question

JeffTerrance-0508 asked:

ADFS 3.0: Custom Outgoing Claim Type?

Hi all,

So our ADFS guy left a while ago leaving me to hold the fort with zero previous ADFS experience. Mostly ok, however very basic setups or Vendors who know exactly what they need to integrate. I currently have a vendor who is insisting I return the user group membership as an array called "Groups". I told them I could do this using role or group as published in our metadata, however they are insisting it be called "Groups".

I thought I might be able to do this by doing a transform of incoming claim type to outgoing claim type, I'm just ending up with errors though. I'm completely unfamiliar with doing anything like this, is it even possible using ADFS 3.0 On-Prem infrastructure? Would be very grateful if someone could lend assistance as the vendor neither has documentation or a willingness to help.

Might help if I add what I've tried so far to get a custom attribute name to work. Found a similar issue elsewhere on the web whose solution was to create two separate rules like this;

1st Rule gets the users group membership and assigns it to a temporary store

 c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
  => add(store = "Active Directory", types = ("memberOf"), query = ";memberOf;{0}", param = c.Value);


2nd rule issues these results to the custom attribute name.

 c:[Type == "memberOf"]
  => issue(Type = "Groups", Value = c.Value);

I put each of these in their own custom rule in the order listed above which generates an error for me.

adfs

1 Answer

piaudonn answered:

You can call your claim as you wish.

SAML2 is fine with whatever format. When the application is using WS-Federation, the claim has to be in a URI format (like for example: namespace:item/stuff). They do not need to exist in your metadata, not even in your list of claim definitions.

Note that memberof just gives you the direct membership (no nested groups). And the format is a distinguishedName (like CN=group,OU=Apps,DC=contoso,DC=com). You might consider checking the building rules: Create a Rule to Send Group Membership as a Claim.


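A worked version of the three-rule set this thread is converging on, written as PowerShell that installs it on the relying party trust. This is an added example, not code from the question or the answer; the trust name "TravelApp" and the APP.TRAVEL. group-name prefix are assumptions. Because memberOf returns a distinguishedName, the filter matches on the CN= prefix of the DN the answer describes, and only the CN is issued, so the vendor receives the application's own group names and nothing else about the directory layout (a SAML2 relying party is assumed, since for WS-Federation the answer notes the claim type must be a URI).

```powershell
# Added example (not from the thread). Assumptions: relying party trust named
# "TravelApp" (placeholder) and application groups named APP.TRAVEL.<something>.
# A single-quoted here-string passes the claim rule language to ADFS untouched.
$rules = @'
@RuleName = "Query direct group membership into a temporary claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("memberOf"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "Keep only the application's own groups (memberOf is a DN, so match on CN=)"
c:[Type == "memberOf", Value =~ "^(?i)CN=APP[.]TRAVEL[.]"]
 => add(Type = "appgroup", Value = c.Value);

@RuleName = "Issue the filtered groups as an array called Groups, CN only"
c:[Type == "appgroup"]
 => issue(Type = "Groups", Value = RegExReplace(c.Value, "^CN=([^,]+),.*$", "$1"));
'@

# Set-AdfsRelyingPartyTrust replaces the whole issuance transform rule set for
# the trust, so include every rule the application needs in $rules.
$rp = Get-AdfsRelyingPartyTrust -Name "TravelApp"
if (-not $rp) { throw "Relying party trust 'TravelApp' not found" }
Set-AdfsRelyingPartyTrust -TargetName "TravelApp" -IssuanceTransformRules $rules

# Read the rules back to verify what ADFS stored.
(Get-AdfsRelyingPartyTrust -Name "TravelApp").IssuanceTransformRules
```

Because each matching memberOf value yields its own Groups claim, the assertion carries Groups as a multi-valued attribute, which is what the vendor's "array" requirement amounts to.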

Thanks piaudonn, I had never realised SAML2 was fine with whatever format, I've only ever really used the GUI to create the rules. Creating custom rules like above is entirely new for me.

I have read over the documentation you linked, from what I can see that method is only useful for returning an attribute name/value pair. This vendor requires all groups to be returned as an array under an attribute called Groups.

Direct memberships in this example will be fine as that is how application access is granted, however I forgot to mention that this array of group names will need to be filtered to just the application groups relating to the application (group name prefix of APP.TRAVEL, though wondering if this is correct if memberOf is returning full DN). For this I have added a new rule in between the two rules in my first post.

 c:[Type == "memberOf", Value =~ "^(?i)APP\.TRAVEL\."]
  => issue(claim = c);