I'm currently integrating AD FS with Jira Cloud for SSO and facing a challenge with email domain mismatches.
Our Active Directory domain for users is company.local, but our verified domain for Jira Cloud is verifieddomain.com.
I need to create a custom rule within our AD FS claim issuance policy to convert the .local extension in UPNs to our verified domain.
Here's the existing rule snippet I found in the Jira Cloud documentation for configuring SAML SSO with AD FS:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";objectSID,mail,givenName,sn;{0}", param = c.Value);
What I'm trying to achieve is to edit this rule (or add a new one) to transform any UPN from user@company.local to user@verifieddomain.com.
Could someone advise how to properly create a custom claim rule that would handle this transformation?
There are many examples here.
The solution to your problem is:
Replace domain name
Problem
We want to replace one domain name with another.
Solution
To replace xxx@somedomain with xxx@anotherdomain:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = c.Type, Value = regexreplace(c.Value, "(?<user>[^\\]+)@(?<domain>.+)", "${user}@anotherdomain"));
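As an added illustration (not part of the answer above, and not AD FS code), here is a Python model of what that regexreplace rule does to a few constructed UPNs. .NET named groups `(?<user>...)` and the `${user}` substitution are written in Python as `(?P<user>...)` and `\g<user>`; the verified domain, the sample UPNs and the narrower "scoped" pattern are assumptions chosen to match the question. The point worth checking before deploying the rule is that the pattern in the answer rewrites every UPN suffix, not only company.local, so two different accounts can end up presenting the same email to Jira; the scoped variant limits the rewrite to the one suffix that needs it.

```python
import re
from collections import defaultdict

# The answer's regex, transliterated to Python syntax (constructed for illustration).
BROAD_PATTERN = re.compile(r"(?P<user>[^\\]+)@(?P<domain>.+)")

# Assumed narrower variant: only rewrite the company.local suffix, case-insensitively,
# and refuse to match anything containing a backslash or a second '@'.
SCOPED_PATTERN = re.compile(r"^(?P<user>[^\\@]+)@company\.local$", re.IGNORECASE)

VERIFIED_DOMAIN = "verifieddomain.com"  # assumed, matches the question

# Constructed sample UPNs; jdoe exists both in the local forest and at a partner suffix.
SAMPLE_UPNS = [
    "jdoe@company.local",
    "asmith@company.local",
    "jdoe@partner.com",
]


def rewrite_broad(upn: str) -> str:
    """Apply the answer's rule as written: any user@anything becomes user@verified domain."""
    return BROAD_PATTERN.sub(rf"\g<user>@{VERIFIED_DOMAIN}", upn)


def rewrite_scoped(upn: str) -> str:
    """Apply the narrowed rule: only user@company.local is rewritten, everything else is untouched."""
    return SCOPED_PATTERN.sub(rf"\g<user>@{VERIFIED_DOMAIN}", upn)


def find_collisions(upns, rewrite):
    """Return {rewritten_value: [source UPNs]} for every value produced by more than one source UPN.

    A non-empty result means two distinct directory accounts would present the same
    email claim to the relying party after the rewrite.
    """
    produced = defaultdict(list)
    for upn in upns:
        produced[rewrite(upn)].append(upn)
    return {value: sources for value, sources in produced.items() if len(sources) > 1}


if __name__ == "__main__":
    for upn in SAMPLE_UPNS:
        print(f"{upn:24} broad -> {rewrite_broad(upn):26} scoped -> {rewrite_scoped(upn)}")
    print("collisions (broad):", find_collisions(SAMPLE_UPNS, rewrite_broad))
    print("collisions (scoped):", find_collisions(SAMPLE_UPNS, rewrite_scoped))
```

Run it and compare the two collision dictionaries: the broad rule folds jdoe@partner.com onto the same value as jdoe@company.local, the scoped rule leaves the partner UPN alone. The same narrowing can be expressed in the claim rule itself by putting the suffix in the regex instead of `(?<domain>.+)`.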