Search code examples
adfsclaims

Custom claim rules

i'm new to ADFS claim rules and struggling with a custom rule.

What i want to do is filter groups based on group names, and then return the matched groups as SIDs. I also want to return UPN, Email, Surname, GivenName and WindowsAccountName along with these, but the filtered groups are most important.

I've tried this with no success:

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i).+(Test|Test2).+"]
=> issue(Type = "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid");

Can anyone help me creating this rule or point me in the right direction? I would also appreciate an explanation of the rule if you bother.

Solution

  • This gives the user params i want, filters groups based on names, and returns groups as both unqualified names and SIDs

    Get groups:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

    Filter and issue groups:

    c1:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "INSERT-REGEX-HERE"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", "http://schemas.xmlsoap.org/claims/Group"), query = "(&(name={0}));objectSid,name;{1}", param = c1.Value, param = c2.Value);

    Issue user params:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = ";givenName,sn,mail,userPrincipalName,sAMAccountName;{0}", param = c.Value);