Configuring user mapping by RRS feed

  • Question

  • Hello,

    Currently in my company we face problems when defining the claim rules of the AD FS servers, which are meant to enable us to use single sign-on for our SAP Fiori Launchpad. Therefore we need to provide the mapping to the SAP user, and we defined two claim rules.

    In most cases the Windows and SAP names are the same, so we made one rule mapping sAMAccountName to the SAP user name,

    and the second rule was about mapping wWWHomePage (we misused this field in cases where the SAP and Windows user were different) to the SAP user name.

    Each rule by itself worked, but in combination the following error occurred:

    Event ID: 186

    Ensure that the issuance transform rules that are configured for the relying party do not result in multiple claims based on SamlNameIdentifierClaimResource.

    Is there a way to combine these two rules?

    Thanks in advance, any help is really appreciated.

    Greetings Johannes

    Tuesday, October 22, 2019 3:26 PM

Answers

  • I would not pick the wWWHomePage as it is a multi-value attribute... But as long as it has only one value, the following will work.

    4 custom rules, in this specific order:

    1. Extract both samaccountname and the wwwhomepage and store them in temp variables:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("claim:/temp/samaccountname", "claim:/temp/sap"), query = ";sAMAccountName,wWWHomePage;{0}", param = c.Value);


    2. Create a temp variable if there is no wwwhomepage to be used later in another rule

    NOT EXISTS([Type == "claim:/temp/sap"])
     => add(Type = "claim:/temp/altid", Value = "FALSE");

    3. If there is a wwwhomepage, we send it as a NameID

    c:[Type == "claim:/temp/sap"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

    4. Else, if there is no wwwhomepage, we send the samaccountname

    c1:[Type == "claim:/temp/samaccountname"] && c2:[Type == "claim:/temp/altid", Value == "FALSE"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c1.Issuer, OriginalIssuer = c1.OriginalIssuer, Value = c1.Value, ValueType = c1.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

    Let us know how it goes.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Joohaannes Wednesday, October 23, 2019 1:41 PM
    Wednesday, October 23, 2019 2:32 AM
    Owner
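    The same four rules applied from the AD FS PowerShell module, as an added example that is not part of Pierre's post or of any Microsoft documentation: it backs up the trust's current issuance transform rules, replaces them with the ordered set above, counts how many rules can issue a nameidentifier claim, and then queries the AD FS Admin log for new Event ID 186 entries after a test sign-in. The trust name and backup path are placeholders.

```powershell
# Added example (not from the thread): apply the four rules from the answer with the
# AD FS PowerShell module, keep a backup of the previous rule set, and check the
# AD FS Admin log for new Event ID 186 entries. Trust name and backup path are placeholders.
Import-Module ADFS

$rpName = 'SAP Fiori Launchpad'        # placeholder: display name of your relying party trust
$backup = 'C:\Temp\fiori-rules.bak'    # placeholder: where the previous rule set is saved

$rules = @'
@RuleName = "1. Fetch sAMAccountName and wWWHomePage into temp claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("claim:/temp/samaccountname", "claim:/temp/sap"), query = ";sAMAccountName,wWWHomePage;{0}", param = c.Value);

@RuleName = "2. Mark accounts that have no wWWHomePage"
NOT EXISTS([Type == "claim:/temp/sap"])
 => add(Type = "claim:/temp/altid", Value = "FALSE");

@RuleName = "3. NameID from wWWHomePage when it exists"
c:[Type == "claim:/temp/sap"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

@RuleName = "4. Otherwise NameID from sAMAccountName"
c1:[Type == "claim:/temp/samaccountname"] && c2:[Type == "claim:/temp/altid", Value == "FALSE"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c1.Issuer, OriginalIssuer = c1.OriginalIssuer, Value = c1.Value, ValueType = c1.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Save the current issuance transform rules so the change can be reverted
$trust = Get-AdfsRelyingPartyTrust -Name $rpName
$trust.IssuanceTransformRules | Set-Content -Path $backup

# Replace the whole rule set; the order is what keeps NameID issuance to one rule per user
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Sanity check: two rules issue a nameidentifier, made mutually exclusive by claim:/temp/altid
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$issuers = ([regex]::Matches($applied, 'issue\(Type = "[^"]*nameidentifier"')).Count
"Rules issuing a nameidentifier claim: $issuers (expected 2)"

# After a test sign-in, look for fresh Event ID 186 (multiple NameID claims) in the AD FS Admin log
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 186; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

    If any Event ID 186 still appears after the change, the usual cause is a wWWHomePage that carries more than one value for that account, which makes rule 3 issue more than one NameID.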

All replies

  • Hello Pierre,

    thanks for your fast reply, it worked like a charm without any further adaptations on our side.

    We really appreciate your help and provided solution.

    Greetings Johannes

    Wednesday, October 23, 2019 1:53 PM