ADFS 2.0 Custom claim rule

  • Question

  • Hi Experts,

    Is it possible to check conditions and decide which claim needs to be sent?

    For example: we need to send the EmployeeNumber attribute as a claim, but some users do not have an employeeNumber. In that case we need to send the SID of the user object as a claim. Is this possible? If yes, could you please provide the syntax?

    Regards, Nidhin.CK

    Wednesday, August 17, 2016 10:11 PM

Answers

  • Yes it is, with several rules. Here is an example with 3 rules:

    Rule 1: get the employeeID from AD and store it in the claim type of your choice (here: http://yournamespace/employeeID)

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://yournamespace/employeeID"), query = ";employeeID;{0}", param = c.Value);
    

    Rule 2: Check if we got a value; if not, we create a new claim that we add to the pipeline stating that we don't have a value (I use the custom claim employeeIDcheck this time).

    NOT EXISTS([Type == "http://yournamespace/employeeID"])
     => add(Type = "http://yournamespace/employeeIDcheck", Value = "FAILED");

    Rule 3: If employeeIDcheck is set with the value 'FAILED' and we have the SID of the user in the pipeline (we have it by default, since it is in the acceptance rules of the claim provider trust for AD), then we issue the SID as an employeeID:

    c1:[Type == "http://yournamespace/employeeIDcheck", Value == "FAILED" ] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" ]
     => issue( Type = "http://yournamespace/employeeID", Value = c2.Value );
    

    Give it a try with the claim type you'd like.


    • Marked as answer by Nidhin CK Thursday, August 18, 2016 1:07 AM
    Thursday, August 18, 2016 12:11 AM

All replies

  • I actually check for employeeID, not employeeNumber, but you got the drift :)

    Thursday, August 18, 2016 12:13 AM
  • Thanks a lot Pierre. I made one more change, because while sending the employee number we need to remove a static value called WD. So the total number of rules is 4.

    Rule 1

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("SKP_UserName"), query = ";employeeNumber;{0}", param = c.Value);
    

    Rule 2

    c:[Type == "SKP_UserName"]
     => issue(Type = "SKP_UserName", Value = RegExReplace(c.Value, "^(WD)", ""));
    

    Rule 3

    NOT EXISTS([Type == "SKP_UserName"])
     => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/employeeIDcheck", Value = "FAILED");
    

    Rule 4

    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/employeeIDcheck", Value == "FAILED"]
     && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
     => issue(Type = "SKP_UserName", Value = c2.Value);
    


    Regards, Nidhin.CK

    Thursday, August 18, 2016 1:10 AM
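    As an added illustration (this is not code from the thread, and it is a model, not the real ADFS engine), the Python below walks a claim set through Nidhin's four rules the way the ADFS pipeline evaluates them: rules run in order, "add" places a claim only in the input set, "issue" places it in both the input and output sets, and NOT EXISTS is tested against the input set as it stands at that rule. Pierre's three-rule answer is the same flow without the WD strip. The AD attribute store is a constructed dictionary and the account names and SIDs are made-up sample values.

```python
import re

# Claim types used by the rules on this page.
WAN = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
CHECK = "http://schemas.microsoft.com/ws/2008/06/identity/claims/employeeIDcheck"
OUT = "SKP_UserName"

# Constructed stand-in for the "Active Directory" attribute store:
# windowsaccountname -> employeeNumber (None = attribute not set on the object).
AD_STORE = {"CONTOSO\\alice": "WD10042", "CONTOSO\\bob": None}


def has(claims, ctype, value=None):
    """Mimic an EXISTS([Type == ..., Value == ...]) test over a claim set."""
    return any(t == ctype and (value is None or v == value) for t, v in claims)


def first(claims, ctype):
    return next(v for t, v in claims if t == ctype)


def run_rules(incoming):
    """Evaluate the four rules in order and return the claims issued to the RP."""
    inp, out = list(incoming), []

    def add(t, v):            # 'add' -> input set only (not sent to the RP)
        inp.append((t, v))

    def issue(t, v):          # 'issue' -> input set and output set
        inp.append((t, v))
        out.append((t, v))

    # Rule 1: query ";employeeNumber;{0}" with the account name; 'add' the raw value.
    if has(inp, WAN):
        raw = AD_STORE.get(first(inp, WAN))
        if raw is not None:   # an empty attribute yields no claim at all
            add(OUT, raw)
    # Rule 2: strip the static "WD" prefix and issue the cleaned value.
    if has(inp, OUT):
        issue(OUT, re.sub(r"^(WD)", "", first(inp, OUT)))
    # Rule 3: NOT EXISTS -> mark the lookup as FAILED (input set only).
    if not has(inp, OUT):
        add(CHECK, "FAILED")
    # Rule 4: FAILED marker plus a primary SID -> issue the SID as the fallback.
    if has(inp, CHECK, "FAILED") and has(inp, SID):
        issue(OUT, first(inp, SID))
    return out
```

Only the stripped employee number or the SID reaches the relying party; the raw WD-prefixed value and the FAILED marker stay in the input set because they were added, not issued.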