Claim rule in ADFS -- We have some claim rules. Below are the issues we faced while writing them

  • Question

  • Background: We have onboarded an application in ADFS SSO. We have some claim rules. Below are the issues we faced while writing them.

    Issue1:

    1) We created a claim (SiteAdmin Final) to pass “True” in an attribute called SiteAdmin if the user is a member of group1. We still need to find a way to pass “False” if the user is not a member of this group.

    We could not see a way to put an if-then condition in the claim. So we created another claim (Not SiteAdmin) to pass the “False” value. Unfortunately, this didn’t work. Could anyone please advise on this?

    c:[Type != "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1685022438-1589898947-2178108365-191542", Issuer == "AD AUTHORITY"]
    => issue(Type = "SiteAdmin", Value = "False", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType != c.ValueType);

    Unable to execute the false condition.

    Issue2:

    2) We need to adjust the issuance authorization rules to only allow members of group1 and group2 to access this application. How can we add this claim?

    • Edited by Ajay201990 Friday, April 19, 2019 11:00 AM
    Friday, April 19, 2019 10:39 AM

All replies

  • Let's say your AD group which gives you the claim SiteAdmin set to True is: S-1-5-21-1685022438-1589898947-2178108365-191542

    You would have rule number 1:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1685022438-1589898947-2178108365-191542", Issuer == "AD AUTHORITY"]
     => issue(Type = "SiteAdmin", Value = "True", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

    Then rule 2:

    NOT EXISTS([Type == "SiteAdmin"])
     => issue(Type = "SiteAdmin", Value = "False");

    For the second question, it depends on your version of ADFS. Are you using ADFS 2012 R2 or 2016 (or 2019?)?

    Saturday, April 20, 2019 6:59 PM
  • Hi

    I am using ADFS 2012 Standard.

    • Edited by Ajay201990 Monday, April 22, 2019 10:42 AM
    Monday, April 22, 2019 10:42 AM
  • With ADFS 2.1 (Windows Server 2012), simply put these rules on the Authorization Rules tab, create another rule that permits access only if SiteAdmin is True (if that is the goal), and remove the default "Permit Everyone" rule.

    Thursday, May 16, 2019 7:01 PM
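To make Issue 2 and the last reply concrete, here is an added PowerShell example (not from the thread or from Microsoft) that sets both the issuance transform rules and the issuance authorization rules on a relying party trust. It assumes the AD FS cmdlets are loaded, a trust named "ContosoApp" (placeholder), and a placeholder SID for group2; the group1 SID is the one quoted in the thread.

```powershell
# Added example, not from the thread. Assumes the AD FS PowerShell cmdlets are loaded
# and a relying party trust named "ContosoApp" (placeholder name).
$rpName   = "ContosoApp"
$groupSid = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$permit   = "http://schemas.microsoft.com/authorization/claims/permit"
$group1   = "S-1-5-21-1685022438-1589898947-2178108365-191542"   # group1 SID from the thread
$group2   = "S-1-5-21-REPLACE-WITH-GROUP2-SID"                    # placeholder, substitute the real SID

# Issuance transform rules: SiteAdmin = True for group1 members, False for everyone else.
# issue() adds the claim to the input set as well, so the NOT EXISTS rule sees rule 1's output.
# A NOT EXISTS condition binds no claim variable, so the False rule must not reference c.*.
$transformRules = @"
@RuleName = "SiteAdmin True"
c:[Type == "$groupSid", Value == "$group1", Issuer == "AD AUTHORITY"]
 => issue(Type = "SiteAdmin", Value = "True", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "SiteAdmin False"
NOT EXISTS([Type == "SiteAdmin"])
 => issue(Type = "SiteAdmin", Value = "False");
"@

# Issuance authorization rules: one permit rule per allowed group. No "Permit Everyone"
# rule is included, so a user who matches neither group gets no permit claim and is denied.
$authzRules = @"
@RuleName = "Permit group1"
c:[Type == "$groupSid", Value == "$group1", Issuer == "AD AUTHORITY"]
 => issue(Type = "$permit", Value = "true");

@RuleName = "Permit group2"
c:[Type == "$groupSid", Value == "$group2", Issuer == "AD AUTHORITY"]
 => issue(Type = "$permit", Value = "true");
"@

# Replace both rule sets on the trust in one call.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read back what AD FS stored, to confirm the default Permit Everyone rule is gone.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceAuthorizationRules
```

Because authorization rules run before issuance transform rules, a permit rule keyed on SiteAdmin (rather than on the group SID) would need the SiteAdmin rules copied into the authorization rule set as well, which is what the last reply describes.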