ADFS Claim to Flatten Groups and Return full DN

    Question

  • Is there a way to create a claim that will return the DN of all groups and super-groups a user is a MemberOf?

    Currently running Windows 2012 R2 ADFS.

    Example:

    I have a structure of groups like the following.

    GrandparentGroup
    ParentGroupA (memberOf=GrandparentGroup)
    ParentGroupB (memberOf=GrandparentGroup)
    GroupA (memberOf=ParentGroupA)
    GroupB (memberOf=ParentGroupA)
    GroupC (memberOf=ParentGroupB)
    GroupD (memberOf=ParentGroupB)
    UserA (memberOf=GroupA)
    UserB (memberOf=GroupA, memberOf=GroupB)

    I want to return the full-DNs of GroupA, ParentGroupA, and GrandparentGroup when UserA logs in.

    If building a claim is not possible, are there other ways to handle this scenario with ADFS?


    • Edited by tstaffo Friday, March 20, 2015 5:18 PM Added more details.
    Friday, March 20, 2015 3:28 PM

Answers

  • It is possible. There is an LDAP filter for this, hence there is a claim rule :)

    The LDAP filter to list all groups (including nested groups) of a user is:

    (member:1.2.840.113556.1.4.1941:=<DN of the user>)

    So for example: (member:1.2.840.113556.1.4.1941:=CN=Alice,OU=Accounts,DC=contoso,DC=com)

    Now how does it translate into a claim rule and ultimately a claim... First of all, I create 2 claim definitions. One called UserDN with the id http://contoso.com/myclaims/UserDN and MemberOfDN with the id http://contoso.com/myclaims/MemberOfDN. You guessed that the first one will receive the DN of the user and the second all the DNs of all members the user is a member of.

    Edit the claims rules of your relying party and add the following two custom rules (in this order).
    First rule:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://contoso.com/myclaims/UserDN"), query = ";distinguishedName;{0}", param = c.Value);

    This will add the DN into the pipe. You can replace the add statement with issue and it will also add the DN to the token, but it is not your request :)

    Second rule:

    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    &&
    c2:[Type == "http://contoso.com/myclaims/UserDN"]
     => issue(store = "Active Directory", types = ("http://contoso.com/myclaims/MemberOfDN"), query = "(member:1.2.840.113556.1.4.1941:={1});distinguishedName;{0}", param = c1.Value, param = c2.Value);

    This one does the LDAP request mentioned earlier and sends the result into the MemberOfDN claim.

    Tell us if it works for you!


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by tstaffo Tuesday, March 24, 2015 7:35 PM
    Saturday, March 21, 2015 1:53 AM
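    An offline model of what the second rule's LDAP_MATCHING_RULE_IN_CHAIN query returns, added here as an example and not code from the thread or from ADFS. The directory is constructed from the group tree in the question; the RFC 4515 escaping helper shows how a DN must be encoded before it is placed inside a filter string.

```python
"""Model of the nested-group lookup performed by the second claim rule.

Constructed sample data mirroring the question's group tree; not a live AD query.
"""
from collections import deque

BASE = "OU=Groups,DC=contoso,DC=com"
# Constructed directory: object DN -> list of DNs it is a direct memberOf.
DIRECTORY = {
    "CN=GrandparentGroup," + BASE: [],
    "CN=ParentGroupA," + BASE: ["CN=GrandparentGroup," + BASE],
    "CN=ParentGroupB," + BASE: ["CN=GrandparentGroup," + BASE],
    "CN=GroupA," + BASE: ["CN=ParentGroupA," + BASE],
    "CN=GroupB," + BASE: ["CN=ParentGroupA," + BASE],
    "CN=GroupC," + BASE: ["CN=ParentGroupB," + BASE],
    "CN=GroupD," + BASE: ["CN=ParentGroupB," + BASE],
    "CN=UserA,OU=Accounts,DC=contoso,DC=com": ["CN=GroupA," + BASE],
    "CN=UserB,OU=Accounts,DC=contoso,DC=com": ["CN=GroupA," + BASE, "CN=GroupB," + BASE],
}


def escape_filter_value(value: str) -> str:
    """Escape characters that are special inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def in_chain_filter(user_dn: str) -> str:
    """Build the filter the second rule uses: LDAP_MATCHING_RULE_IN_CHAIN on 'member'."""
    return "(member:1.2.840.113556.1.4.1941:=%s)" % escape_filter_value(user_dn)


def nested_group_dns(user_dn: str, directory=DIRECTORY) -> list:
    """Transitive closure over memberOf: the distinguishedName values the filter matches.

    Breadth-first walk with a visited set, so circular group nesting cannot loop forever.
    """
    seen, queue = set(), deque(directory.get(user_dn, []))
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        queue.extend(directory.get(dn, []))
    return sorted(seen)


if __name__ == "__main__":
    user = "CN=UserA,OU=Accounts,DC=contoso,DC=com"
    print(in_chain_filter(user))
    for group in nested_group_dns(user):
        print(group)
```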

All replies

  • I followed the instructions above and it worked perfectly. Thanks so much for the help.
    Tuesday, March 24, 2015 7:34 PM
  • Is it possible to define a base DN? Basically can I have it only return groups and supergroups starting from a particular point in the AD/LDAP tree?
    Thursday, August 20, 2015 3:18 PM