I need to grant a claim to everyone not matching a particular LDAP attribute. I want to use a regex with a negative lookahead to perform this "not" clause:

c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value =~ "^(?!Test User).*$"]
 => issue(Type = "http://goofyclaim", Value = "youre not a tester");

The above rule doesn't seem to get satisfied by my test users. Is something wrong with the regex, or does ADFS 4.0 not support it? I don't see any errors in the ADFS event logs.

This is Windows Server 2016 on a Windows Server 2012 R2 AD domain.

For reference, this rule does work:

c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value =~ "(?i)^Test User1"]  
 => issue(Type = "http://somethignelseentreily", Value = "imispellwhendriving");
BozoJoe

2 Answers


First, I needed to use the REGEXP_NOT_MATCH operator (found here: ADFS rules language terminals):

!~

Next, I had to restructure the regex mode modifier a little, by having the case-insensitivity flag inside the ^ identifier:

c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value !~ "^(?i)Test User"]
 => issue(Type = "http://somethignelseentreily", Value = "imispellwhendriving");
BozoJoe
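Added example, not code from the question or from either answer: a PowerShell script that checks the page's three patterns (the question's lookahead rule, the rule that did work, and the `!~` form from the answer above) against constructed sample names using .NET's Regex class, which is the engine behind ADFS's `=~` and `!~`, and then builds the answer's rule text and applies it with Set-AdfsRelyingPartyTrust when the ADFS module is present. The sample names, the relying party name 'Example RP', the @RuleName text and the assumption that ADFS evaluates with RegexOptions.None are all mine; the script cannot tell you whether the ADFS rule parser itself accepts a given pattern, only how the regex behaves.

```powershell
# Added example (not from the original post): evaluate the claim-rule regexes
# offline with .NET's Regex class, then build and (on an ADFS server) apply the
# rule the accepted answer settled on. Names, relying party and rule name are
# constructed/assumed for illustration.

# Constructed sample values for the "name" claim.
$names = @('Test User1', 'test user2', 'Tester Ann', 'Alice Smith', 'Bob')

# The three patterns that appear on the page.
$lookahead = '^(?!Test User).*$'   # question: =~ with a negative lookahead
$positive  = '(?i)^Test User1'     # question: the rule that did work
$notMatch  = '^(?i)Test User'      # answer: used with !~ (REGEXP_NOT_MATCH)

function Test-ClaimRegex {
    param([string]$Value, [string]$Pattern, [switch]$Negate)
    # =~ is "regex matches"; !~ is REGEXP_NOT_MATCH. RegexOptions.None is an
    # assumption about ADFS's defaults; case folding comes only from the
    # inline (?i) in the pattern, exactly as in the rule text.
    $hit = [System.Text.RegularExpressions.Regex]::IsMatch($Value, $Pattern)
    if ($Negate) { -not $hit } else { $hit }
}

# One row per name: would each rule's condition fire for this user?
$names | ForEach-Object {
    [pscustomobject]@{
        Name                 = $_
        '=~ lookahead'       = Test-ClaimRegex $_ $lookahead
        '=~ (?i)^Test User1' = Test-ClaimRegex $_ $positive
        '!~ ^(?i)Test User'  = Test-ClaimRegex $_ $notMatch -Negate
    }
} | Format-Table -AutoSize

# Rule text from the accepted answer, ready for Set-AdfsRelyingPartyTrust.
# The @RuleName line is an assumed label, not part of the original post.
$rule = @'
@RuleName = "Issue goofyclaim to non-testers"
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value !~ "^(?i)Test User"]
 => issue(Type = "http://goofyclaim", Value = "youre not a tester");
'@

# Apply only where the ADFS cmdlets exist (i.e. on the federation server).
# 'Example RP' is an assumed relying party trust name.
if (Get-Command Set-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue) {
    Set-AdfsRelyingPartyTrust -TargetName 'Example RP' -IssuanceTransformRules $rule
    (Get-AdfsRelyingPartyTrust -Name 'Example RP').IssuanceTransformRules
}
```

Run it on any machine with PowerShell to get the table; the 'test user2' row is the one to look at, because the case-sensitive lookahead lets a lowercase tester through while the `!~ "^(?i)Test User"` form does not. Note that -IssuanceTransformRules replaces the relying party's whole issuance transform rule set, so on a trust that already has rules, append this rule to the text returned by Get-AdfsRelyingPartyTrust instead of pasting it alone.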

(Leaving my other answer so others can see it's not the right answer.)

NOT EXISTS([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value =~ "^Test User"])
 => issue(Type = "http://somethignelseentreily", Value = "all");
BozoJoe