I have a question regarding claim rules and how they are processed in ADFS. As per my understanding after reading [this](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-the-claims-engine), there are three parts of claim rule execution: initialisation (the input claims set is created and the input claims are placed there), execution of the conditions and rules in a claim rule, and issuance of claims to a relying party. What I am trying to understand is: if there is only the default claims provider trust, i.e. AD, and a user logs in trying to do IdP-initiated SAML, then at the initial phase, is the input claim set populated with all the attributes of the user in AD? Before the execution process starts, who or what decides what will be present in the input claims?
1 Answer
At logon time the claim rules on the claims provider (AD in your case) decide what's available in the pipeline. Not all user attributes populated in AD for the user are read. E.g. if mobile is populated it won't be read and mapped to some claim. So after credentials are validated the AcceptanceTransformRules on the claims
After logon, IssuanceAuthorizationRules are used to decide whether to issue claims or not. Assuming you get past this stage with at least one permit and zero denies, you move on to the issuance transform rules processing stage on the relying party.
When the IssuanceTransformRules defined on the relying party are executed and you choose to issue a claim that uses an AD attribute such as mobile, you can choose to issue a claim like http://myorg.com/mobile with the mobile attribute value. The LDAP queries that use the AD attribute store are executed at this point. You can also choose to use incoming claims added at logon time as input at this stage to decide what to add/issue to the pipeline.
Once all the IssuanceTransformRules are processed, based on what you choose to explicitly pass through, claims added to the pipeline at the claims provider trust level may or may not be sent to the relying party.
Use https://adfshelp.microsoft.com/ClaimsXray/TokenRequest to play with different combinations of rules on the CP and RP trust levels to further your understanding.

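The three stages described in the answer above, written out as an added PowerShell example (not part of the original question or answer): the acceptance transform rules on the "Active Directory" claims provider trust are inspected, then an issuance authorization rule and two issuance transform rules are set on a relying party trust. The relying party name "MyOrg Portal", the group SID, and the claim type http://myorg.com/mobile are assumptions for illustration; the cmdlets and the claim rule language syntax are the standard ADFS ones.

```powershell
# Added example, not the original poster's configuration.
# Assumes an ADFS server with the ADFS PowerShell module and an existing
# relying party trust named "MyOrg Portal" (hypothetical name).
Import-Module ADFS

$rpName   = "MyOrg Portal"                                  # hypothetical RP trust
$groupSid = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical AD group SID

# Stage 1: what enters the pipeline at logon is decided by the acceptance
# transform rules on the claims provider trust (AD). Inspect the defaults
# rather than overwriting them; note that "mobile" is not among them.
(Get-AdfsClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules

# Stage 2: issuance authorization rules on the RP. The request proceeds only
# if at least one permit claim is issued and no deny claim is issued.
$authzRules = @'
@RuleName = "Permit members of the portal access group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Stage 3: issuance transform rules on the RP.
#  - The UPN is already in the pipeline from stage 1; it reaches the token
#    only because this rule explicitly passes it through.
#  - "mobile" was never read at logon, so it is fetched now from the
#    Active Directory attribute store, keyed on the incoming
#    windowsaccountname claim (query format: "<ldap filter>;<attributes>;<domain\user>").
$transformRules = @'
@RuleName = "Pass through UPN from the pipeline"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Issue mobile from the AD attribute store"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://myorg.com/mobile"), query = ";mobile;{0}", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Verify what was stored on the RP trust.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, IssuanceAuthorizationRules, IssuanceTransformRules
```

Anything in the pipeline that no issuance transform rule passes through (for example the groupsid claims that the authorization rule consumed) is dropped before the token is built, which is the behaviour the last paragraph of the answer describes. Run the same user through the Claims X-Ray relying party linked above, first with only the UPN pass-through rule and then with the attribute store rule added, to see the difference in the issued token.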