Why can't I transform this claim with AD FS?

Question

I have an IP-STS which is issuing a claim that contains an ampersand. Using AD FS on a claims provider trust, I can't seem to transform it. If I remove the ampersand from the claim, it transforms correctly.

What is the correct syntax to transform the claim?

Incoming claim:

<saml:Attribute AttributeName="facid" AttributeNamespace="http://esat.to/identity/claims/fwltc">
  <saml:AttributeValue>Foo's Pharmacy &amp; Rehab (555-123-4567)</saml:AttributeValue>
</saml:Attribute>

Transform rule (does not match):

c:[Type == "http://esat.to/identity/claims/fwltc/facid", Value == "Foo's Pharmacy & Rehab (555-123-4567)"]
 => issue(Type = "http://esat.to/identity/claims/fwltc/facid", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "FOO", ValueType = c.ValueType);

Transform rule #2 (also does not match):

c:[Type == "http://esat.to/identity/claims/fwltc/facid", Value == "Foo's Pharmacy &amp; Rehab (555-123-4567)"]
 => issue(Type = "http://esat.to/identity/claims/fwltc/facid", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "FOO", ValueType = c.ValueType);

score 0 · Answer 1 · answered Apr 08 '19 at 21:39

For some reason, the ampersand prevents AD FS from matching. If you use the UI to generate a transform, you will find that AD FS produces a regex match:

c:[Type == "http://esat.to/identity/claims/fwltc/facid", Value =~ "^(?i)Foo's\ Pharmacy\ &\ Rehab\ \(555-123-4567\)$"]
 => issue(Type = "http://esat.to/identity/claims/fwltc/facid", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "FOO", ValueType = c.ValueType);

This produces the same effect, but avoids the problem with matching an ampersand.

Why can't I transform this claim with AD FS?

1 Answers1