ADFS Group DN filter not working

Stephane Favre 26 Reputation points
2021-02-17T05:31:50.257+00:00

Hi all

We have an ADFS 3.0 farm, and need to include the group DN into the claim.

I have the following 2 rules, the first one successfully pulls the DNs of all the user's groups. Worried about token bloat since some users have 100s of group memberships.

The second one (Role) is meant to filter based on DNs starting with "CN=xyz*", but it's not working.

Any ideas?

GroupSID

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
=> issue(store = "Active Directory", types = ("http://group/DN"), query = "(&(objectClass=group)(objectSID={1}));distinguishedName;{0}", param = c1.Value, param = c2.Value);

RoleSID
c:[Type == "http://group/DN", Value =~ "^CN=XYZ*"]
=> issue(claim = c);


Accepted answer
  1. Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2021-02-23T15:33:26.127+00:00

    You are issuing all the DNs with the first rule. You need to replace the "issue" statement with an "add" statement.

    (also, there are typos like extra ";" in the first rule, but it might just be copy paste errors)

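
As an added example (not the asker's or answerer's own code), the two rules rewritten as the accepted answer suggests and applied with the AD FS PowerShell module; the relying party name 'Contoso App', the rule names and the group-name prefix XYZ are placeholders.

```powershell
# Added example: rule 1 uses add() so the group DNs stay in the pipeline instead
# of being issued; rule 2 issues only the DNs whose CN starts with the prefix.
# Placeholders: relying party display name 'Contoso App', group prefix 'XYZ'.
Import-Module ADFS

$rpName = 'Contoso App'   # placeholder relying party trust display name

# Single-quoted here-string: PowerShell expands nothing inside it, so {0}/{1}
# reach AD FS untouched.
$newRules = @'
@RuleName = "Group DN lookup (add only, nothing issued)"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
 => add(store = "Active Directory", types = ("http://group/DN"), query = "(&(objectClass=group)(objectSID={1}));distinguishedName;{0}", param = c1.Value, param = c2.Value);

@RuleName = "Issue only group DNs whose CN starts with XYZ"
c:[Type == "http://group/DN", Value =~ "(?i)^CN=XYZ"]
 => issue(claim = c);
'@

# -IssuanceTransformRules replaces the trust's whole rule set, so keep what is
# already configured and append the two new rules after it.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $newRules)

# Check: show the rule set now in effect for the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The trailing `*` in the posted pattern is a regex quantifier on the Z, not a wildcard, so the anchored `^CN=XYZ` (with `(?i)` for a case-insensitive match) is all a starts-with filter needs. To keep same-named groups from other OUs out of the token, extend the pattern to the DN suffix as well, e.g. `(?i)^CN=XYZ.*,OU=AppGroups,DC=contoso,DC=com$` (placeholder OU and domain).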

1 additional answer

  1. Stephane Favre 26 Reputation points
    2021-02-24T05:58:15.697+00:00

    So being a techie and not a dev at all, plus no readily available info on those matters, I have had to "figure out" how this stuff works. So I assume the "issue" statement is like a closure on the command stating that nothing else needs to be done, issue that part of the token, and "add" takes that dataset into the next rule as per sequential order?

    I amended my rule and tested, got the exact expected result so thank you for the assistance. (and teaching me something!)

    PS: I think the extra characters were copy-paste errors.

