ADFS: Difference between revisions
Jump to navigation
Jump to search
(Created page with "<syntaxhighlight lang="text"> 1 c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORTIY"] => add(store = "Active Dire...") (change visibility) |
No edit summary (change visibility) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
= Filter the groups retrieved from AD = | |||
http://social.technet.microsoft.com/wiki/contents/articles/8008.ad-fs-2-0-selectively-send-group-membership-s-as-a-claim.aspx?Sort=MostRecent&PageIndex=1 | |||
# Claim rule 1 | |||
<syntaxhighlight lang="text"> | <syntaxhighlight lang="text"> | ||
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORTIY"] | |||
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value); | => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value); | ||
| Line 7: | Line 10: | ||
=> issue(claim = c); | => issue(claim = c); | ||
</syntaxhighlight> | |||
2 | # Claim rule 2 | ||
<syntaxhighlight lang="text"> | |||
c1:[Type == "http://schemas.xmlsoap.org/claims/Group"] | c1:[Type == "http://schemas.xmlsoap.org/claims/Group"] | ||
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] | && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] | ||
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "(&(distinguishedName={0})(info=Role));name;{1}", param = c1.Value, param = c2.Value); | => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "(&(distinguishedName={0})(info=Role));name;{1}", param = c1.Value, param = c2.Value); | ||
</syntaxhighlight> | |||
# origineel | |||
<syntaxhighlight lang="text"> | |||
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] | ||
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/claims/Company", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,sAMAccountName,company,mail,displayName,tokenGroups;{0}", param = c.Value); | => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/claims/Company", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,sAMAccountName,company,mail,displayName,tokenGroups;{0}", param = c.Value); | ||
</syntaxhighlight> | |||
# No idea | |||
<syntaxhighlight lang="text"> | |||
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORTIY"] | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORTIY"] | ||
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value); | => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value); | ||
| Line 33: | Line 37: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
= Must known url's = | |||
*https://sts.domain.ext/adfs/ls/?wa=wsignout1.0 | |||
*https://sts.domain.ext/adfs/ls/IdpInitiatedSignOn.aspx | |||
Revision as of 12:11, 27 November 2013
Filter the groups retrieved from AD
- Claim rule 1
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORTIY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)ug-sec"]
=> issue(claim = c);
- Claim rule 2
c1:[Type == "http://schemas.xmlsoap.org/claims/Group"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "(&(distinguishedName={0})(info=Role));name;{1}", param = c1.Value, param = c2.Value);
- origineel
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/claims/Company", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,sAMAccountName,company,mail,displayName,tokenGroups;{0}", param = c.Value);
- No idea
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORTIY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)adfs"
=> issue(claim = c);