Here are some quick ADFS claim rules for a few specific requests. Remember to create the rules in the order given: each later rule matches on the intermediate claims that the earlier rules add, so the order matters.
Case 1
Get the user's group membership, including nested groups (groups of groups), keep only the groups whose name begins with "Group-XX", and send them as role claims:
Rule 1 (query tokenGroups for the user; tokenGroups already expands nested membership, and add, rather than issue, keeps the Group claims internal to the rule set):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
Rule 2 (keep only the groups whose name starts with Group-XX, case-insensitively, and issue them as role claims):
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)^Group-XX"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
Note that tokenGroups returns the bare group name; if you query tokenGroups(domainQualifiedName) instead, the values are DOMAIN\name and the regex in Rule 2 has to account for the prefix.
Case 2 (Update 13/09/2016: apologies, I had uploaded the wrong rules initially; they are now correct)
Get the user's cross-forest security group membership from the TESTDOMAIN domain, including nested groups, keep only the groups whose name begins with "Group-XX", and send them as role claims. Before you set these rules, remember to give the ADFS service account access to read the foreign group membership (the memberOf attribute of the ForeignSecurityPrincipal objects) of the domain you are querying, as detailed here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/bda33eb9-ff6e-4e79-967d-f5430ade7310/give-access-to-account-to-view-member-of-attribute-on-foreign-security-principal?forum=winserverDS
- Replace TESTDOMAIN with the NetBIOS name of the domain you are querying, i.e. the other forest's domain that holds the groups, not the domain the ADFS server is in. The third segment of each query ("TESTDOMAIN\username") is what selects that domain; the username part is ignored, so any value works there.
- Replace Group-XX with the beginning of the group name(s) you are looking for; it is a regular expression, so you can customize it to your needs. Alternatively, remove `, Value =~ "(?i)^Group-XX"` from Rule 5 and it will issue all groups.
Rule 1 (find the object in TESTDOMAIN whose objectSid equals the user's SID, which is the user's ForeignSecurityPrincipal, and keep its distinguished name):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://TESTDOMAIN/phase1"), query = "objectSid={0};distinguishedName;TESTDOMAIN\username", param = c.Value);
Rule 2 (every group in TESTDOMAIN whose member attribute contains that DN directly or through nested groups; 1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN matching rule):
c:[Type == "http://TESTDOMAIN/phase1"]
=> add(store = "Active Directory", types = ("http://TESTDOMAIN/phase2"), query = "(member:1.2.840.113556.1.4.1941:={0});distinguishedName;TESTDOMAIN\username", param = c.Value);
Rule 3 (cut each group DN at its first comma, leaving "CN=<name>"):
c:[Type == "http://TESTDOMAIN/phase2"]
=> add(Type = "http://TESTDOMAIN/phase3", Value = regexreplace(c.Value, ",[^\n]*", ""));
Rule 4 (strip the leading "CN="):
c:[Type == "http://TESTDOMAIN/phase3"]
=> add(Type = "http://TESTDOMAIN/phase4", Value = regexreplace(c.Value, "^CN=", ""));
Rule 5 (filter on the group name and issue it as a role claim):
c:[Type == "http://TESTDOMAIN/phase4", Value =~ "(?i)^Group-XX"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
Two things to keep in mind. The phase1 to phase4 claims are created with add, not issue, so they never reach the relying party; only the role claims from Rule 5 do. And Rules 3 and 4 give you the group's CN, which usually but not necessarily matches its sAMAccountName, and a CN that itself contains an escaped comma (for example CN=Group-XX\, Finance) is truncated at that comma.
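As an added example (not code from the original post), the PowerShell below assembles the five Case 2 rules for a chosen domain and group prefix into one rule-set string, reproduces the regexreplace steps of Rules 3 and 4 so the name extraction can be checked offline against sample DNs (including the escaped-comma case), and wraps the two live steps: verifying that the service account can read the foreign groups with the RSAT ActiveDirectory module, and applying the rules with Set-AdfsRelyingPartyTrust. The domain TESTDOMAIN, the relying party name "Contoso App", the sample DNs and the SID are assumptions constructed for illustration.

```powershell
# Added example, not code from the original post. Assumed names: TESTDOMAIN,
# the relying party "Contoso App", and the constructed sample DNs and SID below.

function New-CrossForestGroupRuleSet {
    param(
        [Parameter(Mandatory)][string]$ForeignDomain,  # NetBIOS name of the domain that holds the groups
        [string]$GroupPrefix = 'Group-XX'              # regex anchored at the start of the group name; '' = all groups
    )
    # Rule 5 only carries the Value filter when a prefix was given.
    $filter = if ($GroupPrefix) { ", Value =~ `"(?i)^$GroupPrefix`"" } else { '' }
    $role   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    $sid    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
    # phase1..phase4 are private intermediate claims: 'add' keeps them out of the token,
    # only the final 'issue' reaches the relying party.
    @"
c:[Type == "$sid", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://$ForeignDomain/phase1"), query = "objectSid={0};distinguishedName;$ForeignDomain\username", param = c.Value);
c:[Type == "http://$ForeignDomain/phase1"]
 => add(store = "Active Directory", types = ("http://$ForeignDomain/phase2"), query = "(member:1.2.840.113556.1.4.1941:={0});distinguishedName;$ForeignDomain\username", param = c.Value);
c:[Type == "http://$ForeignDomain/phase2"]
 => add(Type = "http://$ForeignDomain/phase3", Value = regexreplace(c.Value, ",[^\n]*", ""));
c:[Type == "http://$ForeignDomain/phase3"]
 => add(Type = "http://$ForeignDomain/phase4", Value = regexreplace(c.Value, "^CN=", ""));
c:[Type == "http://$ForeignDomain/phase4"$filter]
 => issue(Type = "$role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@
}

function Get-GroupNameFromDn {
    param([Parameter(Mandatory)][string]$Dn)
    # Exactly the two regexreplace steps of Rules 3 and 4 (.NET regex, as ADFS uses).
    $cn = [regex]::Replace($Dn, ',[^\n]*', '')
    return [regex]::Replace($cn, '^CN=', '')
}

# Constructed sample DNs. The second has an escaped comma inside the CN: Rule 3 cuts at
# the first comma, so the relying party would receive "Group-XX\" instead of the real name.
$samples = @(
    'CN=Group-XX-Admins,OU=Groups,DC=testdomain,DC=local',
    'CN=Group-XX\, Finance,OU=Groups,DC=testdomain,DC=local',
    'CN=Other-Team,OU=Groups,DC=testdomain,DC=local'
)
foreach ($dn in $samples) {
    $name = Get-GroupNameFromDn $dn
    $hit  = $name -match '(?i)^Group-XX'   # the Rule 5 filter
    '{0,-55} -> {1,-18} issued as role: {2}' -f $dn, $name, $hit
}

function Test-ForeignGroupRead {
    param([Parameter(Mandatory)][string]$ForeignDomain, [Parameter(Mandatory)][string]$UserSid)
    # Run this as the ADFS service account. It mirrors Rules 1 and 2: the object whose
    # objectSid is the user's SID is their ForeignSecurityPrincipal, and the
    # matching-rule-in-chain filter returns every group that transitively contains it.
    Import-Module ActiveDirectory
    $fsp = Get-ADObject -Server $ForeignDomain -LDAPFilter "(objectSid=$UserSid)"
    if (-not $fsp) { throw "No object with objectSid $UserSid in ${ForeignDomain}: no FSP exists yet, or the account cannot read it" }
    Get-ADObject -Server $ForeignDomain -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($fsp.DistinguishedName))" |
        ForEach-Object { Get-GroupNameFromDn $_.DistinguishedName }
}

function Set-CrossForestGroupRules {
    param([Parameter(Mandatory)][string]$RelyingPartyName, [Parameter(Mandatory)][string]$RuleSet)
    Import-Module ADFS
    # This replaces the trust's whole issuance transform rule set. If the trust already has
    # rules you want to keep, read them with Get-AdfsRelyingPartyTrust and prepend them to $RuleSet.
    Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules $RuleSet
}

$ruleSet = New-CrossForestGroupRuleSet -ForeignDomain 'TESTDOMAIN' -GroupPrefix 'Group-XX'
$ruleSet   # review the generated rules before applying them

# Live steps, to run on the ADFS server once the rule text looks right:
# Test-ForeignGroupRead -ForeignDomain 'TESTDOMAIN' -UserSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
# Set-CrossForestGroupRules -RelyingPartyName 'Contoso App' -RuleSet $ruleSet
```

Running the script as-is only prints the generated rule set and the three sample transforms; the two live calls are left commented because they need the ADFS server, the foreign domain and the service account's permissions. Test-ForeignGroupRead is the scripted form of the check described in the comments below (opening the ForeignSecurityPrincipals objects as the service account): if it throws or returns nothing for a user who is in a TESTDOMAIN group, the rules will not issue anything for that user either.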
I tried it, but it does not work for me. I don't see any groups from another forest.
Hello Tung,
Apologies, I had posted the wrong rules; please have a look at them again.
Can you check a couple of things:
* First, that you changed TESTDOMAIN to whatever domain you are trying to query.
* That you have modified the filter in Rule 5 ("Group-XX") to whatever groups you are looking for; if you want all groups, simply remove the filter so the first line of Rule 5 reads c:[Type == "http://testdomain/phase4"].
* That you have given the ADFS service account the correct foreign security principal permission on the domain you are trying to query. You can easily test that by running Active Directory Users and Computers as the ADFS account, connecting to the domain you are trying to query; under the ForeignSecurityPrincipals OU you should see a bunch of objects with their SID, and you should be able to open their memberOf attribute and see the groups they are members of.
It works this time after I used your new rules. Permissions are not a problem in my case; the ADFS service account already has the correct permissions.
Now, how can I make it work for any user? Currently I am using mydomain\myusername and it is sending groups from another forest.
Thanks
Never mind, I just used mydomain\username.
Thanks
Hello Tung,
This will work for all users. In the query, when we specify "TESTDOMAIN\username", the important information is the domain; the username actually gets ignored, so it doesn't matter what you put there, it will be replaced by the user who is actually logging in. I keep it as username just for consistency.
Regards
I have applied those rules, but it didn't work. By TESTDOMAIN, do I need to put the domain name where the ADFS server is, or the domain name of the other forest from which I want to add users to the domain local SG of the ADFS domain?
I also have 10 rules from before. Do I need to delete all those previous claim rules to make it work, or is just updating to rules 1 to 5 OK?
Could someone please guide here.