ADFS Custom rule: Send Value based on OU membership

Ron 26 Reputation points
2020-03-20T07:36:51.45+00:00

We are a community college and I want to make a custom rule in ADFS based on OU membership.
This rule must send out value 'Employee' or 'Student' based on the OU the account is located in.

I can't use AD groups because there isn't any group containing all the accounts.
(Like Active, Future, Alumni etc.; they are all separated, not my choice by the way.)

According to this thread: https://social.technet.microsoft.com/Forums/en-US/762a4ab1-1649-442c-91a4-654ee7b3664f/limiting-adfs-20-to-an-org-unit?forum=winserverDS

I tried:

eduPersonAffiliation Student

c:[Type == "http://temp.org/adobjectdn",Value =~ "^.*(OU=Students,OU=OurDomain Users,DC=OurDomain,DC=local)$"] => issue(Type = "eduPersonAffiliation", Value = "Student", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

eduPersonAffiliation Employee

c:[Type == "http://temp.org/adobjectdn",Value =~ "^.*(OU=Employees,OU=OurDomain Users,DC=OurDomain,DC=local)$"] => issue(Type = "eduPersonAffiliation", Value = "Employee", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

Do I have to change that temp.org? Or must I define adobjectdn?
I checked the regex expression and that works.

I hope anyone can help me, thanks in advance!


Accepted answer
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-03-20T14:19:16.65+00:00

    Let's have the full solution on this new platform to avoid the back and forth to the original post on the old platform :)

    First you need a rule that extracts the distinguishedName attribute of the user:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("claim:/temp/dn"), query = ";distinguishedName;{0}", param = c.Value);

    A couple of things about this rule. It needs to be placed first to ensure that the subsequent rules have the output of this rule to work with. Then, it is an "add" statement, not an "issue" statement. It means that the output of the rule will not be in the final token. When we use "add" we just make the output of the rule available for other rules. Then the claim type "claim:/temp/dn" is just a temporary variable. It can have any name really. It is a good practice that claim types have a URI format, but because we don't issue this temporary claim, we don't really care. Also, you do not need to add this claim type in the claim definition of your ADFS console.

    Then you check if the user is in the Student OU. The easiest way to do it is with the following rule:

    c:[Type == "claim:/temp/dn", Value =~ "(OU=Students)"]
     => issue(Type = "eduPersonAffiliation", Value = "Student");

    We simply check if the temporary variable which holds the distinguishedName of the user has the string "OU=Students" in it. You don't have to add the entire path of the OU. And the check is case sensitive, so make sure it has the right spelling. This time it is an issue statement because we want the claim type "eduPersonAffiliation" to be in the final token. Note that you do not need "Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType" as this information will actually not be issued in the token anyway. Also, the claim type "eduPersonAffiliation" doesn't have a URI format, which seems to be fine for your relying party as it uses SAML2. If the relying party was using WS-Federation the token issuance would fail. And at the end of the day, it is the application owner that decides what claim type they need. So not really your call...

    And the final rule:

    c:[Type == "claim:/temp/dn", Value =~ "(OU=Employees)"]
     => issue(Type = "eduPersonAffiliation", Value = "Employee");

    So you add those three rules as custom claim rules in this order and you will be fine.
    Let us know how that goes.

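The three rules from the accepted answer, applied to a relying party trust with the ADFS PowerShell cmdlets, as an added example that is not code from the thread. The relying party display name is a placeholder, the OU path suffix is the one from the question, and the two issue rules are anchored to the full DN (as the question's original regex was) so that an account in an OU that merely contains the substring, such as OU=StudentsArchive or a nested OU=Students under OU=Alumni, is not given the affiliation.

```powershell
# Added example (not from the thread): prepend the three custom claim rules to a
# relying party trust so the "add" rule runs before the two "issue" rules.
# Run in an elevated PowerShell session on the ADFS server.
$RpName   = 'Example SAML Relying Party'                 # placeholder display name
$DnSuffix = 'OU=OurDomain Users,DC=OurDomain,DC=local'  # from the question; adjust to your directory

# Anchoring: "^CN=[^,]+,OU=Students,<suffix>$" matches only accounts directly in
# that OU. The =~ operator is case-sensitive, so the OU names must be spelled
# exactly as in AD. The suffix is inserted verbatim; escape it by hand if your
# DN contains regex metacharacters (the one above has none, spaces are fine).
$Template = @'
@RuleName = "Temp: user distinguishedName (not issued)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("claim:/temp/dn"), query = ";distinguishedName;{0}", param = c.Value);

@RuleName = "eduPersonAffiliation: Student"
c:[Type == "claim:/temp/dn", Value =~ "^CN=[^,]+,OU=Students,__SUFFIX__$"]
 => issue(Type = "eduPersonAffiliation", Value = "Student");

@RuleName = "eduPersonAffiliation: Employee"
c:[Type == "claim:/temp/dn", Value =~ "^CN=[^,]+,OU=Employees,__SUFFIX__$"]
 => issue(Type = "eduPersonAffiliation", Value = "Employee");
'@
$NewRules = $Template.Replace('__SUFFIX__', $DnSuffix)

$Rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $Rp) { throw "Relying party trust '$RpName' not found." }

# -IssuanceTransformRules replaces the whole rule set, so keep the existing
# rules and put the new ones in front of them (the add rule must come first).
$Combined = $NewRules + "`r`n" + $Rp.IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $Combined

# Show the resulting ordered rule set for review.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```

Sign in to the relying party with one account from each OU and check the issued eduPersonAffiliation value in the SAML response (or in the ADFS admin event log) before rolling it out.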

1 additional answer

  1. Vasil Michev 95,181 Reputation points MVP
    2020-03-20T08:45:21.49+00:00

    You must define the entire value there, in other words add a claims rule that sets the "http://temp.org/adobjectdn" (what you name it doesn't really matter btw) value of the DN attribute.