ADFS 3.0 Claim Rules Examples

This page contains ADFS 3.0 claim rule language examples for ServiceChannel SAML Single Sign-On.

Viewing and Managing Claim Rules

You can view the list of existing claim rules, as well as edit, delete, and create new rules.

⦿ How to view claim rules
  1. When finishing the Relying Party Trust setup, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close. The Edit Claim Rules window with a claim rule list appears.

---OR---

  1. Go to Server Manager and select Tools > AD FS Management.
  2. In the left pane, select Trust Relationships > Relying Party Trust.
  3. In the central pane, select your relying party trust.
  4. In the right pane, click Edit Claim Rules. The Edit Claim Rules window with a claim rule list appears.


⦿ How to manage claim rules

In the Edit Claim Rules window, you can add a new claim rule as well as edit or remove your rules.

  • To create a new rule, click Add Rule.
  • To update a rule, select it in the list and click Edit Rule. When editing a rule, you can change, add, or remove LDAP attributes and outgoing claim types.
  • To view the claim in the claim rule language, click Edit Rule, and then click View Rule Language. You can copy your claim should you want to customize it.
  • To delete a rule, select it in the list and click Remove Rule.

Passing Email Address as Name ID

Sending a user’s email address as Name ID in the SAML Assertion is one of the most popular approaches to configure Single Sign-On to ServiceChannel. You need to create one rule.

⦿ How to pass email as name ID
  1. In the Edit Claim Rules window, click Add Rule.
  2. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and then click Next.
  3. Enter the claim rule name.
  4. Select Active Directory from the Attribute store drop-down list.
  5. Select E-Mail-Addresses from the LDAP Attribute drop-down list.
  6. Select Name ID from the Outgoing Claim Type list, and then click Finish.

You have successfully configured authorization-only SAML SSO on the AD FS side. Now users can sign in to ServiceChannel.

Claim rule language code
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);

Some important fields, for example, Issuer, Audience, and X509Certificate are auto-populated in the SAML Assertion, so you do not need to configure any claim rules for these service fields.

Passing Email Local Part as Name ID

An email local part is the part of an email address before the @ symbol. To pass that part as Name ID, you need to create two rules.

Rule 1

The first rule gets an email address from the Active Directory and passes it as Email in the SAML Assertion.

⦿ How to create rule 1
  1. Repeat steps 1–5 from the previous instruction.
  2. Select E-Mail Address from the Outgoing Claim Type drop-down list, and then click Finish.

Claim rule language code
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

Rule 2

The second rule takes the email address value from the first rule, extracts the email local part using regexreplace, and issues a claim of the Name ID type in the SAML Assertion. For example, SCUser@mycompany.com is transformed into SCUser: <NameID>SCUser</NameID>.

Email address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name ID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

⦿ How to create rule 2
  1. In the Edit Claim Rules window, click Add Rule.
  2. Select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and then click Next.
  3. Enter the claim rule name.
  4. Insert the following claim rule language code:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "@+.+", ""));

  5. Click OK, and then click Finish.

Claim rule language code
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "@+.+", ""));

Passing Office as Location

You can also send an office name as Location. You need to add only one rule.

⦿ How to pass office as location
  1. Repeat steps 1–4 from the Pass Email Address as Name ID instruction.
  2. Select physicalDeliveryOfficeName from the LDAP Attribute drop-down list.
  3. Select Location from the Outgoing Claim Type list, and then click Finish.

Claim rule language code
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("Location"), query = ";physicalDeliveryOfficeName;{0}", param = c.Value);

Passing Custom Attribute NTELimit as NTELimit

Adding a custom attribute to the Active Directory is out of the scope of this article, but you can find plenty of resources covering this topic. For example, check this TechNet article.

To pass a custom Active Directory attribute NTELimit as NTELimit, you need to create one rule. In case a required LDAP attribute or outgoing claim type is not listed in the drop-down list, type the necessary value.

Claim rule language code
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("NTELimit"), query = ";NTELimit;{0}", param = c.Value);

Passing Group Name as Role

You can send a group name that starts with certain symbols as Role. To do that, create two rules.

In the example below, we will find a group name beginning with the sc- prefix, omit that prefix, and send the result as Role.

Rule 1

The first rule gets the group membership and adds it to the Roletemp type. For example, the following string is formed:
CN=group1,CN=users,CN=sc-test role,CN=group2,DC=domain,DC=com.

Claim rule language code
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("Roletemp"), query = ";memberOf;{0}", param = c.Value);

Rule 2

The second rule checks whether Roletemp contains the required value, selects only the substring between that value and the next comma, and sends this substring as Role in the SAML Assertion. In our example, the selected substring is test role.

Claim rule language code
c:[Type == "Roletemp", Value =~ "(?i)sc-"]
=> issue(Type = "Role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, ".*CN=sc-([^,]*).*", "$1"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

Should you need to keep the sc- prefix in the Role value, just change (c.Value, ".*CN=sc-([^,]*).*", "$1") to (c.Value, ".*CN=(sc-[^,]*).*", "$1").

Passing Default Value as Role

You can pass any default value as Role if the corresponding Active Directory attribute is not set. You need to create two rules.

Rule 1

The first rule gets the email address and sends it as Name ID, and also gets employeeType and sends it as Role.

Claim rule language code
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "Role"), query = ";mail,employeeType;{0}", param = c.Value);

Rule 2

The second rule checks if the type Role exists and, if not, sends a default value (for example, "Standard") as the Role value. In our example, employeeType is not set in Active Directory.

Claim rule language code
NOT EXISTS([Type == "Role"])
=> issue(Type = "Role", Value = "Standard");

Add this rule as a third rule to the previous example if you want to have a default role when a user is not a member of any sc- group.
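To check what the transform rules above actually emit before deploying them, here is an added Python model (not the page's or ServiceChannel's own code) of rule 2 from Passing Email Local Part as Name ID, rule 2 from Passing Group Name as Role, and the NOT EXISTS default-role rule, with re.sub standing in for regexreplace. It assumes claims are simple (type, value) pairs and uses constructed sample values; the two extra Roletemp values show a caveat of the Role rule: the (?i)sc- condition is case-insensitive and matches sc- anywhere in the DN, but the CN=sc- pattern is case-sensitive and only matches a CN, so a DN the condition accepts but the pattern does not is issued as Role unchanged.

```python
import re

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

def regexreplace(value, pattern, replacement):
    """Stand-in for the claim language's regexreplace(): like .NET
    Regex.Replace, every match is replaced and a value with no match
    comes back unchanged (this is what makes the edge cases below bite)."""
    return re.sub(pattern, replacement, value)

def local_part_rule(claims):
    """Rule 2 of 'Passing Email Local Part as Name ID'."""
    return [(NAMEID, regexreplace(v, "@+.+", "")) for t, v in claims if t == EMAIL]

def role_rule(claims):
    """Rule 2 of 'Passing Group Name as Role': the (?i)sc- condition, then
    the CN=sc- transform. Python writes the captured group as \\1, not $1."""
    return [("Role", regexreplace(v, ".*CN=sc-([^,]*).*", r"\1"))
            for t, v in claims
            if t == "Roletemp" and re.search("(?i)sc-", v)]

def default_role_rule(claims):
    """NOT EXISTS([Type == "Role"]) => issue(Type = "Role", Value = "Standard")."""
    return [] if any(t == "Role" for t, _ in claims) else [("Role", "Standard")]

def run_rules(claims):
    """Run the rules in page order; the default-role rule goes last so it sees
    any Role issued before it. Roletemp came from add(), so it is never sent."""
    pipeline = list(claims)
    for rule in (local_part_rule, role_rule, default_role_rule):
        pipeline += rule(pipeline)
    return [(t, v) for t, v in pipeline if t != "Roletemp"]

# Constructed input: the page's example values plus two DNs that pass the
# case-insensitive condition but not the case-sensitive CN=sc- pattern.
SAMPLE = [
    (EMAIL, "SCUser@mycompany.com"),
    ("Roletemp", "CN=group1,CN=users,CN=sc-test role,CN=group2,DC=domain,DC=com"),
    ("Roletemp", "CN=Admins,OU=sc-region,DC=domain,DC=com"),
    ("Roletemp", "CN=SC-Audit,CN=Users,DC=domain,DC=com"),
]

if __name__ == "__main__":
    for claim in run_rules(SAMPLE):
        print(claim)
```

Running it shows Name ID SCUser and Role test role as the page describes, but also two Role claims carrying whole distinguished names; tightening the condition to match the transform pattern (for example Value =~ "CN=sc-") avoids that.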

See Understanding Claim Rule Language in AD FS 2.0 & Higher for more information.