Score:0

How do I convert a multi-value SAML attribute to a single-value string in ADFS?


I previously asked a similar question about doing this in Azure AD. However, I've come to the conclusion that it is probably too limited to do this and I received no answers.

However, in ADFS there is a lot more flexibility.

I want to convert an active directory user's group membership to a single : delimited/enclosed string. So, if the AD user is a member of Group1 and Group2, then a claim will be issued with a string value of :Group1:Group2:. Or, preferably, it would use the SID of the group which is immutable.

I don't think there is any built-in way to do this based on my research, but maybe someone more familiar with the claims rule language can provide a method? Otherwise, it looks like I might be able to create a custom attribute store, which can utilize pretty much any .NET code I want to process claims, as described here.

Before I go down the road of creating my own custom attribute store, is anyone aware of a way to do what I am trying to do either using built-in ADFS functionality, or by utilizing a publicly provided custom attribute store similar to this one here?

I am running ADFS 4.0.

Score:0

With ADFS this can be done using claim issuance policies.

There is an example here: https://aws.amazon.com/blogs/big-data/federate-access-to-amazon-redshift-query-editor-v2-with-active-directory-federation-services-ad-fs-part-3/

  1. Create the rule Marketing, using the following code for the custom rule:

    c:[Type == "http://temp/variable", Value =~ "(?i)^RSDB-marketing"] => add(Type = "http://temp/marketing", Value = RegExReplace(c.Value, "RSDB-", ""));

  2. Create the rule MarketingNotExists using the following code:

    NOT EXISTS([Type == "http://temp/variable", Value =~ "RSDB-marketing"]) => add(Type = "http://temp/marketing", Value = "");

  3. Create the rule sales using the following code:

    c:[Type == "http://temp/variable", Value =~ "(?i)^RSDB-sales"] => add(Type = "http://temp/sales", Value = RegExReplace(c.Value, "RSDB-", ""));

  4. Create the rule SalesNotExists using the following code:

    NOT EXISTS([Type == "http://temp/variable", Value =~ "RSDB-sales"]) => add(Type = "http://temp/sales", Value = "");

  5. Create the rule RedshiftDbGroups using the following code:

    c:[Type == "http://temp/marketing"] && c2:[Type == "http://temp/sales"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:RedshiftDbGroups", Value = c.Value + ":" + c2.Value);

  6. This will create a claim that looks like this:

    <Attribute Name="https://redshift.amazon.com/SAML/Attributes/PrincipalTag:RedshiftDbGroups"><AttributeValue>marketing:sales</AttributeValue></Attribute>
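As an added example (this is not code from the answer above or from the AWS post it links), here is that rule set loaded into an ADFS 4.0 relying party trust with the ADFS PowerShell module, so the whole policy can be version-controlled and applied in one step instead of clicked together in the console. Two things are assumptions of mine: the relying party trust name `AWS-Redshift` is a placeholder, and the first rule, which fills `http://temp/variable` with the user's group names from the Active Directory `tokenGroups` query, is the step the answer leaves out. I also use the same anchored, case-insensitive pattern in each rule and its `NOT EXISTS` partner; if the two patterns differ (as they do in the answer, where only the first of each pair has `(?i)^`), a user whose group name matches one pattern but not the other gets both a group value and an empty placeholder under the same type, and the final rule then issues more than one `RedshiftDbGroups` claim.

```powershell
# Added example: apply the claim issuance policy from the answer to an ADFS 4.0
# relying party trust. Requires the ADFS module (present on the ADFS server).
Import-Module ADFS

# Placeholder: replace with the display name of your relying party trust.
$rpName = "AWS-Redshift"

# The rule set. ADFS evaluates issuance transform rules in order, so the
# temp claims must be added before the final rule reads them.
# "tokenGroups" returns group names; "tokenGroupsAsSids" would return the
# immutable group SIDs the question prefers (assumption: same query syntax).
$rules = @'
@RuleName = "Groups to temp variable"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Marketing"
c:[Type == "http://temp/variable", Value =~ "(?i)^RSDB-marketing"]
 => add(Type = "http://temp/marketing", Value = RegExReplace(c.Value, "RSDB-", ""));

@RuleName = "MarketingNotExists"
NOT EXISTS([Type == "http://temp/variable", Value =~ "(?i)^RSDB-marketing"])
 => add(Type = "http://temp/marketing", Value = "");

@RuleName = "Sales"
c:[Type == "http://temp/variable", Value =~ "(?i)^RSDB-sales"]
 => add(Type = "http://temp/sales", Value = RegExReplace(c.Value, "RSDB-", ""));

@RuleName = "SalesNotExists"
NOT EXISTS([Type == "http://temp/variable", Value =~ "(?i)^RSDB-sales"])
 => add(Type = "http://temp/sales", Value = "");

@RuleName = "RedshiftDbGroups"
c:[Type == "http://temp/marketing"] && c2:[Type == "http://temp/sales"]
 => issue(Type = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:RedshiftDbGroups", Value = c.Value + ":" + c2.Value);
'@

# Replace the trust's issuance transform rules with the set above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read the stored rule set back so the change can be reviewed or diffed.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Note that this approach only scales to a fixed, known list of categories: every category needs its own rule plus a `NOT EXISTS` partner, and the final rule must name each temp type explicitly. That is the limitation the next answer refers to, and it is why an arbitrary number of groups cannot be joined into one `:Group1:Group2:` string with the built-in rule language alone.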

Score:0

The best would be to go down the custom attribute store route.

Claims rules don't really work for an indeterminate number of claims.
