0
votes

I am trying to get a Custom Attribute of a Group in Custom Claim rule.

The problem is no matter what I do, it always queries against User.

Here is what my Custom Claim Rule looks like:

//Rule to get all the Groups user is part of:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

//Rule to fetch url attribute that is on the Group.

c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => add(store = "Active Directory", types = ("http://temp/urlsOnGroup"), query = ";url;{0}", param = c.Value);

When this executes, I see an error in the event log on the AD FS Server which states that it is trying to find a User with the GroupName.

How do I specify this Rule so that the last query happens against the Group Name instead of User?

Error Message:

Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: 
POLICY0018: Query ';url;{0}' to attribute store 'Active Directory' failed: 
'POLICY3826: User name 'GroupName' in LDAP query ';url;GroupName' is not in the 
required 'domain\user' format. POLICY3824: The LDAP query to the Active 
Directory attribute store must have three parts separated by semicolons. The 
first part is the LDAP query filter, the second part is a comma-separated list 
of LDAP attribute names, and the third part is the user name in 'domain\user' 
format.'. ---> 
Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.AttributeStoreQueryF
ormatException: POLICY3826: User name 'GroupName' in LDAP query ';url;GroupName' 
is not in the required 'domain\user' format. POLICY3824: The LDAP query to the 
Active Directory attribute store must have three parts separated by semicolons. 
The first part is the LDAP query filter, the second part is a comma-separated 
list of LDAP attribute names, and the third part is the user name in 
'domain\user' format.

I want to avoid writing a Custom Attribute Store if possible. I have already done that, but I am trying to find a native way to query against AD Security Groups.

1 Answer

0
votes

The required format is e.g.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ou"] => issue(store = "Active Directory", types = ("http://schemas.company.co.nz/claims/guid"), query = "(ou={0});objectGuid;domain\user", param = c.Value);

The "domain" needs to be the domain for ADFS. The "user" can be anything.

Note the rule is free-form, so it may have format errors, but you get the idea!
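The error in the question is AD FS enforcing the three-part shape of an "Active Directory" attribute-store query (filter;attributes;domain\user) after it substitutes {0} with the param value. The following checker, added here as an illustration and not part of the thread or of AD FS itself, performs that same substitution and validation offline on the three rules from this page (the two from the question and a corrected form of the second one built the way the answer describes). The corrected rule's filter attribute `cn` and the third part `EXAMPLE\anyuser` are assumptions/placeholders: the domain must be the AD FS domain and the user can be any name, as the answer states.

```python
import re
from dataclasses import dataclass

# Constructed sample rules, copied from the question in this thread.
RULE_GROUPS = (
    'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", '
    'Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", '
    'types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);'
)
RULE_BROKEN = (
    'c:[Type == "http://schemas.xmlsoap.org/claims/Group"] => add(store = "Active Directory", '
    'types = ("http://temp/urlsOnGroup"), query = ";url;{0}", param = c.Value);'
)
# Corrected form following the answer: an explicit LDAP filter on the group object
# and a fixed domain\user in the third part. "cn" as the group-name attribute is an
# assumption; "EXAMPLE\anyuser" is a placeholder for <AD FS domain>\<any user>.
RULE_FIXED = (
    'c:[Type == "http://schemas.xmlsoap.org/claims/Group"] => add(store = "Active Directory", '
    'types = ("http://temp/urlsOnGroup"), query = "(cn={0});url;EXAMPLE\\anyuser", param = c.Value);'
)

QUERY_RE = re.compile(r'query\s*=\s*"([^"]*)"')
# Third part must be exactly one "domain\user" token: no extra backslashes or semicolons.
USER_RE = re.compile(r"^[^\\;]+\\[^\\;]+$")


@dataclass
class QueryCheck:
    ok: bool
    code: str            # "" on success, else the AD FS policy error id it would raise
    ldap_filter: str = ""
    attributes: tuple = ()
    user: str = ""


def extract_query(rule: str) -> str:
    """Pull the query = "..." string out of a claim rule."""
    m = QUERY_RE.search(rule)
    if not m:
        raise ValueError('rule has no query = "..." clause')
    return m.group(1)


def check_query(query: str, param: str) -> QueryCheck:
    """Substitute {0} as AD FS does, then validate the three-part query shape."""
    substituted = query.replace("{0}", param)
    parts = substituted.split(";")
    # A param value containing ';' also changes the part count, so it is caught here.
    if len(parts) != 3:
        return QueryCheck(False, "POLICY3824")
    ldap_filter, attrs, user = parts
    attributes = tuple(a.strip() for a in attrs.split(",") if a.strip())
    if not USER_RE.match(user):
        # This is the case from the question: the group name lands in the user slot.
        return QueryCheck(False, "POLICY3826", ldap_filter, attributes, user)
    return QueryCheck(True, "", ldap_filter, attributes, user)


def check_rule(rule: str, param: str) -> QueryCheck:
    return check_query(extract_query(rule), param)


if __name__ == "__main__":
    # Constructed claim values: a domain\user for the first rule, a group name for the others.
    print(check_rule(RULE_GROUPS, "EXAMPLE\\alice"))
    print(check_rule(RULE_BROKEN, "GroupName"))
    print(check_rule(RULE_FIXED, "GroupName"))
```

Running it shows the first rule passing (the windowsaccountname claim already has the domain\user shape), the second failing with POLICY3826 exactly as the event log reports, and the corrected rule passing with the group name moved into the LDAP filter where it belongs.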