Querying URL from Group

  • Question

  • Howdy,

    I'd like to retrieve the URL field value from each group the user is a member of.

    I'm able to get it correctly if I write the URL in the user account:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     => add(store = "Active Directory", types = ("http://temp/url"), query = ";url;{0}", param = c.Value);

    What about groups? What am I missing?


    Thank you in advance.
    Filippo

    Tuesday, May 28, 2019 9:32 AM

Answers

  • Assuming you have a mono domain/forest AD environment, you could have the following rules:

    1. Extract and send groups

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
    

    Of course you could replace the issue statement by add if you actually do not need the groups themselves in the token.

    2. Extract and send the url attribute for each of the previously extracted groups:

    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     && c2:[Type == "http://schemas.xmlsoap.org/claims/Group"]
     => issue(store = "Active Directory", types = ("http://temp/url"), query = "(&(objectCategory=group)(samaccountname={1}));url;{0}", param = c1.Value, param = c2.Value);
    


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, May 28, 2019 2:58 PM
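
    When troubleshooting the second rule, it helps to list the individual LDAP searches it stands for: one per pair of account claim and group claim. The following is an added example, not part of the original answer and not AD FS code. The function names and sample claims are constructed, the three-part reading of the query string (filter; attributes; account that locates the domain) is assumed from the rules above, and the RFC 4515 escaping is what you would apply when running the filters in your own LDAP tool, not a statement about AD FS internals.

```python
from itertools import product

WINACCT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
# Query string of rule 2, copied from the answer above.
RULE2_QUERY = "(&(objectCategory=group)(samaccountname={1}));url;{0}"

# Constructed sample claims (type, issuer, value); not real directory data.
SAMPLE_CLAIMS = [
    (WINACCT, "AD AUTHORITY", "EXAMPLE\\alice"),
    (GROUP, "AD AUTHORITY", "Sales"),
    (GROUP, "AD AUTHORITY", "R&D (EMEA)"),
]

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def expand_query(query, params):
    """Split 'filter;attributes;DOMAIN\\user', then fill in {0}, {1}, ..."""
    # Split before substituting so a ';' inside a value cannot shift the fields.
    ldap_filter, attributes, locator = query.rsplit(";", 2)
    return {
        "filter": ldap_filter.format(*map(escape_filter_value, params)),
        "attributes": attributes.split(","),
        "locator": locator.format(*params),  # assumed: account that locates the domain
    }

def rule2_searches(claims):
    """One search per (c1, c2) pair, mirroring rule 2's 'c1 && c2' condition."""
    accounts = [v for t, issuer, v in claims if t == WINACCT and issuer == "AD AUTHORITY"]
    groups = [v for t, _, v in claims if t == GROUP]
    return [expand_query(RULE2_QUERY, [a, g]) for a, g in product(accounts, groups)]

if __name__ == "__main__":
    for search in rule2_searches(SAMPLE_CLAIMS):
        print(search["locator"], search["attributes"], search["filter"])
```

    Each printed filter can be run against a domain controller with any LDAP search tool to compare the url values in the directory with the http://temp/url claims in the issued token.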

All replies

  • Works like a charm. Thanks for help!
    Wednesday, May 29, 2019 12:18 PM