
My client's claims issuance rules for a relying trust don't include this claim, but it ends up in the outgoing claims and crashes Okta: http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser

They have this as a Custom Rule on the Relying Trust for my app:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("userName", "firstName", "lastName", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName,givenName,sn,mail,userPrincipalName;{0}", param = c.Value);

During an IdP-initiated SAML login, AD FS is sending http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser as well. It appears to be related to device registration, Device Context, and AD FS MFA.

The customer uses these claims for other Relying Trusts, so I can't remove them entirely.

Is there a way to disable passing through these claims on a specific Relying Trust?

How can I remove or delete a specific outgoing claim?

Alain O'Dea

1 Answer

You don't control the ADFS you're talking about, do you? It's a third party's (the third party being the client you're developing the app for), isn't it?

ADFS lets you (resp. the admin) define several Relying Party Trusts (RPT). You can then define individual Issuance Transform Rules for each RPT. So if there's a distinct RPT defined for your app, then stopping the unwanted claim from being issued should be as simple as removing that claim from the Issuance Transform Rules of the RPT defined for your app.

You mentioned that this claim is relevant for other relying parties. As long as there are other RPTs defined for those RPs (and the claim stays included in their Issuance Transform Rules), everything should be fine.

Do you have access to the complete Issuance Transform Rules for your app? Could you post them here (without disclosing confidential information)? Maybe this could help clarify your case.

khlr
  • This isn’t the right answer, but it’s thoughtful and useful. – Alain O'Dea Feb 25 '18 at 17:03
  • I don’t control the AD FS. The Issuance Transform Rules don’t include the attributes in question. They appear to be implicit. – Alain O'Dea Feb 25 '18 at 17:03
  • Claim rule language on the Relying Party: `c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("userName", "firstName", "lastName", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail,givenName,sn,mail,mail;{0}", param = c.Value);` – Alain O'Dea Feb 25 '18 at 17:06
  • To clarify, while I don’t control the AD FS, my customer has been gladly changing the Issuance Transform Rules in various ways at my recommendation to attempt to fix this. – Alain O'Dea Feb 25 '18 at 17:13
  • 1
    So the Issuance Transform Rules just consist of that single rule? – khlr Feb 25 '18 at 17:54
  • Yes, that’s correct. At least for that specific Relying Trust. It appears to inherit rules for Device Registration from somewhere, but I can’t find where. – Alain O'Dea Feb 26 '18 at 21:30
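Added example, not part of the question, the answer, or any vendor documentation: the answer says each Relying Party Trust (RPT) carries its own Issuance Transform Rules, and the comments say the unwanted device-context claim is not referenced in the RPT's single rule. The PowerShell below, run on the AD FS server, searches every rule set AD FS exposes through its cmdlets (each RPT's issuance, authorization, delegation and additional-authentication rules, each claims provider trust's acceptance rules, and the global additional-authentication rule) for a claim type, then pins the app's RPT to exactly the rule from the question. The RPT display name "My App" and the helper name `Find-AdfsClaimIssuer` are assumptions made here. One caveat worth knowing: claim rule language has `issue` and `add` statements but no statement that removes a claim from the outgoing set, so the only way to keep a claim out of a token is to make sure no rule set in the pipeline issues it.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session
# on the AD FS server (AD FS 2012 R2 or later; on AD FS 2.x the cmdlets live in the
# Microsoft.Adfs.PowerShell snap-in and some properties below do not exist).
Import-Module ADFS

$ClaimType = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser'
$RptName   = 'My App'   # assumption: display name of the Relying Party Trust for the app

function Find-AdfsClaimIssuer {
    # Returns one object per rule set whose text mentions $ClaimType, so the admin can
    # see whether the claim is issued by the RPT itself, by a claims provider trust's
    # acceptance rules, or by the global additional-authentication (MFA) rule.
    param([Parameter(Mandatory)][string]$ClaimType)

    $hits = @()
    foreach ($rpt in Get-AdfsRelyingPartyTrust) {
        foreach ($prop in 'IssuanceTransformRules', 'IssuanceAuthorizationRules',
                          'DelegationAuthorizationRules', 'AdditionalAuthenticationRules') {
            $rules = $rpt.$prop
            if ($rules -and $rules.Contains($ClaimType)) {
                $hits += [pscustomobject]@{ Scope = "RelyingPartyTrust:$($rpt.Name)"; RuleSet = $prop }
            }
        }
    }
    foreach ($cpt in Get-AdfsClaimsProviderTrust) {
        $rules = $cpt.AcceptanceTransformRules
        if ($rules -and $rules.Contains($ClaimType)) {
            $hits += [pscustomobject]@{ Scope = "ClaimsProviderTrust:$($cpt.Name)"; RuleSet = 'AcceptanceTransformRules' }
        }
    }
    if (Get-Command Get-AdfsAdditionalAuthenticationRule -ErrorAction SilentlyContinue) {
        $global = Get-AdfsAdditionalAuthenticationRule
        if ($global -and $global.Contains($ClaimType)) {
            $hits += [pscustomobject]@{ Scope = 'Global'; RuleSet = 'AdditionalAuthenticationRule' }
        }
    }
    return $hits
}

# 1. Where is the claim type referenced at all?
Find-AdfsClaimIssuer -ClaimType $ClaimType | Format-Table -AutoSize

# 2. Show exactly what the app's RPT currently issues.
(Get-AdfsRelyingPartyTrust -Name $RptName).IssuanceTransformRules

# 3. Pin the RPT's Issuance Transform Rules to the single rule from the question.
#    There is no "remove claim" statement in claim rule language; a claim stays out
#    of the token only if no rule set issues it.
$rules = @'
@RuleName = "AD attributes for My App"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("userName", "firstName", "lastName", "email",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";userPrincipalName,givenName,sn,mail,userPrincipalName;{0}",
          param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName $RptName -IssuanceTransformRules $rules

# 4. Confirm that this RPT's own rule set no longer references the device-context namespace.
if (-not ((Get-AdfsRelyingPartyTrust -Name $RptName).IssuanceTransformRules -match 'devicecontext')) {
    Write-Host "No device-context claim is issued by the rule set of '$RptName'."
}
```

If step 1 reports the claim only under a claims provider trust's AcceptanceTransformRules or the global AdditionalAuthenticationRule, that is a rule set shared by every RPT, which matches the "inherited from somewhere" observation in the comments; the per-RPT fix is still to leave the claim out of this RPT's issuance rules, while the shared rule sets are left alone so the other relying parties keep receiving it.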