Tags: adfs, string-concatenation, claims-authentication

ADFS claims rules string concatenation possible?


I am new to ADFS claim rules, but I managed to configure the normal mapping. Now my customer asked me to add 4 static letters like "1234" in front of an incoming LDAP attribute. For example, add "1234" in front of the "E-Mail-Addresses" attribute. I have read about the claim rule language syntax but wasn't able to find an add function.


Solution

  • Sample rules below.

    @RuleName = "add temp claim email to pipeline as a var for processing"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://temp.org/emailaddress"), query = ";mail;{0}", param = c.Value);
    
    @RuleName = "massage var to issue real email claim"
    c:[Type == "http://temp.org/emailaddress"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value = "1234" + c.Value);

    This will result in issuing an email claim with value 1234john@contoso.com when the AD mail attribute has john@contoso.com as the attribute value.

    You should review https://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx as it has lots of good examples on syntax.

    Then create the claimsxray relying party as per https://adfshelp.microsoft.com/ClaimsXray/TokenRequest and test your rules. Once you have a set of rules that work, you can use them on the real intended relying party.
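The answer above shows the rule text but not how to install it on a trust. The following PowerShell is an added example, not part of the original answer, showing how to load the two rules onto a relying party trust with the AD FS cmdlets and read back what was stored. It assumes the trust is named "ClaimsXray" (a placeholder; use your own trust's display name) and that it is run on an AD FS server. Two things worth knowing before running it: `-IssuanceTransformRules` replaces the trust's entire rule set, so any existing rules must be included in the same string, and the `add(...)` rule only places the temporary claim in the pipeline; nothing is issued to the relying party until the second rule runs, which is why the prefix can be applied there.

```powershell
# Added example (not from the original answer): install the two claim rules on a
# relying party trust, keeping a backup of the previous rule set.
# Assumptions: trust display name "ClaimsXray" (placeholder), run on the AD FS server.
# On AD FS 2.0 the cmdlets come from the snap-in: Add-PSSnapin Microsoft.Adfs.PowerShell

$rpName = "ClaimsXray"   # assumed relying party trust name; change to yours

# Rule set as a here-string. Each rule keeps its @RuleName header and ends with ';'.
# Setting IssuanceTransformRules replaces ALL rules on the trust, so merge any
# rules the trust already has into this string before applying it.
$rules = @'
@RuleName = "add temp claim email to pipeline as a var for processing"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp.org/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "massage var to issue real email claim"
c:[Type == "http://temp.org/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value = "1234" + c.Value);
'@

# Fail early if the trust does not exist.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Back up the current rule set so the change can be reverted if a test token looks wrong.
$backup = Join-Path $env:TEMP ("{0}-IssuanceTransformRules-{1:yyyyMMddHHmmss}.txt" -f $rpName, (Get-Date))
$rp.IssuanceTransformRules | Out-File -FilePath $backup -Encoding UTF8
Write-Host "Previous rules saved to $backup"

# Apply the new rule set. -IssuanceTransformRulesFile can be used instead to load from a file.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read back what AD FS stored; this is what the token request to Claims X-Ray will exercise.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

After applying, request a token through the Claims X-Ray relying party and confirm the emailaddress claim arrives as "1234" followed by the mail attribute value. To roll back, pass the saved file to `Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRulesFile $backup`.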