ADFS claim rules to filter group membership

ShareIT

During recent years I have seen an incredible uptake of SAML-based single sign-on (SSO) technologies like Microsoft Active Directory Federation Services (ADFS). I have personally used it to provide companies with SSO to SaaS such as Yammer, Cisco Jabber and Webex, Office 365 and Citrix ShareFile, to name a few.

Recently I received a request to provide access to a custom-built SaaS application using our internal credentials; in this case we were the identity provider (IdP) and the SaaS was, of course, the service provider. The particular thing about this application was that it expected us to send it the groups the user belongs to. We didn't want to send ALL of the groups; we wanted to send only the groups that were relevant to the application.

After setting up the SaaS as a Relying Party in the ADFS console, we were set to define the claim rules for the information they required. We had to send three basic pieces of information: the user ID, the display name, and the groups the user belongs to, filtered by a criterion.

To do this we needed to create two custom claim rules: the first retrieves all groups the user belongs to, directly and indirectly (nested membership); the second filters those groups down to only the ones we want to pass to the service provider.

ADFS Mgmt Console

Let's create the first rule. Click on Add Rule and choose "Send Claims Using a Custom Rule". This lets you enter the rule directly in the ADFS claim rule language.

ADFS custom claim rule

Enter a name for the rule and type or paste the code below. One important piece of this code is highlighted on the image below: we use ADD instead of ISSUE. ADD places the resulting claims into the incoming claim set so that the next rule can evaluate them, instead of sending them to the service provider.

ADFS Retrieve Groups

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

For the second rule, add a new rule in the same way. The claim rule language accepts only one rule statement per custom rule; if you try to add more, a warning is displayed. The highlighted part on the image below shows that we are looking for all groups whose names start with CAAM, and because this rule uses the ISSUE command, the matching claims are sent to the service provider. Just replace CAAM with whatever prefix you need to create your own customization.

ADFS claim rules to filter group membership
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)^CAAM.*"]
 => issue(claim = c);
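The same two rules can be applied and checked from PowerShell instead of the console. This is an added example, not code from the original post: it assumes the ADFS PowerShell module is available, a relying party trust named "CustomSaaS" (placeholder), and adds a third rule for the display name that the post mentions but does not show. The final loop is a sanity check that no rule issues the role claim without the prefix filter, which is the way unfiltered group membership would leak to the service provider.

```powershell
# Added example (not from the original post). Assumes the ADFS module and a
# relying party trust named "CustomSaaS" (placeholder name).
Import-Module ADFS

$rpName = "CustomSaaS"

# Rule 1 uses add(): the role claims stay in the pipeline for later rules.
# Rule 2 uses issue(): only groups starting with CAAM reach the service provider.
# Rule 3 (assumed, not on the post) issues the display name from AD.
$rules = @'
@RuleName = "Load all groups (direct and nested) into the pipeline"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Issue only groups prefixed CAAM"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)^CAAM.*"]
 => issue(claim = c);

@RuleName = "Issue display name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";displayName;{0}", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read back what ADFS stored and check every statement that issues a role
# claim carries a Value =~ filter. Statements end with ");", so split there;
# the semicolons inside the query strings are not preceded by ")".
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
foreach ($stmt in ($applied -split '(?<=\);)\s+')) {
    if ($stmt -match 'claims/role"' -and $stmt -match '=>\s*issue\(' -and $stmt -notmatch 'Value =~') {
        Write-Warning "Rule issues role claims without a filter:`n$stmt"
    }
}
```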

Thank you for reading and happy filtering

MoliKop

8 Replies to “ADFS claim rules to filter group membership”

  1. I just figured it out. You have a mistake in your article. You should put the word “ADD” instead of “ISSUE” in the first claim rule:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

    You are welcome 😀

    • Hello Ondrej, you are correct… there is a typo on the code but if you look at the image it actually has the “add” instead of the “issue”. I have updated the code. Thank you very much

  2. Pingback: Adding ADFS integration to Apache | Knowledge Base

  3. Dear All,
    I would like to create a claim rule. There are 5 AD groups, and only members of these groups could join the SSO.

    BR,
    Laszlo

  4. Pingback: Setup ADFS for Amazon Web Services SAML Authentication - The IT Hollow
