How to replicate ADFS SAML issuance rules in Entra ID enterprise App

Andy R 0 Reputation points
2024-03-18T15:19:15.62+00:00

We are starting to look at moving our ADFS trusts into Entra ID and I am struggling with how to replicate this type of scenario in an Entra SAML app.

As an example we have local AD groups (these would be synced into Entra ID):

BusStop-3456
BusStop-7890
BusSeat-21
BusSeat-55

A user would be in one of each type of group.


There is an ADFS RPT, and we would then have these three SAML issuance rules in ADFS for the RPT:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

c:[Type == "http://temp/variable", Value =~ "(?i)^BusStop-"]
 => issue(Type = "https://Bus/Stop", Value = RegExReplace(c.Value, "BusStop-", ""));

c:[Type == "http://temp/variable", Value =~ "(?i)^BusSeat-"]
 => issue(Type = "https://Bus/Seat", Value = RegExReplace(c.Value, "BusSeat-", ""));

I can do a group claim with a filter and then a regex-based transform to do one of the two items, but then I am unable to add a second group claim, as the option is greyed out.
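When migrating issuance rules like these, it helps to have a reference implementation of what ADFS would have issued for a given set of tokenGroups, and to diff it against what the Entra ID enterprise app actually puts in the SAML assertion. The following Python script is an added example and is not part of the question or of any Microsoft tooling: it replicates the three rules above (case-insensitive prefix match, prefix stripped, one claim per matching group), parses the AttributeStatement of a constructed sample assertion, and reports missing, wrong and untransformed claims. The sample assertion, the tenant placeholder and the assumption that RegExReplace strips the prefix case-insensitively (matching the `(?i)` in the rule condition) are all mine, not taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# The two transform rules from the ADFS RPT, as (match pattern, claim type).
# Assumption: the prefix is stripped case-insensitively, mirroring the (?i)
# in the rule condition; adjust if your ADFS behaves differently.
GROUP_CLAIM_RULES = [
    (re.compile(r"(?i)^BusStop-"), "https://Bus/Stop"),
    (re.compile(r"(?i)^BusSeat-"), "https://Bus/Seat"),
]

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def expected_claims(token_groups):
    """Replicate the ADFS rule set: the first rule loads tokenGroups into a
    temporary claim, the next two issue a claim per group that matches a
    prefix, with the prefix removed. Groups matching no rule are dropped."""
    claims = set()
    for group in token_groups:
        for pattern, claim_type in GROUP_CLAIM_RULES:
            if pattern.match(group):
                claims.add((claim_type, pattern.sub("", group, count=1)))
    return claims


def claims_from_assertion(assertion_xml):
    """Collect (attribute name, value) pairs from every saml:Attribute in the
    assertion's AttributeStatement. Signature validation is out of scope here;
    run this on an assertion you have already verified."""
    root = ET.fromstring(assertion_xml)
    claims = set()
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        name = attr.get("Name")
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            claims.add((name, (value.text or "").strip()))
    return claims


def compare(token_groups, assertion_xml):
    """Diff the claims ADFS would have issued against the claims Entra ID
    actually issued. 'untransformed' catches the usual migration failure:
    a raw group name leaking through under a generic groups claim."""
    expected = expected_claims(token_groups)
    actual = claims_from_assertion(assertion_xml)
    bus_types = {claim_type for _, claim_type in GROUP_CLAIM_RULES}
    return {
        "missing": expected - actual,
        "wrong": {c for c in actual if c[0] in bus_types} - expected,
        "untransformed": {
            c for c in actual
            if any(pattern.match(c[1]) for pattern, _ in GROUP_CLAIM_RULES)
        },
    }


# Constructed sample: an Entra-style assertion where only the BusStop group
# was transformed and the BusSeat group came through as a plain groups claim.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2024-03-18T15:19:15Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://Bus/Stop">
      <saml:AttributeValue>3456</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>BusSeat-21</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAMPLE_TOKEN_GROUPS = ["BusStop-3456", "BusSeat-21", "Domain Users"]

if __name__ == "__main__":
    for key, value in compare(SAMPLE_TOKEN_GROUPS, SAMPLE_ASSERTION).items():
        print(f"{key}: {sorted(value)}")
```

Feed `compare` the tokenGroups of a test user and a decoded assertion captured from the Entra app (for example from the browser's SAML tracer) and it tells you which of the ADFS-era claims are absent and whether any group names are arriving unstripped.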
