I am trying to create a custom claim rule in ADFS to rewrite the email address to NameId, but in lowercase.
The reason is that Responsys reads the claims and is case sensitive when comparing the NameId in the SAML Response, so it fails. Our Active Directory has the email address as mixed case for some users and lowercase for others, e.g. LJeary@ or ljeary@
I have added a custom attribute store to do the lowercase part (as per http://macintheoffice.com/?q=node/5), but I am not seeing the claim in the SAMLResponse.
I need help to create a custom claim rule which will successfully send the email address as lowercase in the outgoing claim NameID.
I should see this:
<Subject>
<NameID>ljeary@abc.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2017-05-10T03:24:20.358Z" Recipient="https://interact2.responsys.net/authentication/login/loginSSO" />
</SubjectConfirmation>
</Subject>
but I see this:
<Subject>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2017-05-10T03:24:20.358Z" Recipient="https://interact2.responsys.net/authentication/login/loginSSO" />
</SubjectConfirmation>
</Subject>
which is missing the NameID attribute.
The custom claim rule used is:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(store = "StringProcessing", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = "toLower", param = c.Value);
answer: Thanks @nzpcmad. Came up with a similar process by returning the email address and storing it in an incoming claim, then creating another rule to take the incoming email claim, transform it to lowercase and assign it to the outgoing claim NameID.
Are you sure that something is being returned from the custom attribute store?
The error could be because of a missing NameID format.
Try returning a dummy claim e.g. http://company/temp which contains the lower case email and then use a Transform rule to transform the dummy claim to NameID.
You could also code this yourself.
Or if you like typing :-)
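The two-rule approach suggested in the answer above, written out as an added example that is not part of the original thread: the first rule uses `add` so the lowercased value stays in the working claim set and is not sent to the relying party, and the second issues it as NameID with an explicit format. The trust name "Responsys" and the choice of the emailAddress NameID format are assumptions; the store name, query and temporary claim type are the ones mentioned on this page.

```powershell
# Added example, not from the original thread.
# Assumptions: the relying party trust is named "Responsys" (hypothetical),
# the custom attribute store is registered as "StringProcessing" and answers
# the "toLower" query, and the relying party accepts the emailAddress format.
$lowercaseNameId = @'
@RuleName = "Lowercase email into temporary claim"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => add(store = "StringProcessing", types = ("http://company/temp"), query = "toLower", param = c.Value);

@RuleName = "Temporary claim to NameID with explicit format"
c:[Type == "http://company/temp"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

$trust = Get-AdfsRelyingPartyTrust -Name "Responsys"

# Append after the existing rules so the rule that supplies the email
# address claim still runs before the two rules above.
Set-AdfsRelyingPartyTrust -TargetName $trust.Name `
    -IssuanceTransformRules ($trust.IssuanceTransformRules + "`n" + $lowercaseNameId)

# Print the stored rule set to confirm both rules were accepted.
(Get-AdfsRelyingPartyTrust -Name "Responsys").IssuanceTransformRules
```

Remove the earlier single-rule attempt from the trust before appending, otherwise two rules compete to produce the same NameID claim. If the temporary claim never appears, the attribute store itself is returning nothing, which is the first thing the answer asks to check.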