Reputation: 3
We have a claim rule in our ADFS in order to send a user's email address as NameID:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
but we need to be able to examine the email address we read from AD prior to sending this information and if the SMTP domain is an external SMTP domain, such as @Microsoft.com, we need to change the value we send to be the UPN of the user, rather than the email of this user.
Is this even possible?
Upvotes: 0
Views: 2759
Reputation: 781
Not the full answer, but the methodology would be as follows:
This assumes that you have both claim types in the input working set. This is why you need the '&&' directive. If not, the simpler approach is to read directly off Active Directory for the issue. You won't need the '&&' in this case.
https://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx is a great article for doing more complex transformations using the claims rule language.
Thanks // Sam (@MrADFS)
Upvotes: 0
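Worked example of the rule set described above, added here as illustration; it is not code from the question, the answer, or Microsoft. It assumes the internal SMTP domains are contoso.com and contoso.local and the relying party trust is named "Example RP" (both placeholders, change them), that the `mail` and `userPrincipalName` attributes are readable through the "Active Directory" attribute store, and that the relying party is happy to receive a UPN in the emailAddress NameID format (a UPN is syntactically an email address; switch the format URI if your RP demands otherwise). Rule 1 does the direct read off AD the answer mentions, rule 2 is the original rule restricted to internal domains, and rule 3 is the '&&' form: it fires only when a UPN exists and no internal-domain email address exists, so it also covers users with no `mail` attribute at all.

```powershell
# Added example (not from the original post). Builds one issuance transform rule set
# and applies it with the AD FS PowerShell module. Placeholders: InternalDomains, RelyingParty.
$InternalDomains = 'contoso[.]com|contoso[.]local'   # assumed internal SMTP domains, regex alternation
$RelyingParty    = 'Example RP'                       # assumed display name of the relying party trust

$Email  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$Upn    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$NameId = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$Format = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$Fmt    = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

# Anchored, case-insensitive test for "local part @ one of our domains".
# The trailing $ matters: without it alice@contoso.com.example would count as internal.
$InternalPattern = "(?i)^[^@]+@($InternalDomains)$"

$Rules = @"
@RuleName = "1. Read mail and UPN from AD into the input working set (add, not issue)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$Email", "$Upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "2. Internal SMTP domain: NameID = email address"
c:[Type == "$Email", Value =~ "$InternalPattern"]
 => issue(Type = "$NameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$Format"] = "$Fmt");

@RuleName = "3. External or missing SMTP domain: NameID = UPN"
c:[Type == "$Upn"]
 && NOT EXISTS([Type == "$Email", Value =~ "$InternalPattern"])
 => issue(Type = "$NameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$Format"] = "$Fmt");
"@

# Offline sanity check of the domain test, using the same .NET regex engine AD FS uses,
# on constructed sample addresses. Shows which branch each would take.
foreach ($addr in 'alice@contoso.com', 'bob@CONTOSO.LOCAL', 'carol@microsoft.com', 'dave@contoso.com.example') {
    $branch = if ($addr -match $InternalPattern) { 'internal -> NameID = email' } else { 'external -> NameID = UPN' }
    '{0,-28} {1}' -f $addr, $branch
}

# Keep a copy of the current rules before replacing them, then apply the new rule set.
$Backup = (Get-AdfsRelyingPartyTrust -Name $RelyingParty).IssuanceTransformRules
Set-Content -Path ".\$($RelyingParty -replace '[^\w]', '_')-rules.bak" -Value $Backup
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceTransformRules $Rules
```

Two points worth checking after applying it. Rules in one rule set run in order and claims produced by `add` land only in the input set, so rule 1 must precede rules 2 and 3; if the email and UPN claims already arrive in the working set from an earlier rule set or a pass-through rule, drop rule 1 and keep the `&&` form, as the answer says. And if a user has neither an internal-domain `mail` nor a `userPrincipalName`, no NameID is issued at all, which is the correct failure mode: the relying party should reject the assertion rather than receive an empty or guessed identifier.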