Hi all
We have an ADFS 3.0 farm, and need to include the group DN into the claim.
I have the following 2 rules, the first one successfully pulls the DNs of all the user's groups. Worried about token bloat since some users have 100s of group memberships.
The second one (Role) is meant to filter based on DNs starting with "CN=xyz*", but it's not working.
Any ideas?
GroupSID
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
=> issue(store = "Active Directory", types = ("http://group/DN"), query = "(&(objectClass=group)(objectSID={1}));distinguishedName;{0}", param = c1.Value, param = c2.Value);
RoleSID
c:[Type == "http://group/DN", Value =~ "^CN=XYZ*"]
=> issue(claim = c);
You are issuing all the DNs with the first rule. You need to replace the "issue" statement with an "add" statement.
(also, there are typos like extra ";" in the first rule, but it might just be copy paste errors)
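The change the answer describes, written out as an added example (this is my reconstruction, not the asker's amended rule or Microsoft's sample): the first rule is changed from "issue" to "add", so the group DNs only exist in the pipeline's working set and never reach the token, and the second rule issues just the ones that match. The relying party name is a placeholder. I also dropped the trailing "*" from the asker's pattern, because in a regular expression "*" quantifies the preceding character ("XY" followed by zero or more "Z"), whereas "^CN=XYZ" alone already means "starts with CN=XYZ".

```powershell
# Added example, not the thread author's rule: the two rules from the question
# with the first changed from "issue" to "add", as the answer suggests.
# $rpName is a placeholder for the relying party trust being configured.
$rpName = "<relying-party-display-name>"

$rules = @'
@RuleName = "GroupDN (add only: kept in the pipeline, not emitted in the token)"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
 => add(store = "Active Directory", types = ("http://group/DN"), query = "(&(objectClass=group)(objectSID={1}));distinguishedName;{0}", param = c1.Value, param = c2.Value);

@RuleName = "RoleDN (issue only the DNs that match the filter)"
c:[Type == "http://group/DN", Value =~ "^CN=XYZ"]
 => issue(claim = c);
'@

# Parse the rule text first; a syntax error (such as a stray ";") fails here,
# before anything is written to the trust.
$ruleSet = New-AdfsClaimRuleSet -ClaimRule $rules

# Record the current issuance rules so the change can be reverted, then apply.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $ruleSet.ClaimRulesString
```

Because the DN claims are only added, not issued, the token size no longer grows with the user's total group count, which addresses the token-bloat worry in the question; only the filtered role claims are emitted. Test the result against a user with many group memberships and confirm the token carries just the "CN=XYZ" entries.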
So being a techie and not a dev at all, plus no readily available info on these matters, I have had to "figure out" how this stuff works. So I assume the "issue" statement is like a closure on the command, stating that nothing else needs to be done, issue that part of the token, and "add" takes that dataset into the next rule in sequential order?
I amended my rule and tested, got the exact expected result so thank you for the assistance. (and teaching me something!)
PS: I think the extra characters were copy paste errors.