this in the claims description!

    One thing is weird though, I can never make a passthrough rule to pass these claims to the service provider. Even if I create a passthrough rule in the acceptance rules and issuance rules (even in the authorization rules just to be sure), these claims never get to the service provider. However, if I create some kind of a transform rule, the claims do get to the service provider. What I mean is, the following does NOT work:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
     => issue(claim = c);

    but the following works just fine:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
     => issue(Type = "http://someotherauthenticationinstant", Value = c.Value);

    can you, or anyone, explain this behavior?

    Thursday, February 11, 2016 11:50 PM
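The time-of-day access control the original question asks about, built on the authenticationinstant claim that the answer points to, as an added example that is not part of this thread and not Microsoft's own code. It assumes a relying party trust with the placeholder display name "Example Relying Party" and a production window of 08:00 to 17:59 UTC; the regex, the rule name and the sample instants other than the one quoted in the thread are constructed for the example. The claim rule language has no date arithmetic, so the rule matches the hour field of the ISO 8601 instant with a regular expression; the instant is in UTC, so the window must be expressed in UTC as well.

```powershell
# Added example, not code from the thread. Assumptions: a relying party trust
# named "Example Relying Party" (placeholder) and a production window of
# 08:00-17:59 UTC. The authenticationinstant claim value is an ISO 8601 UTC
# timestamp such as 2016-02-10T21:54:27.969Z, so the hour field can be
# matched with a regex inside an issuance authorization rule.

$rpName = 'Example Relying Party'   # placeholder, replace with your RP name

# Match hour 08..17 (UTC). Instants outside the window issue no permit claim,
# so the request falls through to the default deny of the authorization rules.
$productionHours = '^\d{4}-\d{2}-\d{2}T(0[89]|1[0-7]):'

# Constructed issuance authorization rule (single permit rule for the RP).
$authzRules = @"
@RuleName = "Permit during production hours (UTC)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant", Value =~ "$productionHours"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Local dry run of the same regex against the instant quoted in the thread and
# two constructed instants, so the window can be checked before publishing.
$samples = @(
    '2016-02-10T21:54:27.969Z',   # from the thread: 21:54 UTC, outside window
    '2016-02-10T09:15:00.000Z',   # constructed: inside window
    '2016-02-10T17:59:59.999Z'    # constructed: last second inside window
)
foreach ($s in $samples) {
    $permit = $s -match $productionHours
    '{0}  permit={1}' -f $s, $permit
}

# Install the rule only where the ADFS module is loaded (on the AD FS server);
# elsewhere just print the rule text for review.
if (Get-Command Set-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue) {
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules
    (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
} else {
    $authzRules
}
```

The dry run reports permit=False for the thread's 21:54 UTC instant and permit=True for the two constructed daytime instants. Two points matter when relying on this claim: the instant records when the user last authenticated, not when the current token is requested, so under single sign-on a session established inside the window keeps carrying an in-window instant until it expires, and the relying party's web SSO lifetime should be no longer than the window it is meant to enforce; and because the value is UTC, a window defined in local time has to be converted, daylight saving included, before it is written into the regex.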