ADFS 2.0 Custom claim rule

nidhin_ck posted this 17 August 2016

Hi Experts,
Is it possible to check conditions and decide which claim needs to be sent?
For example: we need to send the EmployeeNumber attribute as a claim, but some users do not have an employeeNumber. In that case we need to send the SID of the user object as a claim. Is this possible? If yes, could you please provide the syntax?

Regards,
Nidhin CK

nidhin_ck posted this 18 August 2016

I got the answer from the MS forum. I'm sharing the same here.
We need to create multiple rules to implement this solution.

Rule 1: get the employeeNumber from AD and store it in the claim type of your choice (here: http://yournamespace/employeeNumber):

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://yournamespace/employeeNumber"), query = ";employeeNumber;{0}", param = c.Value);

Rule 2: check if we got a value; if not, create a new claim that we add to the pipeline stating that we don't have a value (I use the custom claim employeeIDcheck this time):

    NOT EXISTS([Type == "http://yournamespace/employeeNumber"]) => add(Type = "http://yournamespace/employeeIDcheck", Value = "FAILED");

Rule 3: if employeeIDcheck is set with the value 'FAILED' and we have the SID of the user in the pipeline (we have it by default since it is in the acceptance rules of the claim provider trust for AD), then we issue the SID as the employeeNumber:

    c1:[Type == "http://yournamespace/employeeIDcheck", Value == "FAILED"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"] => issue(Type = "http://yournamespace/employeeNumber", Value = c2.Value);
Regards,
Nidhin CK
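The three rules above only work as a set, in that order, inside one issuance transform rule set: rule 2's NOT EXISTS is evaluated against whatever rule 1 has already put into the pipeline, and rule 3 reads the marker claim rule 2 added. The following PowerShell is an added example, not code from the thread or from Microsoft, showing how to assemble the rules in order and apply them to a relying party trust with the ADFS module. The trust name "Contoso App" is hypothetical; the http://yournamespace/ claim types are the ones used in the post.

```powershell
# Added example (not from the original thread): apply the employeeNumber-with-SID-fallback
# rule set to a relying party trust. Run on an AD FS server as a member of the AD FS admins.
# Assumptions: the relying party trust display name "Contoso App" is hypothetical, and the
# AD claims provider trust still has its default acceptance rules that pass through
# windowsaccountname and primarysid (rule 1 and rule 3 need them in the pipeline).
Import-Module ADFS

$RpName   = "Contoso App"          # hypothetical relying party trust name
$NsPrefix = "http://yournamespace"  # claim type namespace from the post

# Rule 1: use windowsaccountname as the key to read employeeNumber from AD.
$rule1 = @"
@RuleName = "Lookup employeeNumber from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$NsPrefix/employeeNumber"), query = ";employeeNumber;{0}", param = c.Value);
"@

# Rule 2: add (not issue) a marker claim when rule 1 produced nothing. 'add' keeps the
# marker inside the pipeline so it never reaches the relying party.
$rule2 = @"
@RuleName = "Flag missing employeeNumber"
NOT EXISTS([Type == "$NsPrefix/employeeNumber"])
 => add(Type = "$NsPrefix/employeeIDcheck", Value = "FAILED");
"@

# Rule 3: fall back to the primary SID only when the marker is present.
$rule3 = @"
@RuleName = "Fallback to primary SID"
c1:[Type == "$NsPrefix/employeeIDcheck", Value == "FAILED"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(Type = "$NsPrefix/employeeNumber", Value = c2.Value);
"@

# Order matters: rule 2 depends on rule 1's output, rule 3 on rule 2's marker.
$newRules = ($rule1, $rule2, $rule3) -join "`r`n"

$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found" }

# Keep any rules already on the trust (e.g. pass-through of the Windows account name)
# ahead of ours, then write the combined set back.
$combined = if ($rp.IssuanceTransformRules) { $rp.IssuanceTransformRules.TrimEnd() + "`r`n" + $newRules } else { $newRules }
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $combined

# Confirm what AD FS stored, and that the AD claims provider trust still passes through
# the two claims the rules depend on.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
(Get-AdfsClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules |
    Select-String -Pattern "windowsaccountname|primarysid"
```

Two things to check after applying it. First, if the employeeNumber attribute exists but is empty, the Active Directory attribute store returns no claim, so the SID fallback fires for that user too; if that is not what the relying party expects, the application should be told that the claim may carry either value. Second, the marker claim is added with `add`, so it is visible to later rules but not sent to the relying party; changing it to `issue` would leak the "FAILED" flag into the token.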
