Setting up claim rules

Claim rules to set up the federation

To make saml login work the following claim rules have to be added:

1. Create a custom claim rule to add the User-Principal-Name to the incoming claim rule set:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName;{0}", param = c.Value);

 


2. Create a transform rule as to send the email address in the NameId:

Claim rules to send ldap groups in the assertion

Use case 1

Suppose we want to send only Ustream-related groups in the assertion. In this case the groups can be created with prefixed group names. (E.g. Ustream-Management, Ustream-Developer, Ustream-Sales) and filtered the following way.

1. Create a custom rule to get Group membership data from LDAP:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query =

 

";tokenGroups;{0}", param = c.Value);


2. Create a custom claim rule to filter out Ustream groups and send them as attributes named Group:

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Ustream-"]

 => issue(Type = "Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = RegExReplace(c.Value, "^(?i)Ustream-", ""), ValueType = c.ValueType);

In this case if a user is a member of the Domain Users, Ustream-Management and Ustream-Developer groups, the assertion will contain the following groups: Management, Developer.

Use case 2

Send each groups of the user.

1. Create a custom rule to get Group membership data from LDAP: see above in Use case 1

2. Create a custom rule to send the Groups:

c:[Type == "http://schemas.xmlsoap.org/claims/Group"]

 => issue(Type = "Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Powered by Zendesk