Conditional Groups claim

  • Question

  • Hi,

    I want to issue a claim with a specific value based on a group membership. However, if the user is NOT a member of the group, I want to issue the same claim but with a different value.

    This is the claim if the user is a member of a certain AD group. The value passed is PROFESSIONAL:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-507921405-261903793-839522115-54884", Issuer == "AD AUTHORITY"]
     => issue(Type = "FD_abovorm", Value = "PROFESSIONAL", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

    Now I want to pass the value DIGITAL if the user is NOT a member of the group.
    How can I do that?

    Regards,

    Chiel Varkevisser

    Thursday, August 10, 2017 3:24 PM

All replies

  • You can create a second rule like:

    NOT EXISTS([Type == "FD_abovorm"])
     => issue(Type = "FD_abovorm", Value = "DIGITAL");

    Or you can create the opposite of the first one, and in that case you can place the rule before or after the one you created:

    NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-507921405-261903793-839522115-54884", Issuer == "AD AUTHORITY"])
     => issue(Type = "FD_abovorm", Value = "DIGITAL");


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by ChielV Friday, August 11, 2017 3:45 PM
    Thursday, August 10, 2017 4:37 PM
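Added example, not part of the answer above: applying the two rules from the answer to a relying party trust with the AD FS PowerShell module. The relying party name "Contoso App" is a hypothetical placeholder; the group SID is the one from the question. The second rule checks for the FD_abovorm claim, and a claim produced by issue() is added to the pipeline's input set for later rules, so that rule only works as intended when it runs after the group rule. The script writes the rules in that order and appends them to whatever is already configured, because -IssuanceTransformRules replaces the entire rule set.

```powershell
# Added example (not from the original post): set the FD_abovorm issuance rules
# on a relying party trust. Assumes the ADFS module on the federation server and
# a relying party trust named "Contoso App" (hypothetical name).
Import-Module ADFS

$rpName   = "Contoso App"                                    # hypothetical
$groupSid = "S-1-5-21-507921405-261903793-839522115-54884"   # SID from the question

# Rule 1: members of the group get PROFESSIONAL.
# Rule 2: anyone who reaches this rule without an FD_abovorm claim gets DIGITAL.
# Order matters: rule 2 only sees the claim issued by rule 1 if it runs later.
# If rule 2 ran first, every user would get DIGITAL and members would end up
# with both values.
$rules = @"
@RuleName = "FD_abovorm PROFESSIONAL for group members"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "FD_abovorm", Value = "PROFESSIONAL", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "FD_abovorm DIGITAL for everyone else"
NOT EXISTS([Type == "FD_abovorm"])
 => issue(Type = "FD_abovorm", Value = "DIGITAL");
"@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# -IssuanceTransformRules replaces the whole set, so keep the existing rules
# and append. Refuse to append a second copy if FD_abovorm is already issued.
$existing = $rp.IssuanceTransformRules
if ($existing -match 'Type = "FD_abovorm"') {
    throw "FD_abovorm rules already present on '$rpName'; edit them instead of appending"
}
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $rules)

# Read the rule set back so the order can be checked.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The alternative from the answer (a NOT EXISTS on the group SID instead of on the FD_abovorm claim) can be used in place of rule 2 and is order-independent, since it tests an input claim rather than one produced by another rule.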
  • Hi Pierre,

    Thanks! Is there also a way to see what outgoing claims and their values were sent to the other party? I checked the debug log but could not find it.

    Friday, August 11, 2017 1:39 PM
  • Yes, you will have to enable auditing in ADFS, and on the OS for the category "Application Generated".

    Then you will have events 500 and 501 in the Security event log listing the claims available in the pipeline.


    • Marked as answer by ChielV Friday, August 11, 2017 3:45 PM
    Friday, August 11, 2017 2:49 PM
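Added example, not part of the answer above: enabling the two pieces of auditing the answer names and then reading the 500/501 events from the Security log. It assumes an elevated PowerShell session on the federation server and that the AD FS service account holds the "Generate security audits" user right, which the OS requires before it accepts audit events from a service. Verbose audits put every claim value (group SIDs, UPNs, the FD_abovorm value) into the Security log, so turn them on for troubleshooting and back down afterwards.

```powershell
# Added example (not from the original post): enable AD FS audit logging and
# list the claim-pipeline audit events. Run elevated on the federation server.
# Assumption: the AD FS service account has the "Generate security audits"
# user right; without it the events are never written.
Import-Module ADFS

# 1. OS side: success and failure auditing for the "Application Generated"
#    subcategory, which is where AD FS writes its security audits.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# 2. AD FS side: add success and failure audits to the service log level,
#    keeping whatever levels are already configured.
$current = @((Get-AdfsProperties).LogLevel)
$wanted  = @($current + 'SuccessAudits' + 'FailureAudits') | Select-Object -Unique
Set-AdfsProperties -LogLevel $wanted

# AD FS on Windows Server 2016 and later also has -AuditLevel; Verbose makes
# the full claim set appear in the audit events. The parameter does not exist
# on 2012 R2, so only use it where it is present.
if ((Get-Command Set-AdfsProperties).Parameters.ContainsKey('AuditLevel')) {
    Set-AdfsProperties -AuditLevel Verbose
}

# 3. Sign in as the user under test, then pull the audits the answer refers to
#    (event IDs 500 and 501 in the Security log) from the last 15 minutes.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 500, 501
    StartTime = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 500/501 events found yet; sign in to the relying party and re-run step 3."
} else {
    $events | Select-Object TimeCreated, Id, Message | Format-List
}
```

If the events still do not appear after a sign-in, restart the adfssrv service so the new log level takes effect, and check that the service account actually holds the "Generate security audits" right (secpol.msc, User Rights Assignment). When finished troubleshooting, set -AuditLevel back to Basic and remove SuccessAudits from the log level to stop writing claim values into the Security log.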