0
votes

How do I iterate an AD attribute as a claims rule in ADFS?

More specifically, I'd like to check whether the user's proxyAddresses contains a predetermined domain, and if so, return that email as Name ID, else the user's main email.


2 Answers

0
votes

You would use regex on the claims rule to check for the domain and if there, issue the NameID claim.

Then use a "NOT EXISTS" rule.

So something like:

NOT EXISTS([Type == "http://contoso.com/NameID"])
=> add(Type = "http://contoso.com/hasNameID", Value = "No");

Sample Rule 2:

c1:[Type == "http://contoso.com/hasNameID"] &&
c2:[Type == "http://contoso.com/email"]
=> issue(Type = "http://contoso.com/email", Value = c2.Value);

Using the normal email claim type etc.

And about 10 minutes after writing this, I found this example that shows the solution in more detail.

0
votes

I played around a bit yesterday, and ended up with the following, which seems to work, but perhaps not the cleanest way?

Rule #1:

Regular attribute claim for Proxy-Addresses and User-Principal-Name

Rule #2:

c:[Type == "fake/proxyAddresses", Value =~ "(?i)@subdomain\.example\.com$"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = RegExReplace(c.Value, "(?i)^smtp:", ""));

Rule #3:

NOT EXISTS([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"])
 => add(Type = "fake/UseUPN", Value = "Yes");

Rule #4:

c1:[Type == "fake/UseUPN"]
 && c2:[Type == "fake/UPN"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c2.Value);
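Both answers rely on the same pipeline property: claim rules run in order, each rule sees every claim produced by the rules before it, `add` feeds later rules without sending anything to the relying party, and `NOT EXISTS` only fires once the regex rule has had its chance. The Python below is an added example, not code from either answer and not ADFS code; it models those semantics with the second answer's four rules over constructed sample users, so you can see the "iteration" happen (a multi-valued `proxyAddresses` becomes one claim per value, and the regex rule runs against each) and see the fallback to the UPN. The `fake/...` claim types are the answer's placeholders, the users are invented, and case-insensitive matching is an assumption here (the real rule should carry `(?i)` in the pattern, since Exchange writes the primary address as `SMTP:` and aliases as `smtp:`).

```python
import re

# Claim types from the second answer ("fake/..." are that answer's placeholders).
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
PROXY_ADDRESSES = "fake/proxyAddresses"
UPN = "fake/UPN"
USE_UPN = "fake/UseUPN"

# Constructed sample directory data for three hypothetical users (not real accounts).
# Exchange writes the primary address as "SMTP:" and aliases as "smtp:".
USERS = {
    "alice": {"upn": "alice@example.com",
              "proxyAddresses": ["SMTP:alice@subdomain.example.com",
                                 "smtp:alice@example.com"]},
    "bob":   {"upn": "bob@example.com",
              "proxyAddresses": ["SMTP:bob@example.com"]},
    "carol": {"upn": "carol@example.com",
              "proxyAddresses": ["SMTP:carol@subdomain.example.com",
                                 "smtp:c.smith@subdomain.example.com"]},
}

# Assumption: matching is case-insensitive, which is what the (?i) inline option
# gives the real rule regardless of the engine's default.
SUBDOMAIN_RE = re.compile(r"@subdomain\.example\.com$", re.IGNORECASE)
SMTP_PREFIX_RE = re.compile(r"^smtp:", re.IGNORECASE)


def rule1_ldap_attributes(user):
    """Rule #1: send proxyAddresses and UPN as claims. A multi-valued LDAP
    attribute becomes one claim per value, which is what makes rule #2 'loop'."""
    claims = [(PROXY_ADDRESSES, v) for v in user["proxyAddresses"]]
    claims.append((UPN, user["upn"]))
    return claims


def rule2_subdomain_nameid(input_claims):
    """Rule #2: for every proxyAddresses claim in the wanted domain, issue a
    NameID with the smtp: prefix stripped."""
    return [(NAMEID, SMTP_PREFIX_RE.sub("", v))
            for t, v in input_claims
            if t == PROXY_ADDRESSES and SUBDOMAIN_RE.search(v)]


def rule3_flag_no_nameid(input_claims):
    """Rule #3: NOT EXISTS(nameidentifier) -> add the UseUPN marker claim."""
    if any(t == NAMEID for t, _ in input_claims):
        return []
    return [(USE_UPN, "Yes")]


def rule4_upn_nameid(input_claims):
    """Rule #4: if the marker is present, issue the UPN as NameID."""
    if not any(t == USE_UPN for t, _ in input_claims):
        return []
    return [(NAMEID, v) for t, v in input_claims if t == UPN]


# (rule, statement) in pipeline order: 'issue' copies results to the output
# set, 'add' only makes them visible to later rules.
PIPELINE = [
    (rule2_subdomain_nameid, "issue"),
    (rule3_flag_no_nameid, "add"),
    (rule4_upn_nameid, "issue"),
]


def run_pipeline(user):
    """Model of ADFS issuance: rules run in order, each sees every claim
    produced so far (the input set); only 'issue' results reach the relying party."""
    input_claims = rule1_ldap_attributes(user)      # rule #1 is an issue rule
    output_claims = list(input_claims)
    for rule, statement in PIPELINE:
        produced = rule(input_claims)
        input_claims = input_claims + produced
        if statement == "issue":
            output_claims.extend(produced)
    return output_claims


def name_ids(user):
    """NameID values the relying party would receive for this user."""
    return [v for t, v in run_pipeline(user) if t == NAMEID]


if __name__ == "__main__":
    for name, user in USERS.items():
        ids = name_ids(user)
        note = "  <-- more than one NameID; most SPs reject this" if len(ids) > 1 else ""
        print(f"{name}: {ids}{note}")
```

Running it shows the caveat the four-rule approach leaves open: a user with two addresses in the target domain (carol) gets two `nameidentifier` claims, because rule #2 issues once per matching value and nothing in the rule set picks one. If that can happen in your directory, tighten the regex to the primary address only (`^SMTP:` with case-sensitive matching) or otherwise guarantee a single match before the token is built.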