How to get all users of ADFS with all attributes (eg. name, email, phone etc.)

Casepoint Developer 66 Reputation points
2021-09-25T05:08:05.547+00:00

Hi, I created a custom claim for that, so please check the claim below, which was created by me:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/password"), query = "(&(objectClass=user)(objectCategory=person));mail,givenName,sn;{0}", param = c.Value);

Using that claim I can log in successfully. You can check the screenshot (SS) at the link below:
https://drive.google.com/file/d/1lV2zb6uV8PWzqk4qsgwVb6iFu-15O4bN/view?usp=sharing

But there is a problem: I get 500 emails in total but only 200 names, so I cannot map them, so I want this data in any one particular claim/rule.

I already created the claim below, but it is not working:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
&& c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/surname"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/name"]
=> issue(Type = "http://Mydomainname.com/members", Value = c1.Value + " " + c2.Value);

So I want something like the above in one type of link, and to get all the details of all users.

Please click on the link below to check how my code for getting the outgoing claims looks:
https://drive.google.com/file/d/1Mwo7-ai0v1503dIr_37SkFhXZJYF-a4F/view?usp=sharing

Please guide me on what I can do for that. My main concern is that I want all users of ADFS using ADFS authentication. I have already done the authentication, but I cannot get all users' details in a single claim/rule.

Thanks & regards
Bhavdip Talaviya


7 answers

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-10-13T01:49:28.217+00:00

    You can use the following rules.

    1. Extract the email and the given name and add them to the pipeline:

       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
       => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";mail,givenName;{0}", param = c.Value);

    2. Then you can concatenate the two into a new claim (here claim:/custom/emailname as an example, but you can use whatever):

       c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
       && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
       => issue(Type = "claim:/custom/emailname", Value = "email=" + c1.Value + ", Givenname=" + c2.Value);

  2. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-10-01T20:39:37.503+00:00

    I am not sure I understand the request.

    You can create a rule to extract all the attributes you want. You need to know what attributes you want first and then you can send them as claims in the token.

    Please note: share images directly in the post (you can just copy/paste them) instead of as links, as done here.


  3. Casepoint Developer 66 Reputation points
    2021-10-07T05:31:00.873+00:00

    Hi @Pierre Audonnet - MSFT, can you please check below:

    Hi, I got the given name & email from the custom claim rule below:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = "(&(objectClass=user)(objectCategory=person));mail,givenName;{0}", param = c.Value);

    But in this case, I got all emails in this claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress), like below:

    [screenshot: 138355-image.png]

    But I want both values in a single outgoing claim, like email=anon@USER, Givenname=abc

    Can you please help me to get the user's details like above?

    Please help me.

    Thanks & regards.
    Bhavdip Talaviya


  4. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-11-21T22:04:43.373+00:00

    "hi @Pierre Audonnet - MSFT I am not asking for the access token"

    But it is about the access token. The only point of the issuance rules is to "issue" claims that go into the access token.
    The queries you are doing are returning things for all users. Why would an access token have the list of all users and all email addresses?

    "@Pierre Audonnet - MSFT when I am using the below query in custom claim it will return all users so basically I need all users so I use the below query: (&(objectClass=user)(objectCategory=person))"

    You should not query info about accounts other than the one you are authenticating, unless that information is then used for authorization by the relying party trust. But why would an application want all users' info to authorize 1 user? There is very likely a misconception somewhere.

    In the first rule I suggested:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";mail,givenName;{0}", param = c.Value);

    There is no LDAP filter. So we just get the attributes mail and givenName from the user, a bit like if you were doing a "base" LDAP search on the current user. So we can concatenate them like I suggested without worrying about multi-values.

    For the sake of the thought exercise: if you retrieve a multi-valued attribute from the AD attribute store, you won't be able to map it 1:1 with another attribute. You are essentially creating two distinct arrays. If "array1" = value1, value2 and "array2" = valueA, valueB, doing the concatenation of "array1" and "array2" into a new claim called "stringConcat" will effectively create a multi-valued claim with all possibilities.

    "stringConcat" = value1valueA, value2valueA, value1valueB, value2valueB

    In certain cases we can use "dynamic" claim types and make it work. But the AD attribute store doesn't support those. With this one, you can only add/issue claims by specifying their claim type with a string (no dynamic values).

    So, let's step back and restate... What do you need? and why (what does the application need to do with the data)?
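The cross-product behaviour described in this answer (and the reason the two-rule approach from the first answer only works on the authenticating user's own single-valued attributes), shown as an added simulation of the ADFS claims pipeline in Python. This is illustrative code written for this page, not ADFS code or anything from the thread; the claim values are constructed sample data.

```python
# Added example: a small model of how ADFS evaluates a concatenation rule
# over claims in the pipeline, reproducing the "stringConcat" cross product
# described above. Constructed sample data, not from the thread.
from itertools import product

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"


def add_claims(pipeline, claim_type, values):
    """Model of add(store = ..., types = (...)): every value the attribute
    store returns becomes its own claim of that type in the pipeline."""
    for v in values:
        pipeline.append((claim_type, v))
    return pipeline


def concat_rule(pipeline, type1, type2, out_type, fmt):
    """Model of  c1:[Type == type1] && c2:[Type == type2] => issue(...).
    The rule fires once for every combination of a matching c1 and a
    matching c2, so multi-valued inputs yield a cross product, not a 1:1 map."""
    c1 = [v for t, v in pipeline if t == type1]
    c2 = [v for t, v in pipeline if t == type2]
    return [(out_type, fmt.format(v1, v2)) for v1, v2 in product(c1, c2)]


def issue_emailname(pipeline):
    """The second rule from the first answer: email + given name in one claim."""
    return concat_rule(pipeline, EMAIL, GIVENNAME, "claim:/custom/emailname",
                       "email={}, Givenname={}")


# Case 1: query ";mail,givenName;{0}" (no LDAP filter) behaves like a base
# search on the authenticating user: one value per attribute -> one claim.
single_user = add_claims([], EMAIL, ["alice@example.test"])
add_claims(single_user, GIVENNAME, ["Alice"])

# Case 2: a filter matching every person returns one value per user for each
# attribute as two independent arrays -> len(emails) * len(names) claims.
all_users = add_claims([], EMAIL, ["alice@example.test", "bob@example.test"])
add_claims(all_users, GIVENNAME, ["Alice", "Bob"])

if __name__ == "__main__":
    for label, p in (("base search", single_user), ("all users", all_users)):
        issued = issue_emailname(p)
        print(f"{label}: {len(issued)} claim(s) issued")
        for _, value in issued:
            print("   ", value)
```

With the thread's own numbers (500 emails, 200 names) the same expansion would issue 100,000 combined claims, none of which pairs an email with the right name.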


  5. Casepoint Developer 66 Reputation points
    2021-11-22T05:24:13.82+00:00

    Hi @Pierre Audonnet - MSFT, where is the access token in the response below:

    [screenshot: 151331-whereisaccesstoken.png]

    Suppose I got an access token; then, after getting the access token, how do I get all users' details using that access token?
