Converting an ADFS v2 rule working on ADFS v1 as IdP and ADFS v2 as SP to ADFS v2 as IdP and SP as well

  • Question

  • I need help converting an ADFS v2 rule please. We have the rule working with ADFS v1 as IdP and ADFS v2 as SP, but I was not able to duplicate it for ADFS v2 as both IdP and SP.

    We want to query the employeeNumber attribute: if its value does not start with the letter “S”, or the value is null, then issue the value “anonymous”; otherwise, if the value starts with “S”, pass the value through as it is.

    The following rules work with V2 as SP and V1 as IdP, but they did not work with V2 as IdP and SP:

    @RuleName = "1"
    c:[Type == "http://schemas.xmlsoap.org/claims/employeeNumber", Value =~ "^[^A](.+)$"]
     => add(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UniID", Value = "ANONYMOUS");

    @RuleName = "2"
    NOT EXISTS([Type == "http://schemas.xmlsoap.org/claims/employeeNumber"])
     => add(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UniID", Value = "ANONYMOUS");

    @RuleName = "3"
    c:[Type == "http://schemas.xmlsoap.org/claims/employeeNumber", Value =~ "^[A](.+)$"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UniID", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

    @RuleName = "4"
    c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "http://schemas.xmlsoap.org/claims/UPN"]
     && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UniID"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c1.Issuer, OriginalIssuer = c1.OriginalIssuer, Value = c2.Value, ValueType = c1.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

    • Edited by EnyMay Saturday, July 7, 2012 12:32 PM
    Saturday, July 7, 2012 6:32 AM

Answers

  • I was able to convert it and here is the new rule:

    I hope this will help others.

    @RuleName = "extract"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/employeeNumber"), query = ";employeeNumber;{0}", param = c.Value);

    @RuleName = "Null"
    NOT EXISTS([Type == "http://schemas.xmlsoap.org/claims/employeeNumber"])
    => add(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UniID", Value = "ANONYMOUS");

    @RuleName = "Different"
    c:[Type == "http://schemas.xmlsoap.org/claims/employeeNumber", Value =~ "^[^A](.+)$"]
    => add(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UniID", Value = "ANONYMOUS");

    @RuleName = "UniID"
    c:[Type == "http://schemas.xmlsoap.org/claims/employeeNumber", Value =~ "^[S](.+)$"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UniID", Value = c.Value);

    @RuleTemplate = "MapClaims"
    @RuleName = "NameId"
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UniID"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

    • Marked as answer by EnyMay Saturday, July 7, 2012 7:20 PM
    • Edited by EnyMay Sunday, July 8, 2012 8:06 AM
    Saturday, July 7, 2012 7:20 PM
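As an added illustration (it is not part of EnyMay's answer and not ADFS code), here is a small Python model of how the claims pipeline evaluates the five rules in the accepted answer. It assumes the documented semantics of the claim rule language: rules run in order, `add` places a claim in the input claim set only, `issue` places it in both the input and the output set, one claim is produced per matching input claim, and `=~` is a case-sensitive regular-expression match. The Active Directory attribute store queried by the "extract" rule is replaced by a constructed dictionary of account names and employeeNumber values; the claim type URIs and the two regular expressions are copied from the answer.

```python
import re
from dataclasses import dataclass, field

# Claim type and property URIs exactly as used in the answer's rules.
WINACCT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
EMP_NUM = "http://schemas.xmlsoap.org/claims/employeeNumber"
UNIID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UniID"
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
FORMAT_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-in for the "Active Directory" attribute store used by the
# "extract" rule: windows account name -> employeeNumber (None = attribute not set).
DIRECTORY = {
    "CORP\\alice": "S12345",   # starts with S: intended to pass through unchanged
    "CORP\\bob": "B98765",     # starts with another letter: intended to become ANONYMOUS
    "CORP\\carol": None,       # attribute missing: intended to become ANONYMOUS
    "CORP\\dave": "A55555",    # starts with A: matched by neither regex in the rules
}


@dataclass
class Claim:
    type: str
    value: str
    issuer: str = "AD AUTHORITY"
    properties: dict = field(default_factory=dict)


@dataclass
class Pipeline:
    """Assumed rule-language semantics: 'add' puts a claim in the input set only,
    'issue' puts it in both the input set and the output set."""
    inputs: list
    outputs: list = field(default_factory=list)

    def add(self, claim):
        self.inputs.append(claim)

    def issue(self, claim):
        self.inputs.append(claim)
        self.outputs.append(claim)

    def of_type(self, claim_type):
        return [c for c in self.inputs if c.type == claim_type]


def rule_extract(p):
    # @RuleName = "extract": look up employeeNumber for the AD-issued windows account name.
    for c in p.of_type(WINACCT):
        if c.issuer != "AD AUTHORITY":
            continue
        value = DIRECTORY.get(c.value)
        if value is not None:          # an unset attribute yields no claim at all
            p.add(Claim(EMP_NUM, value))


def rule_null(p):
    # @RuleName = "Null": NOT EXISTS(employeeNumber) -> add UniID = ANONYMOUS
    if not p.of_type(EMP_NUM):
        p.add(Claim(UNIID, "ANONYMOUS"))


def rule_different(p):
    # @RuleName = "Different": employeeNumber =~ "^[^A](.+)$" -> add UniID = ANONYMOUS
    for c in p.of_type(EMP_NUM):
        if re.match(r"^[^A](.+)$", c.value):
            p.add(Claim(UNIID, "ANONYMOUS"))


def rule_uniid(p):
    # @RuleName = "UniID": employeeNumber =~ "^[S](.+)$" -> issue UniID = value
    for c in p.of_type(EMP_NUM):
        if re.match(r"^[S](.+)$", c.value):
            p.issue(Claim(UNIID, c.value))


def rule_nameid(p):
    # @RuleName = "NameId": every UniID claim -> issue a nameidentifier with format unspecified
    for c in p.of_type(UNIID):
        p.issue(Claim(NAMEID, c.value, c.issuer, {FORMAT_PROP: UNSPECIFIED}))


RULES = [rule_extract, rule_null, rule_different, rule_uniid, rule_nameid]


def name_identifiers(account):
    """Run the rule set for one account and return the issued nameidentifier values."""
    p = Pipeline(inputs=[Claim(WINACCT, account)])
    for rule in RULES:
        rule(p)
    return [c.value for c in p.outputs if c.type == NAMEID]


if __name__ == "__main__":
    for account in DIRECTORY:
        print(account, "->", name_identifiers(account))
```

Running it over the constructed accounts shows what the two regular expressions actually select: a missing employeeNumber, or one starting with a letter other than A or S, yields a single ANONYMOUS name identifier. In this model, however, a value starting with S matches both `^[^A](.+)$` and `^[S](.+)$`, so the relying party receives two nameidentifier claims (ANONYMOUS and the real value), and a value starting with A matches neither rule and produces no name identifier at all. If the requirement is exactly as the question states it (anonymise everything that does not start with S), the "Different" rule would need `^[^S]` rather than `^[^A]` in its character class; check that against a test relying party before changing a production rule set, since this is a model of the documented semantics and not an ADFS run.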