ADFS claim rules to filter group membership
During recent years I have seen an incredible uptake of SAML-based single sign-on (SSO) technologies like Microsoft Active Directory Federation Services (ADFS). I have personally used it to provide companies with SSO to SaaS such as Yammer, Cisco Jabber and Webex, Office 365, and Citrix ShareFile, to name a few.
Recently I received a request to provide access to a custom-built SaaS application using our internal credentials; in this case we were the identity provider (IdP) and the SaaS was, of course, the service provider. What was particular about this application was that it expected us to send it the groups the user belongs to. We didn’t want to send ALL of the groups, only the groups that were relevant to the application.
After setting up the SaaS as a Relying Party in the ADFS console, we were set to define the claim rules for the information they required. We had to send three basic pieces of information: the user ID, the display name, and the groups the user belongs to, filtered by a criterion.
To do this we needed to create two custom claim rules: the first retrieves all groups the user belongs to, directly and indirectly; the second filters those groups down to only the ones we want to pass to the service provider.
Let’s create the first rule. Click on Add Rule and choose “Send Claims Using a Custom Rule”. This lets you enter the rule as code.
Enter a name for the rule and type or paste the code below. One important piece of this code is highlighted in the image below: we use ADD instead of ISSUE, so the results of this rule are passed on to the next rule rather than sent to the service provider.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
For the second rule, you will add a new rule. An ADFS custom rule can only process one command per rule; if you try to add more, a warning is displayed. The highlighted part in the image below shows that we are looking for all groups that start with CAAM, and because there is an ISSUE command, the results of this rule are sent to the service provider. Just replace CAAM with whatever prefix you need for your own customization.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)^CAAM.*"] => issue(claim = c);
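The two rules above applied from PowerShell rather than the console, as an added example that is not part of the original post; it assumes the ADFS module is available on the federation server and uses "CustomSaaS" as a placeholder relying party name. It also checks that no existing rule on the trust already issues role claims unfiltered, since such a rule would send every group and defeat the prefix filter.

```powershell
# Added example (not from the original post): apply the two rules above to a
# relying party trust with the ADFS PowerShell module instead of the console.
# Assumptions: the ADFS role is installed locally and "CustomSaaS" is a
# placeholder for your relying party's display name.
Import-Module ADFS

$rpName = "CustomSaaS"   # placeholder trust name

# Two rules, each with one command. Rule 1 uses ADD so the full group list only
# feeds the next rule; rule 2 uses ISSUE so only CAAM* groups leave the IdP.
$groupRules = @'
@RuleName = "Stage all token groups (not issued)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Issue only groups starting with CAAM"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)^CAAM.*"]
 => issue(claim = c);
'@

$trust    = Get-AdfsRelyingPartyTrust -Name $rpName
$existing = [string]$trust.IssuanceTransformRules

# Guard: an existing rule that issues role claims with no Value condition
# (e.g. a pass-through of all roles) would send every group regardless of the
# filter below. This is a heuristic text check; review the rule set by hand too.
$roleType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
if ($existing -match "Type == `"$([regex]::Escape($roleType))`"\]\s*=>\s*issue") {
    throw "Trust '$rpName' already issues unfiltered role claims; remove that rule first."
}

# Keep the existing rules (user ID, display name, ...) and append the pair.
# Order matters: the ADD rule must precede the ISSUE rule.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing.TrimEnd() + "`n`n" + $groupRules)

# Show the final rule set so the order and the regex can be verified.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Run this on the ADFS server with an account allowed to modify relying party trusts, and confirm with a test sign-in that only the CAAM-prefixed groups appear in the token.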
Thank you for reading and happy filtering
MoliKop
Hello
I don’t think this filtering thing works. I tested it in my lab and it doesn’t work. It still gives me all the groups that the user is in.
I just figured it out. You have a mistake in your article. You should put the word “ADD” instead of “ISSUE” in the first claim rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
You are welcome 😀
Hello Ondrej, you are correct… there is a typo in the code, but if you look at the image it actually has “add” instead of “issue”. I have updated the code. Thank you very much.
Hi, can you please provide me a query to get all users of a group?
Are you looking for a PS script to get all users from a group?
Dear All,
I would like to create a claim rule. There are 5 AD groups, and only members of these groups could join the SSO.
BR,
Laszlo