
We have a need to pass on a claim from ADFS 4.0 to a relying party based on the combination of Active Directory employee Id attribute and OU membership. I guess the best practice could be to use security group membership, but in our case groups are just not set up exactly right, hence this need.

For instance, if a person with employee Id VX224400 (the employeeId AD attribute is set to VX224400) is present in the OU OU=SAXTechs,DC=london,DC=fabrikam,DC=com, then the claim "LondonSAXTechs" should be added to the list of role claims being passed to the RP.

In other words, the following should be in the list of claims on RP side:

http://schemas.microsoft.com/ws/2008/06/identity/claims/role | LondonSAXTechs

Not exactly sure how to do this using the claims rule language. Any help appreciated.

joym8

1 Answer


The claim which you want in the token has no dependency on employee ID. As you have mentioned: "then the claim "LondonSAXTechs" should be added to the list of role claims being passed to RP." Also, the example of the OU which you have mentioned can vary a lot. There can be OUs inside the London OU as well. Now creating a rule for this requirement is not that hard, but the input should be constant. To explain it further, if we trim the last two values for your example, you will get the expected result. But if there is one more OU inside London, then the claim will not be generated properly.
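As an added example (not code from the question or the answer above), the following PowerShell script builds two custom claim rules in the ADFS claim rule language and appends them to a relying party trust. The first rule pulls employeeID and distinguishedName from the Active Directory attribute store into two carrier claims; the second issues the role claim only when both the employee ID and the DN suffix match. The relying party name, the carrier claim type URIs and the sample DNs are assumptions made up for this example. Matching on the DN suffix with a regular expression instead of trimming a fixed number of components is what deals with the nested-OU case the answer raises: any object whose DN ends with the target OU matches, however many OUs sit between the CN and SAXTechs.

```powershell
# Added example, not from the original post. Assumes an ADFS 4.0 (Windows Server
# 2016) farm and a relying party trust with the display name below.
$rpName = "Fabrikam Portal"   # assumed RP trust name

# Carrier claim types used only to move attribute values between rules.
# These URIs are assumed names chosen for this example, not standard ADFS claim types.
$employeeIdType = "http://fabrikam.com/claims/employeeid"
$dnType         = "http://fabrikam.com/claims/distinguishedname"
$roleType       = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Anchored suffix regex: matches objects directly in OU=SAXTechs and in any OU
# nested below it (e.g. OU=Interns,OU=SAXTechs,...). To require direct
# membership only, use '^CN=[^,]+,OU=SAXTechs,DC=london,DC=fabrikam,DC=com$'
# (note that a CN containing an escaped comma would then need a stricter pattern).
$ouSuffix = ",OU=SAXTechs,DC=london,DC=fabrikam,DC=com$"

# Claim rules in the ADFS claim rule language. PowerShell expands the $variables
# inside this double-quoted here-string before the text reaches ADFS.
$rules = @"
@RuleName = "Fetch employeeID and distinguishedName from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$employeeIdType", "$dnType"), query = ";employeeID,distinguishedName;{0}", param = c.Value);

@RuleName = "Issue LondonSAXTechs role for VX224400 in the SAXTechs OU"
c1:[Type == "$employeeIdType", Value == "VX224400"]
 && c2:[Type == "$dnType", Value =~ "(?i)$ouSuffix"]
 => issue(Type = "$roleType", Value = "LondonSAXTechs");
"@

# Check the regex locally against constructed sample DNs before touching ADFS.
$sampleDns = @(
    "CN=VX224400,OU=SAXTechs,DC=london,DC=fabrikam,DC=com",             # direct member: match
    "CN=VX224400,OU=Interns,OU=SAXTechs,DC=london,DC=fabrikam,DC=com",  # nested OU: match
    "CN=VX224400,OU=SAXTechs,DC=paris,DC=fabrikam,DC=com"               # other domain: no match
)
foreach ($dn in $sampleDns) {
    "{0,-5} {1}" -f ($dn -match "(?i)$ouSuffix"), $dn
}

# -IssuanceTransformRules replaces the whole rule set, so read the existing
# rules first and append the new ones rather than overwriting them.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$merged = ($rp.IssuanceTransformRules, $rules) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $merged

# Verify what ADFS stored.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Run it on an ADFS server as a user with ADFS administration rights. The add() rule uses the user's windowsaccountname claim as the query parameter, which is the standard way to query the Active Directory attribute store; the carrier claims never reach the relying party because only the issue() rule emits into the token.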