I previously asked a similar question about doing this in Azure AD. However, I've come to the conclusion that it is probably too limited to do this and I received no answers.

However, in ADFS there is a lot more flexibility.

I want to convert an active directory user's group membership to a single : delimited/enclosed string. So, if the AD user is a member of Group1 and Group2, then a claim will be issued with a string value of :Group1:Group2:. Or, preferably, it would use the SID of the group which is immutable.

I don't think there is any built in way to do this based on my research, but maybe someone is more familiar with the claims rule language that can provide a method? Otherwise, it looks like I might be able to create a custom attribute store which can pretty much utilize any .NET code I want to process claims, as described here.

Before I go down the road of creating my own custom attribute store, is anyone aware of a way to do what I am trying to do either using built-in ADFS functionality, or by utilizing a publicly provided custom attribute store similar to this one here?

I am running ADFS 4.0.

Appleoddity

2 Answers

The best would be to go down the custom attribute store.

Claims rules don't really work for an indeterminate number of claims.

rbrayb


With ADFS this can be done using claim issuance policies.

There is an example here: https://aws.amazon.com/blogs/big-data/federate-access-to-amazon-redshift-query-editor-v2-with-active-directory-federation-services-ad-fs-part-3/

  1. Create the rule Marketing, using the following code for the custom rule:

    c:[Type == "http://temp/variable", Value =~ "(?i)^RSDB-marketing"] => add(Type = "http://temp/marketing", Value = RegExReplace(c.Value, "RSDB-", ""));

  2. Create the rule MarketingNotExists using the following code:

    NOT EXISTS([Type == "http://temp/variable", Value =~ "RSDB-marketing"]) => add(Type = "http://temp/marketing", Value = "");

  3. Create the rule sales using the following code:

    c:[Type == "http://temp/variable", Value =~ "(?i)^RSDB-sales"] => add(Type = "http://temp/sales", Value = RegExReplace(c.Value, "RSDB-", ""));

  4. Create the rule SalesNotExists using the following code:

    NOT EXISTS([Type == "http://temp/variable", Value =~ "RSDB-sales"]) => add(Type = "http://temp/sales", Value = "");

  5. Create the rule RedshiftDbGroups using the following code:

    c:[Type == "http://temp/marketing"] && c2:[Type == "http://temp/sales"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:RedshiftDbGroups", Value = c.Value + ":" + c2.Value);

  6. This will create a claim that looks like this:

    <Attribute Name="https://redshift.amazon.com/SAML/Attributes/PrincipalTag:RedshiftDbGroups"><AttributeValue>marketing:sales</AttributeValue></Attribute>
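The six rules above applied to a relying party trust from the AD FS PowerShell module, as an added example that is not part of the answer or the linked AWS post. The trust name `RedshiftQueryEditorV2` is a placeholder, and the first rule, which loads the user's AD group names into `http://temp/variable` through the built-in Active Directory store with a tokenGroups query, is my assumption about where that intermediate claim comes from; the answer does not show it.

```powershell
# Added example: build the issuance transform rule set from the answer and
# apply it to a relying party trust with Set-AdfsRelyingPartyTrust.
# Assumptions (not on the page): the trust display name below is a placeholder,
# and the "GroupsToTempVariable" rule that seeds http://temp/variable with the
# user's group names is the usual Active Directory store / tokenGroups pattern.

$trustName = 'RedshiftQueryEditorV2'   # placeholder: substitute the real trust display name

$rules = @'
@RuleName = "GroupsToTempVariable"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Marketing"
c:[Type == "http://temp/variable", Value =~ "(?i)^RSDB-marketing"]
 => add(Type = "http://temp/marketing", Value = RegExReplace(c.Value, "RSDB-", ""));

@RuleName = "MarketingNotExists"
NOT EXISTS([Type == "http://temp/variable", Value =~ "RSDB-marketing"])
 => add(Type = "http://temp/marketing", Value = "");

@RuleName = "Sales"
c:[Type == "http://temp/variable", Value =~ "(?i)^RSDB-sales"]
 => add(Type = "http://temp/sales", Value = RegExReplace(c.Value, "RSDB-", ""));

@RuleName = "SalesNotExists"
NOT EXISTS([Type == "http://temp/variable", Value =~ "RSDB-sales"])
 => add(Type = "http://temp/sales", Value = "");

@RuleName = "RedshiftDbGroups"
c:[Type == "http://temp/marketing"] && c2:[Type == "http://temp/sales"]
 => issue(Type = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:RedshiftDbGroups", Value = c.Value + ":" + c2.Value);
'@

# Keep a copy of the current policy so the change can be reverted.
$before = (Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
$before | Set-Content -Path ".\$trustName.issuance.backup.txt"

# Replace the trust's issuance transform rules with the set above.
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $rules

# Read back what AD FS stored; rule names and order are preserved.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

The two NotExists rules matter: the final rule joins `c` and `c2` with `&&`, so it only fires when both temporary claims exist, and a user who is in just one of the two groups would otherwise get no `RedshiftDbGroups` claim at all. Each additional group category needs its own add/NotExists pair and one more term in the final `+ ":" +` concatenation, which is why this pattern works for a fixed, known set of groups but not for the indeterminate membership list the question asks about, the limitation the other answer points at.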