2

I have a system where we are using ADFS as the identity provider to provide single sign-on to a WIF-based .NET application. All works well and we are able to pass all the claims we need; for example, here is the rule to pass the last name:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
Issuer == "AD AUTHORITY"]  
=> issue(store = "Active Directory", 
types = ("http://example.com/identity/claims/portal/lastname"), 
query = ";sn;{0}", param = c.Value);

However, now I need to add two rules that I have trouble with: the first is to pass the SID and the other is to pass the SAM account name (domain\user). They do not exist in the predefined list in the ADFS claim configuration wizard, and I was trying to write custom rules for those, but I cannot get them to work.

Could you point me to a reference on how I could extract those properties, if it is indeed possible?

I apologize if I messed up some nomenclature; I usually work on the code side of things, foraying into AD only if I have no other choice :) All corrections are welcome.

Sebastian K

2 Answers

3

Pass the objectGUID instead of the SID to get a truly immutable ID for an AD object.

Something similar to:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
  => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";objectGUID;{0}", param = c.Value);
Jim B
2

OK, I managed to figure it out after finding this page. I was basically using incorrect attribute names; in my case I should have been using objectSid and sAMAccountName. To my surprise, the latter does not come with the domain part either. So in case it helps anybody else, here is a sample rule passing the SID as a claim:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
Issuer == "AD AUTHORITY"]  
=> issue(store = "Active Directory", 
types = ("http://example.com/identity/claims/portal/sid"), 
query = ";objectSid;{0}", param = c.Value);
Sebastian K
  • Why would you need to pass the SID, since the user is already authenticated at this point? – Jim B Mar 24 '15 at 20:54
  • The reason is that I need an immutable unique user identifier that the related party application can use. Initially I was thinking of using the user logon name, but as I understand it, that can change. – Sebastian K Mar 24 '15 at 21:10
  • What you really want then is objectGUID, not the SID; not only can the SID change, but it can be multiple values. – Jim B Mar 24 '15 at 23:57
  • Ah, interesting, I did not know that. Could you make it an answer? Then I can accept it. I agree it seems much better suited for this purpose. I will try to see if it would work in a rule. – Sebastian K Mar 25 '15 at 00:13
  • But beware - http://nzpcmad.blogspot.co.nz/2013/01/adfs-objectguid-as-claim.html – rbrayb Mar 25 '15 at 01:42
  • Oh, I see, it is Base64 encoded. That should not be an issue. – Sebastian K Mar 25 '15 at 13:29
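The comments end on the point that the objectGUID arrives in the token Base64-encoded, and the accepted answer recommends keying users on it rather than on the logon name or SID. The following is an added example, not code from the thread or from ADFS, showing what the relying party has to do with those claim values: decode the Base64 objectGUID into the GUID that AD tools display (the byte order is the little-endian one that .NET's Guid(byte[]) also assumes), and handle an objectSid claim in either its S-1-... string form or, as an assumption not stated on the page, a Base64 binary form. The claim type URI is the nameidentifier type from Jim B's rule; the sample GUID and SID values are constructed for the example.

```python
import base64
import re
import struct
import uuid

# Claim type from the accepted answer's rule: objectGUID issued as nameidentifier.
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# SDDL string form of a SID: S-1-<authority>-<sub-authority>...
SDDL_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def objectguid_claim_to_guid(value: str) -> uuid.UUID:
    """Decode the Base64 objectGUID claim into a GUID.

    AD stores objectGUID as 16 raw bytes and ADFS emits them Base64-encoded.
    The first three GUID fields are little-endian in those bytes, which is
    what uuid.UUID(bytes_le=...) and .NET's Guid(byte[]) both expect, so the
    result matches the GUID shown for the object in AD tools.
    """
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError(f"objectGUID must decode to 16 bytes, got {len(raw)}")
    return uuid.UUID(bytes_le=raw)


def binary_sid_to_sddl(raw: bytes) -> str:
    """Decode a binary SID structure into its S-1-... string form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 4-byte little-endian
    sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-1-" + "-".join(str(part) for part in (authority, *subs))


def normalize_objectsid_claim(value: str) -> str:
    """Return the objectSid claim as an SDDL string.

    Assumption (not stated on the page): the value may arrive either already
    as an S-1-... string or, like objectGUID, as Base64 of the raw bytes.
    """
    if SDDL_SID_RE.match(value):
        return value
    return binary_sid_to_sddl(base64.b64decode(value, validate=True))


def user_key_from_claims(claims: dict) -> str:
    """Pick the stable key for a user from the token's claims.

    Follows the accepted answer: key on the objectGUID (issued as
    nameidentifier) rather than on the logon name or the SID.
    """
    try:
        value = claims[NAMEID_CLAIM]
    except KeyError:
        raise ValueError("token carries no nameidentifier claim") from None
    return str(objectguid_claim_to_guid(value))


# Constructed sample values (not taken from the thread).
SAMPLE_GUID_TEXT = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
SAMPLE_OBJECTGUID_CLAIM = base64.b64encode(
    uuid.UUID(SAMPLE_GUID_TEXT).bytes_le
).decode("ascii")
SAMPLE_SID_TEXT = "S-1-5-21-1004336348-1177238915-682003330-1112"
SAMPLE_SID_BYTES = (
    bytes([1, 5])                      # revision 1, five sub-authorities
    + (5).to_bytes(6, "big")           # NT authority
    + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1112)
)
SAMPLE_OBJECTSID_BINARY_CLAIM = base64.b64encode(SAMPLE_SID_BYTES).decode("ascii")

if __name__ == "__main__":
    print(user_key_from_claims({NAMEID_CLAIM: SAMPLE_OBJECTGUID_CLAIM}))
    print(normalize_objectsid_claim(SAMPLE_SID_TEXT))
    print(normalize_objectsid_claim(SAMPLE_OBJECTSID_BINARY_CLAIM))
```

The length check in objectguid_claim_to_guid is what catches a rule that was wired to the wrong attribute (a last name or SAM account name will not decode to exactly 16 bytes), so the relying party rejects the token instead of storing a bad key.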