Writing Claims Rule -- NameID = email

Question
Hi,
I am trying to create a claims rule in ADFS. I was wondering whether I need a transformation rule to map NameID to email?
Currently, this is what is sent as the claims ticket:
<Subject>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData
NotOnOrAfter="2014-10-13T13:42:25.666Z" Recipient="https://sasga-stage.selectica.com/login.jsp"/>
</SubjectConfirmation>
</Subject>
This is what the Relying party expects:
Expected
<Subject>
<NameID>username@domain.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData
NotOnOrAfter="2014-10-13T13:42:25.666Z" Recipient="https://sasga-stage.selectica.com/login.jsp"/>
</SubjectConfirmation>
</Subject>
Thanks for your Help!
Monday, October 13, 2014 7:39 PM
All replies
Set up a normal LDAP claim mapping email address to email address claim type.
Then a transform rule mapping incoming email to outgoing NameID.
Select the outgoing Name ID format - in your case would be email? - check with your provider.
- Edited by nzpcmad1 Monday, October 13, 2014 9:24 PM sp
- Proposed as answer by Robin Gaal Tuesday, October 14, 2014 8:39 AM
- Marked as answer by marknguy Tuesday, October 14, 2014 2:47 PM
Monday, October 13, 2014 9:24 PM
http://support.ideascale.com/customer/portal/articles/1002598-saml-sso-with-active-directory-and-adfs-2-0
Upper 2 screenshots describe what nzpcmad1 proposes.
- Edited by Robin Gaal Tuesday, October 14, 2014 8:38 AM
- Marked as answer by marknguy Tuesday, October 14, 2014 2:47 PM
- Unmarked as answer by marknguy Tuesday, October 14, 2014 6:32 PM
Tuesday, October 14, 2014 8:38 AM
I did the transformation as suggested. Here is the transformation rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
= "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
But for some reason the trace keeps coming back as
<Subject>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData
NotOnOrAfter="2014-10-14T14:38:14.736Z" Recipient="https://sasga-stage.selectica.com/login.jsp"/>
</SubjectConfirmation>
Any suggestion?
Thanks,
Tuesday, October 14, 2014 6:36 PM
1. Did you create the email LDAP mapping as nzpcmad1 proposed, and
2. does the user you used for testing have a filled mail attribute in AD?
Tuesday, October 14, 2014 6:42 PM
Yes I did,
and the email field is filled in AD.
So there are two claims rules:
1. Map "emailaddress" from AD to outgoing "emailaddress"
2. Transform incoming claims "emailaddress" to NameID as suggested.
Tuesday, October 14, 2014 6:48 PM
That's weird, since what nzpcmad1 proposes and what the link describes works in 101% of the times I configured it. Configured both on the RP configuration? Is the authentication source the AD claims provider, or are you using a 3rd party claims provider in this case?
Could you post the LDAP mapping rule in the format as you did with the NameID rule?
Tuesday, October 14, 2014 8:33 PM
Here is the LDAP mapping rule using Active Directory. I am using 3rd party.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("emailaddress"), query = ";mail;{0}", param = c.Value);
I did change the types = ("emailaddress") because the RP expects that:
Attribute parameter name containing user ID should be a non URL string
The original URL string: ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")
Thanks,
Tuesday, October 14, 2014 9:08 PM
Sorry, I meant I am not using a 3rd party. I am using AD.
Tuesday, October 14, 2014 9:26 PM
This won't work.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("emailaddress"), query = ";mail;{0}", param = c.Value);
So you are issuing a claim called "emailaddress", but the transform rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
= "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
takes an input of type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, which now doesn't exist.
What is issued to the other side is not an email address. It's a:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
whose value is an email address and whose format is emailAddress.
What is the exact format of the claim that you are required to send?
Wednesday, October 15, 2014 2:06 AM
You can't change random stuff in the claim rules and expect that samples or answers given keep working.
If you want to work it that way you should modify your transform rule to:
c:[Type == "emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
= "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
Which makes no sense, however, for the argument "Attribute parameter name containing user ID should be a non URL string", because you would still issue a http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier towards your application.
- Edited by Robin Gaal Wednesday, October 15, 2014 7:40 AM
- Marked as answer by marknguy Saturday, October 18, 2014 7:01 AM
Wednesday, October 15, 2014 7:10 AM
Hi All,
Here is the scenario:
The Relying Party (RP) Expects the following items in claim ticket:
Attribute parameter name containing user ID should be a non URL string
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>user@domain.com</AttributeValue>
</Attribute>
Therefore, the attribute name had to be replaced with "emailaddress"; it should appear as below:
<Attribute Name="emailaddress">
<AttributeValue>user@domain.com</AttributeValue>
</Attribute>
The second requirement is that the subject should have nameID as identifier:
Current:
<Subject>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData
NotOnOrAfter="2014-10-13T13:42:25.666Z" Recipient="https://sasga-stage.selectica.com/login.jsp"/>
</SubjectConfirmation>
</Subject>
Expected
<Subject>
<NameID>user@domain.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData
NotOnOrAfter="2014-10-13T13:42:25.666Z" Recipient="https://sasga-stage.selectica.com/login.jsp"/>
</SubjectConfirmation>
</Subject>
Thanks for the information so far, it is really helpful. I really appreciate the help.
Wednesday, October 15, 2014 3:51 PM
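As an added example (not code from the thread or from Microsoft), the two rules nzpcmad1 and Robin Gaal describe, applied to a relying party trust with the ADFS PowerShell module. The trust name is a placeholder, and the Test-ClaimChain helper is assumed here: it catches the mismatch nzpcmad1 diagnosed, where the LDAP rule issues one claim type and the transform rule selects on another, so no NameID is ever produced.

```powershell
# Added example: issue the email claim from AD, then transform it into a SAML
# NameID with the emailAddress format. The trust name below is a placeholder.
$rpName = "RELYING-PARTY-NAME-PLACEHOLDER"

# Rule 1: LDAP attribute store query, issuing the standard email claim type.
$ruleEmail = @'
@RuleName = "Email from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Rule 2: transform the email claim into a NameID with the emailAddress format.
# Its input type must equal the type rule 1 issues; if rule 1 is changed to issue a
# bare "emailaddress" type, this selector must be changed to match or rule 2 never fires.
$ruleNameId = @'
@RuleName = "Email to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Assumed helper: checks that the claim type issued by the LDAP rule is the one
# the transform rule selects on, so a <NameID> is actually produced.
function Test-ClaimChain([string]$issuer, [string]$consumer) {
    $issued   = [regex]::Match($issuer,   'types\s*=\s*\("([^"]+)"\)').Groups[1].Value
    $consumed = [regex]::Match($consumer, 'c:\[Type\s*==\s*"([^"]+)"').Groups[1].Value
    return ($issued -eq $consumed)
}

if (-not (Test-ClaimChain $ruleEmail $ruleNameId)) {
    throw "Transform rule selects on a claim type the LDAP rule does not issue; no NameID would be sent."
}

# Apply both rules to the trust and read back what is now configured.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($ruleEmail + $ruleNameId)
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Run on the ADFS server as an ADFS administrator; Set-AdfsRelyingPartyTrust replaces the whole rule set for that trust, so include every rule the trust needs.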