SJT

Reputation: 21

Custom ADFS claim rules

I am implementing SAML with a web based application and ADFS. The authentication side of thing is working but we now need to pass extra information. The application requires the SAML response in the following format:

<saml:AttributeStatement>
 <saml:Attribute Name="mailNickname">
 <saml:AttributeValue xsi:type="xs:string">joe.smith182</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="memberOf">
 <saml:AttributeValue>CN=SCHOOL.STUDENT.YR9,OU=Groups,OU=Portal,OU=Services,DC=ABC,DC=WIN</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="sn">
 <saml:AttributeValue xsi:type="xs:string">Smith</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="givenName">
 <saml:AttributeValue xsi:type="xs:string">Joe</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="mail">
 <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="borrowerType">
 <saml:AttributeValue xsi:type="xs:string">Student</saml:AttributeValue>
 </saml:Attribute>
</saml:AttributeStatement>

What claim rules will we need to setup in ADFS to get this information passed in this format? In particular how can we get the memberOf attribute? I'm not that familiar with claim rule formatting in ADFS so any advice would be appreciated.

Upvotes: 2

Views: 2483

Answers (1)

Stefan Rasmusson

Reputation: 5595

If you're adding a rule using the claim guide it's quite simple. I don't remember how the interface looks, but when you add a claim, choose the claim rule template: Send LDAP Attributes as Claims.

Then type a name and choose memberships (or something like it) in the LDAP attribute dropdown and type memberOf in the outgoing claim type.

Then save the rule and you should be good to go.

If you want to have a custom attribute name add these two rules

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("memberOf"), query = ";memberOf;{0}", param = c.Value);


c:[Type == "memberOf"]
 => issue(Type = "YOUR_CUSTOM_NAME", Value = c.Value);

Upvotes: 1
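As an added example (not from the question or the answer above), here is the same idea carried through to the full attribute set the application expects, applied with the ADFS PowerShell module instead of the wizard. It assumes the relying party trust already exists; the display name `YOUR-RELYING-PARTY-NAME` is a placeholder, and the group and OU names are taken from the sample response in the question. The memberOf rule is deliberately restricted to group DNs under the Portal OU so the application only ever sees the groups it needs rather than the user's complete group list, and `borrowerType` (which is not an AD attribute) is derived from membership of the SCHOOL.STUDENT group.

```powershell
# Added example, not the project's own configuration. Requires the ADFS
# module (Import-Module ADFS) on an ADFS server with the RP trust in place.
$rpName = 'YOUR-RELYING-PARTY-NAME'   # placeholder: display name of the RP trust

# Rules are evaluated top to bottom; claims created with add() are visible
# to later rules but are not sent to the application by themselves.
$rules = @'
@RuleName = "Look up memberOf for the authenticated account"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("memberOf"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "LDAP attributes under the short names the application expects"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("mailNickname", "sn", "givenName", "mail"), query = ";mailNickname,sn,givenName,mail;{0}", param = c.Value);

@RuleName = "Release only group DNs under the Portal OU as memberOf"
c:[Type == "memberOf", Value =~ "(?i)OU=Portal,OU=Services,DC=ABC,DC=WIN$"]
 => issue(Type = "memberOf", Value = c.Value);

@RuleName = "Derive borrowerType from membership of a SCHOOL.STUDENT group"
c:[Type == "memberOf", Value =~ "(?i)^CN=SCHOOL[.]STUDENT[.]"]
 => issue(Type = "borrowerType", Value = "Student");
'@

# -IssuanceTransformRules replaces the whole rule set for this RP trust,
# so keep any existing rules (e.g. NameID) in the string above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read the rules back to confirm what will be evaluated at sign-in.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The regexes use .NET syntax, so `(?i)` gives a case-insensitive match on the DN; `[.]` is used rather than an escaped dot to avoid any question of backslash handling inside claim rule string literals. After applying the rules, sign in with a test account and inspect the decoded SAML assertion to check that every attribute name in the `AttributeStatement` matches the application's expected names exactly, as attribute names are case-sensitive on the application side.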
