ADFS 3.0 Claim Rules Examples
- Anastasiya Selivanava
- Anastasiya Dashuk
This page contains ADFS 3.0 claim rule language examples for ServiceChannel SAML Single Sign-On.
Viewing and Managing Claim Rules
You can view the list of existing claim rules, as well as edit, delete, and create new rules.
- When finishing the Relying Party Trust setup, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close. The Edit Claim Rules window with a claim rule list appears.
---OR---
- Go to Server Manager and select Tools > AD FS Management.
- In the left pane, select Trust Relationships > Relying Party Trust.
- In the central pane, select your relying party trust.
- In the right pane, click Edit Claim Rules. The Edit Claim Rules window with a claim rule list appears.
In the Edit Claim Rules window, you can add a new claim rule as well as edit or remove your rules.
- To create a new rule, click Add Rule.
- To update a rule, select it in the list and click Edit Rule. When editing a rule, you can change, add, or remove LDAP attributes and outgoing claim types.
- To view a rule in the claim rule language, click Edit Rule, and then click View Rule Language. You can copy the rule text should you want to customize it.
- To delete a rule, select it in the list and click Remove Rule.
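The same rule list can be read from PowerShell with the ADFS module, which is convenient for reviewing or archiving a trust's rules outside the Edit Claim Rules dialog. This is an added example, not part of the original page or of ServiceChannel's own documentation; the trust name ServiceChannel and the output path are assumptions.

```powershell
# Added example (not from the original page): list the issuance transform rules
# of a relying party trust and save them to a file for review.
# Assumptions: the trust's display name is "ServiceChannel"; output goes to %TEMP%.
Import-Module ADFS

function Export-ClaimRuleSet {
    param(
        [Parameter(Mandatory)][string]$TrustName,
        [Parameter(Mandatory)][string]$OutFile
    )
    $trust = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

    # IssuanceTransformRules holds the whole rule set as one claim-rule-language string,
    # exactly what View Rule Language shows for each rule, concatenated.
    $rules = $trust.IssuanceTransformRules
    Set-Content -Path $OutFile -Value $rules -Encoding UTF8

    # Every rule created in the dialog carries an @RuleName line; collect the names.
    $names = [regex]::Matches($rules, '@RuleName\s*=\s*"([^"]*)"') |
        ForEach-Object { $_.Groups[1].Value }

    [pscustomobject]@{
        Trust     = $trust.Name
        RuleCount = @($names).Count
        RuleNames = $names
        File      = $OutFile
    }
}

Export-ClaimRuleSet -TrustName 'ServiceChannel' -OutFile "$env:TEMP\ServiceChannel-claim-rules.txt"
```

Run it in an elevated PowerShell session on the AD FS server; the saved file can be kept under version control so that later changes to the rule set are easy to diff.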
Passing Email Address as Name ID
Sending a user’s email address as Name ID in the SAML Assertion is one of the most popular approaches to configuring Single Sign-On to ServiceChannel. You need to create one rule.
- In the Edit Claim Rules window, click Add Rule.
- Select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and then click Next.
- Enter the claim rule name.
- Select Active Directory from the Attribute store drop-down list.
- Select E-Mail-Addresses from the LDAP Attribute drop-down list.
- Select Name ID from the Outgoing Claim Type list, and then click Finish.
You have successfully configured authorization-only SAML SSO on the AD FS side. Now users can sign in to ServiceChannel.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
Some important fields, for example Issuer, Audience, and X509Certificate, are auto-populated in the SAML Assertion, so you do not need to configure claim rules for these service fields.
Passing Email Local Part as Name ID
An email local part is the part of an email address before the @ symbol. To pass that part as Name ID, you need to create two rules.
Rule 1
The first rule gets an email address from the Active Directory and passes it as Email in the SAML Assertion.
- Repeat steps 1–5 from the previous instruction.
- Select E-Mail Address from the Outgoing Claim Type drop-down list, and then click Finish.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
Rule 2
The second rule takes the email address value from the first rule, extracts the email local part using regexreplace, and issues a claim of the Name ID type in the SAML Assertion. For example, SCUser@mycompany.com is transformed into SCUser: <NameID>SCUser</NameID>
Email address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name ID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- In the Edit Claim Rules window, click Add Rule.
- Select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and then click Next.
- Enter the claim rule name.
- Insert the following claim rule language code:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "@+.+", ""));
- Click OK, and then click Finish.
Passing Office as Location
You can also send an office name as Location. You need to add only one rule.
- Repeat steps 1–4 from the Passing Email Address as Name ID instruction.
- Select physicalDeliveryOfficeName from the LDAP Attribute drop-down list.
- Select Location from the Outgoing Claim Type list, and then click Finish.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("Location"), query = ";physicalDeliveryOfficeName;{0}", param = c.Value);
Passing Custom Attribute NTELimit as NTELimit
Adding a custom attribute to Active Directory is out of the scope of this article, but plenty of resources cover this topic; for example, see this TechNet article.
To pass a custom Active Directory attribute NTELimit as NTELimit, you need to create one rule. If the required LDAP attribute or outgoing claim type is not listed in the drop-down list, type the value manually.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("NTELimit"), query = ";NTELimit;{0}", param = c.Value);
Passing Group Name as Role
You can send a group name that starts with a certain prefix as Role. To do that, create two rules.
In the example below, we will find a group name beginning with the sc- prefix, omit that prefix, and send the result as Role.
Rule 1
The first rule gets the group membership and adds it to the Roletemp type. For example, the following string is formed: CN=group1,CN=users,CN=sc-test role,CN=group2,DC=domain,DC=com
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("Roletemp"), query = ";memberOf;{0}", param = c.Value);
Rule 2
The second rule checks whether a value containing the prefix exists in Roletemp, selects only the substring between that prefix and the next comma, and sends this substring as Role in the SAML Assertion. In our example, the selected substring is test role.
c:[Type == "Roletemp", Value =~ "(?i)sc-"] => issue(Type = "Role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, ".*CN=sc-([^,]*).*", "$1"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
Should you need to keep the sc- prefix in the Role value, change regexreplace(c.Value, ".*CN=sc-([^,]*).*", "$1") to regexreplace(c.Value, ".*CN=(sc-[^,]*).*", "$1").
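Both custom rules on this page (the email local part rule and the group-to-Role rule) rely on regexreplace, and the result is only visible once a user signs in. The following added example, not from the original page, runs the same patterns through the .NET regex engine that AD FS uses for regexreplace, on constructed sample values, so a rule can be checked before it is saved. The sample email address and group DNs are constructed, not real accounts.

```powershell
# Added example (not from the original page): exercise the regexreplace() patterns of
# the custom claim rules locally. AD FS regexreplace(value, pattern, replacement) has
# .NET Regex.Replace semantics, so [regex]::Replace gives the same result.
function Test-ClaimRegex {
    param(
        [Parameter(Mandatory)][string]$Value,
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string]$Replacement
    )
    return [regex]::Replace($Value, $Pattern, $Replacement)
}

# Constructed sample inputs (assumed, not real users or groups). Single quotes keep
# '$1' literal; in double quotes PowerShell would expand it as a variable.
$samples = @(
    @{ Label = 'Email local part';              Value = 'SCUser@mycompany.com';
       Pattern = '@+.+';                       Replacement = '' }
    @{ Label = 'Value without @ (unchanged)';   Value = 'SCUser';
       Pattern = '@+.+';                       Replacement = '' }
    @{ Label = 'Page example string';           Value = 'CN=group1,CN=users,CN=sc-test role,CN=group2,DC=domain,DC=com';
       Pattern = '.*CN=sc-([^,]*).*';          Replacement = '$1' }
    @{ Label = 'Single group DN, prefix stripped'; Value = 'CN=sc-test role,CN=Users,DC=domain,DC=com';
       Pattern = '.*CN=sc-([^,]*).*';          Replacement = '$1' }
    @{ Label = 'Single group DN, prefix kept';  Value = 'CN=sc-test role,CN=Users,DC=domain,DC=com';
       Pattern = '.*CN=(sc-[^,]*).*';          Replacement = '$1' }
    @{ Label = 'Upper-case SC- group';          Value = 'CN=SC-Admins,CN=Users,DC=domain,DC=com';
       Pattern = '.*CN=sc-([^,]*).*';          Replacement = '$1' }
    @{ Label = 'Upper-case SC- group with (?i)'; Value = 'CN=SC-Admins,CN=Users,DC=domain,DC=com';
       Pattern = '(?i).*CN=sc-([^,]*).*';      Replacement = '$1' }
)

foreach ($s in $samples) {
    $result = Test-ClaimRegex -Value $s.Value -Pattern $s.Pattern -Replacement $s.Replacement
    '{0,-36} {1}  ->  "{2}"' -f $s.Label, $s.Value, $result
}
```

The last two samples show a detail worth checking in your own rule set: the rule condition Value =~ "(?i)sc-" matches case-insensitively, but the regexreplace pattern ".*CN=sc-([^,]*).*" is case-sensitive, so a group named SC-Admins passes the condition while the pattern does not match and the whole DN is issued as the Role value. If group names in your directory vary in case, prefix the replace pattern with (?i) as in the final sample so that both halves of the rule agree.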
Passing Default Value as Role
You can pass any default value as Role if the corresponding Active Directory attribute is not set. You need to create two rules.
Rule 1
The first rule gets the email address and sends it as Name ID, and also gets employeeType and sends it as Role.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "Role"), query = ";mail,employeeType;{0}", param = c.Value);
Rule 2
The second rule checks whether a claim of type Role exists and, if not, issues a default value (for example, "Standard") as the Role value. In our example, employeeType is not set in Active Directory.
NOT EXISTS([Type == "Role"])
=> issue(Type = "Role", Value = "Standard");
Add this rule as a third rule to the previous example if you want to have a default role when a user is not a member of any sc- group.
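Putting the pieces together, the Name ID rule plus the three-rule Role chain (Roletemp, Role, default Role) can be applied to the relying party trust as one rule set from PowerShell. This is an added example, not part of the original page or of ServiceChannel's documentation; the rule text is the page's own, while the trust name ServiceChannel and the backup location are assumptions.

```powershell
# Added example (not from the original page): apply the Name ID rule and the
# Roletemp -> Role -> default Role chain as one issuance transform rule set.
# Assumption: the relying party trust display name is "ServiceChannel".
Import-Module ADFS

$trustName = 'ServiceChannel'

# Rule order matters: the add() rule that fills Roletemp must run before the
# issue() rule that reads it, and the NOT EXISTS rule must come last so it only
# fires when no Role claim was produced by the rules above it.
$ruleSet = @'
@RuleName = "Email as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);

@RuleName = "Group membership to Roletemp"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("Roletemp"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "sc- group to Role"
c:[Type == "Roletemp", Value =~ "(?i)sc-"]
 => issue(Type = "Role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, ".*CN=sc-([^,]*).*", "$1"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

@RuleName = "Default Role"
NOT EXISTS([Type == "Role"])
 => issue(Type = "Role", Value = "Standard");
'@

# Keep the current rule set so the change can be reviewed or rolled back.
$before = (Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
$backup = Join-Path $env:TEMP ('{0}-IssuanceTransformRules-{1:yyyyMMdd-HHmmss}.txt' -f $trustName, (Get-Date))
Set-Content -Path $backup -Value $before -Encoding UTF8

# Set-AdfsRelyingPartyTrust validates the claim rule language and fails on a syntax error.
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $ruleSet

# Show what is now in place.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

Because the rule set string replaces everything previously configured for the trust, start from the exported current rules and add to them rather than pasting only the new rules, unless replacing the whole set is intended.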
See Understanding Claim Rule Language in AD FS 2.0 & Higher for more information.