How to send comma separated AD attribute value as separate ADFS role claims?

joym8 86 Reputation points
2020-02-25T00:20:05.213+00:00

Our business roles from ERP are populated into extensionAttribute5 AD attribute. The value of this attribute may look like:

  • SAXTechs
  • PrimaTechs
  • SAXTechs,PrimaTechs

How can we send these values as separate role claims using ADFS 4 custom claim rule language?

Active Directory Federation Services

Accepted answer
    Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-02-25T17:40:54.72+00:00

    First we need to extract the extensionAttribute5 from AD and put it in the claim pipeline. So the first rule will be:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("temp://claim/businessroles"), query = ";extensionAttribute5;{0}", param = c.Value);


    Then, let say the names of the different business units are: Business1, Business2 ... Business8. You would have 8 rules, it would look like the following:

    c:[Type == "temp://claim/businessroles", Value =~ "Business1"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Business1");

    c:[Type == "temp://claim/businessroles", Value =~ "Business2"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Business2");

    ...

    c:[Type == "temp://claim/businessroles", Value =~ "Business8"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Business8");


    The two caveats with this method are:

    1. You need to update the rules (or add/remove rules) if the list of business units changes.
    2. You cannot have ambiguous names for the business units. For example if a business unit is called Business11, it would match the rule for Business1. If you do have such naming issues, tell us and we could go for a fancier regular expression (to look for a comma or an end of string instead of just the value).
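
The following PowerShell is an added example, not code from the answer above or from Microsoft: it generates the rule set the answer describes from one list of business unit names (so caveat 1 becomes a list edit rather than a rule edit) and anchors each regex on a comma or string boundary (the "fancier regular expression" of caveat 2), then applies it with Set-AdfsRelyingPartyTrust. Assumptions not in the thread: the relying party trust is named "Contoso ERP App", the unit list is a constructed sample, unit names contain only letters, digits, "-" and "_", and the claim rule language's =~ operator follows .NET regex syntax, which is what the local Test-UnitMatch pre-check uses.

```powershell
# Added example (not from the original answer): build the per-unit rules from a list,
# with the regex anchored so "Business1" cannot match "Business11", and apply them.
# Assumed: relying party trust name, sample unit list, .NET-style regex in claim rules.

$TempType      = 'temp://claim/businessroles'
$RoleType      = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$RelyingParty  = 'Contoso ERP App'                                        # assumed name
$BusinessUnits = @('SAXTechs', 'PrimaTechs', 'Business1', 'Business11')  # constructed sample

function New-BusinessRoleRuleSet {
    param(
        [Parameter(Mandatory)] [string[]] $Units,
        [string] $Attribute = 'extensionAttribute5'
    )
    # Refuse names that would need regex escaping inside a claim-rule string literal.
    foreach ($unit in $Units) {
        if ($unit -notmatch '^[A-Za-z0-9_-]+$') { throw "Unit name '$unit' needs manual escaping" }
    }
    # Rule 1 (same shape as the accepted answer): copy the AD attribute into a temporary claim.
    $rules = @"
@RuleName = "Read $Attribute from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$TempType"), query = ";$Attribute;{0}", param = c.Value);

"@
    # One issue rule per unit. (^|,) and (,|$) anchor the name to a list boundary, so the
    # attribute value "SAXTechs,Business11" does not satisfy the rule for "Business1".
    foreach ($unit in $Units) {
        $pattern = '(^|,)' + $unit + '(,|$)'
        $rules += @"
@RuleName = "Role: $unit"
c:[Type == "$TempType", Value =~ "$pattern"]
 => issue(Type = "$RoleType", Value = "$unit");

"@
    }
    return $rules
}

function Test-UnitMatch {
    # Local pre-check with .NET regex (claim-rule =~ is assumed to use the same syntax):
    # compares the unanchored match used in the answer with the anchored one generated above.
    param([Parameter(Mandatory)] [string] $AttributeValue,
          [Parameter(Mandatory)] [string] $Unit)
    [pscustomobject]@{
        Value    = $AttributeValue
        Unit     = $Unit
        Naive    = [bool]($AttributeValue -match $Unit)
        Anchored = [bool]($AttributeValue -match ('(^|,)' + $Unit + '(,|$)'))
    }
}

# Demonstrate the ambiguity from caveat 2 on constructed attribute values.
Test-UnitMatch -AttributeValue 'SAXTechs,Business11' -Unit 'Business1'   # Naive True, Anchored False
Test-UnitMatch -AttributeValue 'SAXTechs,PrimaTechs' -Unit 'PrimaTechs'  # Naive True, Anchored True

# Generate, review, then apply. Set-AdfsRelyingPartyTrust replaces the whole issuance
# transform rule set of the trust, so merge with any existing rules first.
$ruleSet = New-BusinessRoleRuleSet -Units $BusinessUnits
$ruleSet
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceTransformRules $ruleSet
```

Run this on the ADFS server (the ADFS module loads on demand there). Two practical notes: the anchored pattern assumes the ERP writes the value with no whitespace around the commas, so "SAXTechs, PrimaTechs" would not match and the pattern would need to allow for that; and because Set-AdfsRelyingPartyTrust overwrites the rule set, read the current rules with Get-AdfsRelyingPartyTrust and prepend them to $ruleSet if the trust already has issuance transform rules you want to keep.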
