AD FS 2.0: Selectively send group membership(s) as a claim

You can send group membership as claims by using the built-in templates:

  • Create a new rule, choose “Send LDAP Attributes as Claims”
  • Choose Active Directory as the Attribute Store, and choose the LDAP Attribute “Token-Groups – Unqualified Names” and the claim type as “Group”
  • This will send *ALL* group membership information as claims. 

If you do not want to send all of them, you can send a subset of them by creating two separate custom rules.

First Rule:

The first rule gathers all group membership, and adds them to the incoming claim set. This allows the next rule to parse through them, and only pull ones that you want. The order is important, so make sure the first rule is executed before the second one.

Syntax:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value);

The issuer string must be exactly "AD AUTHORITY"; with a misspelled issuer the condition never matches, no group claims are added, and the second rule has nothing to filter. Because the query asks for memberOf, each added Group claim carries the group's distinguished name (CN=...,OU=...,DC=...), not its display name.

Second Rule:

The second rule parses through all the group claims and issues (sends) only the ones that match the values you want: for example, ones whose name starts with "ADFS". Note that `=~` is a regular-expression match against the whole claim value, and the pattern below is not anchored, so it selects any distinguished name that contains "adfs" (case-insensitively) anywhere; tighten the pattern if that is broader than intended.

Syntax:

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)adfs"]
 => issue(claim = c);

Additional Option for the Second Rule:

With the example below, you can use an additional group attribute (info=Role, in this case) to select which of the user's groups become role claims. The 'info' attribute is displayed in the AD console as 'Notes', so the administrator can put the word 'Role' into the Notes field of a group and it will automatically become a role claim for any user who is a direct member of that group. Indirect membership in the group (via group nesting) will not work with this example (which I happen to like for role claims). This example still requires the first rule, as described above.

c1:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "(&(distinguishedName={0})(info=Role));name;{1}", param = c1.Value, param = c2.Value);
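
To see what the two-stage pipeline actually emits, here is an added Python model (not AD FS code and not from the original article) that applies the first rule, the regex filter of the second rule and the info=Role variant to a constructed user and four constructed groups. It shows that, because memberOf returns distinguished names, the unanchored pattern `(?i)adfs` also selects a group that merely contains "ADFS" in its name, while an anchored pattern such as `^CN=adfs-` does not, and that a misspelled issuer in the first rule adds no group claims at all.

```python
import re

# Claim types used by the rules in the article.
WAN = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed stand-in for the directory: group DN -> attributes, user -> direct memberOf DNs.
GROUPS = {
    "CN=ADFS-Admins,OU=Groups,DC=corp,DC=example": {"name": "ADFS-Admins", "info": "Role"},
    "CN=Legacy-ADFS-Test,OU=Groups,DC=corp,DC=example": {"name": "Legacy-ADFS-Test", "info": ""},
    "CN=Finance,OU=Groups,DC=corp,DC=example": {"name": "Finance", "info": "Role"},
    "CN=Everyone,OU=Groups,DC=corp,DC=example": {"name": "Everyone", "info": ""},
}
MEMBER_OF = {"CORP\\alice": list(GROUPS)}  # alice is a direct member of all four

def rule_one(claims):
    """First rule: add() one Group claim per direct memberOf DN; nothing is issued yet."""
    added = [{"type": GROUP, "value": dn, "issuer": "AD AUTHORITY"}
             for c in claims if c["type"] == WAN and c["issuer"] == "AD AUTHORITY"
             for dn in MEMBER_OF.get(c["value"], [])]
    return claims + added

def rule_two(claims, pattern):
    """Second rule: issue() only the Group claims whose value matches the regex."""
    rx = re.compile(pattern)
    return [c for c in claims if c["type"] == GROUP and rx.search(c["value"])]

def role_option(claims):
    """Role variant: a Role claim carrying the group name for each direct group tagged info=Role."""
    return [{"type": ROLE, "value": GROUPS[c["value"]]["name"], "issuer": "AD AUTHORITY"}
            for c in claims if c["type"] == GROUP and GROUPS[c["value"]]["info"] == "Role"]

def incoming():
    return [{"type": WAN, "value": "CORP\\alice", "issuer": "AD AUTHORITY"}]

def issued_groups(pattern):
    return sorted(c["value"] for c in rule_two(rule_one(incoming()), pattern))

def issued_roles():
    return sorted(c["value"] for c in role_option(rule_one(incoming())))

if __name__ == "__main__":
    print(issued_groups(r"(?i)adfs"))       # substring match: Legacy-ADFS-Test is selected too
    print(issued_groups(r"(?i)^CN=adfs-"))  # anchored: only groups whose name starts with ADFS-
    print(issued_roles())                   # ['ADFS-Admins', 'Finance']
```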
Comments
  • Can you explain the query syntax Joji? I've read a few articles and examples which say the format should be QUERY = "<query filter>;<attributes>" but the example above (rule one) seems to have a blank filter, then 'memberof' as an attribute to return, THEN the claim value substituted as a value.

    Thanks,

    Ed.

  • egrigson:  From technet.microsoft.com/.../adfs2-help-attribute-stores(v=ws.10).aspx :

    Note

    For the Active Directory attribute store, if you do not specify the QUERY_FILTER, the default filter of samAccountName={0} is used. In this case, you must provide at least one parameter to the query (using the PARAM keyword) to substitute for the samAccountName value.

  • How can I filter the groups by domain?  I've got child subdomains that I don't control.  This ruleset would allow them to create groups in their domains that would then be passed through ADFS to the SP, allowing them to impersonate group membership.  I know that I can statically define groups though SIDs, but I was hoping to restrict the logic you posted about to a particular domain.

  • Excellent example, Joji!  I was thinking about doing this with a custom attribute store, because I didn't think that CTL would be sufficient for this.  Thanks!