Reuse custom claim rule
-
Thursday, April 19, 2012 12:20 PM
I have a custom rule in ADFS that issues a claim based on two standard AD attributes (the user's Title and Department). I want to use this custom rule across many applications. How can I manage the rule so that if it needs to be updated I only have to edit it in one place? OR is there an easy way to create a new AD attribute based on this rule so that the rule/claim is simply reading the new custom attribute? I don't see anything online about custom rule reuse or creating custom AD attributes.
Appreciate the help.
All Replies
-
Thursday, April 19, 2012 6:27 PM
At the moment there isn't any way to duplicate rules. The easiest way is to go into the rule and manually copy its source.
Developer Security MVP | www.syfuhs.net
-
Tuesday, April 24, 2012 4:36 PM
I went back to dig a little further. Writing a custom rule for the claims provider, in my case Active Directory, allows you a way to issue claims from the custom rule across applications. There seems to be a problem with qualifying the value for an incoming claim. For example, if you add a custom rule to the Claims Provider Trust (Active Directory) that issues a claim to everyone, this works:
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "People");
if you add a check for an incoming claim type, this also seems to work fine but so far only with the "name" claim, this works:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "ProjectAdmin");
But if I add a value check that is true, the issued claim does not show up. THIS FAILS:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value == "Administrator@SP2010.local"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "ProjectAdmin");
Any clues why (1) the value check on the name claim fails? And (2) why other claims that pass through fail on just checking the type?
If I could get the bottom custom rule to fire, combining two claim values and issuing a role claim, I would get full reuse out of the custom rule as it would issue the claim based on incoming values.
Thoughts?
Thanks, Tim
-
Tuesday, April 24, 2012 7:30 PM
Take a Free Trial at Pluralsight. And take a look at my module about the ADFS Server (Claims Engines) and then the Claims Language module. It should save you a lot of time.
If you have more questions after that, feel free to ask.
Paul Lemmers
-
Tuesday, April 24, 2012 11:40 PM
Ok, I figured out a way to make this work.
First, watch the Type values, I had some claim values that did not have the right body so that was just operator error.
Once I got the names right I had to issue the AD attribute claims before I could build a custom rule from the values. So, I added a custom rule that looked like this:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/group", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department"), query = ";tokenGroups(domainQualifiedName), title, department;{0}", param = c.Value);
Then I was able to write this custom rule which populates a role value that can be used in any number of applications.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department", Value == "DC Conversions"]
&& c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title", Value == "Project Leader"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "CustomRoleTrue");
Hopefully this helps someone else out.
Tim
- Marked As Answer by Timhenn Tuesday, April 24, 2012 11:40 PM
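The original question was how to keep the rule in one place so an update does not mean editing every trust by hand. Tim's answer puts the two rules on the Active Directory claims provider trust; the script below is an added example (not from the thread or from Microsoft) that keeps those same two rules as a single block of text and pushes them with the ADFS PowerShell cmdlets, so re-running the script is the update. It assumes the ADFS 2.0 snap-in or the built-in ADFS module of Windows Server 2012 R2 and later, a claims provider trust named "Active Directory", and a hypothetical list of relying party names (`App1`, `App2`). The pass-through rule for each relying party is an assumption about the ADFS pipeline that the thread does not state: a claim issued by the claims provider trust's acceptance rules only reaches an application if that application's issuance transform rules pass it through, and scoping the pass-through to a named list keeps the role claim out of applications that have no use for it.

```powershell
# Added example, not code from the thread. Keeps the two custom rules from
# Tim's answer in one place and pushes them with the ADFS cmdlets.

# ADFS 2.0 needs the snap-in; Windows Server 2012 R2 and later auto-load the module.
if (-not (Get-Command Get-AdfsClaimsProviderTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$RoleClaimType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

# Hypothetical relying party names (assumption): only these applications get the role claim.
$TargetRelyingParties = @('App1', 'App2')

# Single source of truth: the AD lookup rule and the role rule from the thread,
# each tagged with a "Shared:" RuleName so the script can find and replace its own rules.
$SharedAcceptanceRules = @'
@RuleName = "Shared: pull title and department from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/group", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department"), query = ";tokenGroups(domainQualifiedName), title, department;{0}", param = c.Value);

@RuleName = "Shared: CustomRoleTrue from department and title"
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department", Value == "DC Conversions"]
 && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title", Value == "Project Leader"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "CustomRoleTrue");
'@

# Assumption about the pipeline: each relying party must pass the role claim through
# its own issuance transform rules before it appears in the token.
$RolePassThroughRule = @"
@RuleName = "Shared: pass through role claim"
c:[Type == "$RoleClaimType"]
 => issue(claim = c);
"@

# Matches one rule we own: from its "Shared:" RuleName to the ");" that ends its issue statement.
$ManagedRulePattern = '(?s)@RuleName = "Shared:[^"]*".*?\);\s*'

function Set-ManagedRules {
    param([string]$Current, [string]$Managed)
    # Drop every rule this script owns, keep the administrator's other rules, append the fresh copy.
    $kept = [regex]::Replace([string]$Current, $ManagedRulePattern, '')
    return ($kept.TrimEnd() + "`r`n`r`n" + $Managed.Trim() + "`r`n").TrimStart()
}

function Install-SharedClaimRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Claims provider trust: the shared rules run once for every sign-in through AD.
    $cpt = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
    $newCptRules = Set-ManagedRules -Current $cpt.AcceptanceTransformRules -Managed $SharedAcceptanceRules
    if ($PSCmdlet.ShouldProcess('Active Directory', 'update acceptance transform rules')) {
        Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules $newCptRules
    }

    # 2. Relying parties: only the listed applications receive the role claim.
    foreach ($rpName in $TargetRelyingParties) {
        $rp = Get-AdfsRelyingPartyTrust -Name $rpName
        if (-not $rp) { Write-Warning "Relying party '$rpName' not found, skipping"; continue }
        $newRpRules = Set-ManagedRules -Current $rp.IssuanceTransformRules -Managed $RolePassThroughRule
        if ($PSCmdlet.ShouldProcess($rpName, 'update issuance transform rules')) {
            Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRpRules
        }
    }
}

# Review the planned changes first; drop -WhatIf to apply them.
Install-SharedClaimRules -WhatIf
```

Run it with `-WhatIf` first and compare the rule text it would write against what `Get-AdfsClaimsProviderTrust -Name 'Active Directory' | Select-Object -ExpandProperty AcceptanceTransformRules` currently shows. Because every rule the script owns carries a `Shared:` RuleName, re-running after editing the here-string replaces only those rules and leaves any rules an administrator added by hand untouched.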

