Setting up claim rules
Claim rules to set up the federation
To make SAML login work, the following claim rules have to be added:
1. Create a custom claim rule that looks up the User-Principal-Name in Active Directory and adds it to the incoming claim set (it is issued with the emailaddress claim type):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName;{0}", param = c.Value);
2. Create a transform rule that sends the email address as the NameID:
Claim rules to send ldap groups in the assertion
Use case 1
Suppose we want to send only Ustream-related groups in the assertion. In this case the groups can be created with prefixed names (e.g. Ustream-Management, Ustream-Developer, Ustream-Sales) and filtered as follows.
1. Create a custom rule to get Group membership data from LDAP:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
2. Create a custom claim rule that keeps only the Ustream groups and sends them, with the prefix stripped, as attributes named Group:
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Ustream-"] => issue(Type = "Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = RegExReplace(c.Value, "^(?i)Ustream-", ""), ValueType = c.ValueType);
In this case, if a user is a member of the Domain Users, Ustream-Management and Ustream-Developer groups, the assertion will contain the following groups: Management, Developer. The match is anchored at the start of the name and case-insensitive, so only groups whose name begins with the prefix are sent.
Use case 2
Send every group the user is a member of.
1. Create a custom rule to get Group membership data from LDAP (the same rule as in Use case 1 above).
2. Create a custom rule to send the Groups:
c:[Type == "http://schemas.xmlsoap.org/claims/Group"] => issue(Type = "Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
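The following is an added example, not part of the original page and not AD FS code: a small Python simulation of the claim pipeline described in Use case 1 and Use case 2, so the filtering behaviour can be checked offline before the rules are deployed. The in-memory directory (FAKE_DIRECTORY), the account name CORP\jdoe and all function names are constructed for the example; the claim type URIs and the Ustream- prefix are the ones used in the rules above. One caveat the example encodes: the page's pattern "^(?i)Ustream-" is .NET regex syntax, and Python 3.11 and later reject an inline flag that is not at the very start of the pattern, so the flag is passed as re.IGNORECASE instead.

```python
"""Added example (not from the original page): simulate the AD FS add/issue
claim rules for the two group use cases so the output can be verified offline."""
import re

# Claim types exactly as used in the rules on the page.
WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
EMAIL_ADDRESS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP = "http://schemas.xmlsoap.org/claims/Group"

# Constructed stand-in for the "Active Directory" attribute store. The
# lower-case "ustream-Developer" and the "Sales-Ustream-Liaison" group are
# there to exercise the case-insensitive, start-anchored match.
FAKE_DIRECTORY = {
    "CORP\\jdoe": {
        "userPrincipalName": "jdoe@example.com",
        "tokenGroups": [
            "Domain Users",
            "Ustream-Management",
            "ustream-Developer",
            "Sales-Ustream-Liaison",
        ],
    },
}

# .NET pattern "^(?i)Ustream-" from the page, with the inline flag moved to
# a Python flag argument (Python 3.11+ rejects "(?i)" after the anchor).
USTREAM_PREFIX = re.compile(r"^Ustream-", re.IGNORECASE)


def incoming_claims(account):
    """Claims AD FS holds after Windows authentication, before custom rules run."""
    return [{"Type": WINDOWS_ACCOUNT_NAME, "Issuer": "AD AUTHORITY", "Value": account}]


def add_from_store(claims, attribute, claim_type):
    """Equivalent of add(store = "Active Directory", ...): look the user up and
    add claims to the pipeline without sending them to the relying party."""
    for c in list(claims):
        if c["Type"] == WINDOWS_ACCOUNT_NAME and c["Issuer"] == "AD AUTHORITY":
            values = FAKE_DIRECTORY[c["Value"]][attribute]
            for v in (values if isinstance(values, list) else [values]):
                claims.append({"Type": claim_type, "Issuer": "AD AUTHORITY", "Value": v})
    return claims


def issue_ustream_groups(claims):
    """Use case 1: issue only Ustream-* groups as 'Group', prefix stripped."""
    return [
        {"Type": "Group", "Value": USTREAM_PREFIX.sub("", c["Value"])}
        for c in claims
        if c["Type"] == GROUP and USTREAM_PREFIX.search(c["Value"])
    ]


def issue_all_groups(claims):
    """Use case 2: issue every group the user is a member of."""
    return [{"Type": "Group", "Value": c["Value"]} for c in claims if c["Type"] == GROUP]


def assertion_groups(account, use_case):
    """Run the pipeline for one account and return the Group attribute values
    that would end up in the SAML assertion."""
    claims = incoming_claims(account)
    add_from_store(claims, "userPrincipalName", EMAIL_ADDRESS)
    add_from_store(claims, "tokenGroups", GROUP)
    issued = issue_ustream_groups(claims) if use_case == 1 else issue_all_groups(claims)
    return [c["Value"] for c in issued]


if __name__ == "__main__":
    print("use case 1:", assertion_groups("CORP\\jdoe", 1))
    print("use case 2:", assertion_groups("CORP\\jdoe", 2))
```

Running it shows why the prefix convention matters: Use case 1 yields only Management and Developer, while Use case 2 discloses the user's complete group list, including groups unrelated to the relying party, to every service the federation trusts.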