ADFS - Claim Rule Examples
Sample ADFS claim rules that can be used to transform various identities to meet the needs of the application or identity provider.
These are specific to Microsoft’s ADFS and are written in its claim rule language.
Adjust NameID to a 16 character user id limit
- Trims the user part of an email-style NameID to its first 16 characters so it fits an application-side user id limit (AD’s own limit on a user’s sAMAccountName is 20 characters). The rule only fires when the incoming NameID format is unspecified and the value looks like user@domain, and it rewrites the domain part to example.com. Truncation is lossy: two distinct source users whose first 16 characters agree will collide on the same identity in the application, so verify uniqueness in the source directory before relying on this rule.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value =~ "^(?<user>[^@]+)@(.+)$", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "^(?<user>[^@]{1,16}).*@(.+)$", "${user}@example.com"), ValueType = c.ValueType);
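Before deploying the rule above it is worth previewing what it will emit. The following PowerShell is an added example, not part of the original page: ADFS regexreplace() and .NET’s [regex]::Replace use the same regex engine and the same ${name} substitution syntax, so running the rule’s exact pattern locally shows the truncation, the domain rewrite and any collisions. The sample NameIDs are constructed for this example.

```powershell
# Added example (not from the original page): preview what the 16-character
# truncation rule will emit. ADFS regexreplace() and [regex]::Replace both use
# .NET regex, so the pattern and "${user}" replacement behave identically here
# and inside the claim rule.

# Exactly the pattern and replacement used in the rule above. Single quotes
# matter: in double quotes PowerShell would expand ${user} as a variable.
$pattern     = '^(?<user>[^@]{1,16}).*@(.+)$'
$replacement = '${user}@example.com'

function Convert-NameIdToUpn {
    param([Parameter(Mandatory)][string]$NameId)
    # Mirror the rule's condition: only email-style values are transformed.
    # Anything else passes through untouched, as ADFS would (rule does not fire).
    if ($NameId -notmatch '^(?<user>[^@]+)@(.+)$') { return $NameId }
    return [regex]::Replace($NameId, $pattern, $replacement)
}

# Constructed sample NameIDs (assumed inputs, not real accounts).
$samples = @(
    'jsmith@corp.example',                 # short: user part unchanged
    'christopher.long@corp.example',       # exactly 16: unchanged
    'christopher.longname@corp.example',   # 20 chars: truncated to 16
    'christopher.longnamer@corp.example',  # collides with the previous one
    'CORP\jsmith'                          # no '@': rule would not fire
)

$results = foreach ($s in $samples) {
    [pscustomobject]@{ NameId = $s; IssuedUpn = (Convert-NameIdToUpn $s) }
}
$results | Format-Table -AutoSize

# Flag collisions: distinct inputs that map to the same issued identity.
$results | Group-Object IssuedUpn | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Collision on $($_.Name): $($_.Group.NameId -join ', ')" }
```

Run this on any machine with PowerShell; it needs no ADFS module. A warning in the output means two source accounts would be indistinguishable to the application after truncation, which is the case to resolve (a different id attribute, or a longer limit) before the rule goes live.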
Transform an email
- Add this rule prior to the UPN transformation rule below; it prepends "xyz" (no separator) to the UPN and issues the result as the NameID.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "xyz" + c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
Transform UPN
- This sample rule transforms an incoming UPN to meet a local identity account naming convention
- This example prepends "xzy." to the UPN. Handy for allowing multiple environments in the same identity domain without their origin accounts needing to be different.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "xzy." + c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
Transform SAMAccountName
- Similar transformation to the UPN rule, but using the SAMAccountName (the windowsaccountname claim)
- Would likely be used in both roles
- Note that the windowsaccountname claim is issued as DOMAIN\user, so as written the rule produces a value of the form dct.DOMAIN\user@appdev.armedia.com. Strip the domain prefix with regexreplace if the application expects a bare account name.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "dct." + c.Value + "@appdev.armedia.com", ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
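The following PowerShell is an added example, not code from the original page. It shows a variant of the SAMAccountName rule above that strips the DOMAIN\ prefix from the windowsaccountname claim before prefixing "dct." and appending the target domain, previews the result with the same .NET regex engine ADFS uses, and installs the UPN and SAMAccountName rules on a relying party trust with Set-AdfsRelyingPartyTrust. The trust name "Example App" and the CORP\jsmith sample account are assumptions for this example.

```powershell
# Added example (not from the original page): strip the DOMAIN\ prefix that the
# windowsaccountname claim carries, then install the prefix rules on a trust.
# Trust name and sample account are placeholders for this example.

$rpName = 'Example App'   # assumed relying party trust display name

# Single-quoted here-string: backslashes and ${...} reach ADFS untouched.
# Inside the regex, [^\\]+ and \\ are the .NET escapes for a literal backslash.
$rules = @'
@RuleName = "UPN to prefixed NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "xzy." + c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");

@RuleName = "SAMAccountName to prefixed NameID (domain prefix stripped)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "^(?<domain>[^\\]+)\\(?<user>.+)$", "dct.${user}@appdev.armedia.com"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
'@

# Preview the stripped form locally; [regex]::Replace is the same .NET engine
# and ${user} syntax that ADFS regexreplace() uses.
function Convert-WindowsAccountToNameId {
    param([Parameter(Mandatory)][string]$WindowsAccountName)
    [regex]::Replace($WindowsAccountName, '^(?<domain>[^\\]+)\\(?<user>.+)$', 'dct.${user}@appdev.armedia.com')
}
Convert-WindowsAccountToNameId 'CORP\jsmith'   # constructed sample account

# Install on the trust (run on an ADFS server as an ADFS administrator).
# -IssuanceTransformRules REPLACES the trust's existing rule set, so the
# current rules are read first and the new ones appended to them.
Import-Module ADFS
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $rules)
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object -ExpandProperty IssuanceTransformRules
```

The preview line runs anywhere PowerShell is available; the Import-Module and Set-AdfsRelyingPartyTrust lines need the ADFS server. Keep the two NameID-issuing rules on one trust only if the application is meant to receive both; otherwise a user with both a UPN and a windowsaccountname claim gets two NameID claims, and which one the application honours depends on the application.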