Issue multiple claims in a single rule

adfs

Is there a simple way to issue multiple claims in a single ADFS Claim rule? The only example I can see is ones which query an attribute store, and each retrieved column is mapped to a different claim type.

I tried an "obvious" approach of using Types rather than Type, putting the two types in brackets (as per SQL example), but then I need to supply multiple values - so I thought to use Values rather than Value. But it chokes at the Types part anyway.

This doesn't work:

c:[Type == incomingClaim, Value =~ incomingMatch]
 => issue(Types = (type1,type2), Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
      Values = (value1,value2), ValueType = c.ValueType);

Where incomingClaim,type1,type2,value1 and value2 are simple string literals, and incomingMatch is a regex.

Of course, I could do this as multiple claim rules, but I was hoping to keep things simple for now. - There are going to be ~5 outgoing claims, for now, but I want to set up some users to get all of the claims without having to set up 5 rules. The number of claims will increase as time goes by.

(I've only tagged as ADFS - I can't see any other obvious tags to include)


An ADFS rule is composed of a condition, the => token, a command (issue or add), and terminated with a semicolon. You cannot issue multiple literals per rule, but you can use powershell to make it easier to work with.

Instead of going in the UI, and going through that wizard 5 times, you can use Set-AdfsRelyingPartyTrust to set all of the rules at once.

Set-RelyingPartyTrust -TargetName SharePoint_Prod -IssuanceTransformRulesFile c:\drop\rules.txt

where rules.txt looks like

c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type1, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value1, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type2, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value2, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type3, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value3, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type4, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value4, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type5, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value5, ValueType = c.ValueType);

The difference relative to the UI? I used copy and paste.


While Mitch's approach is correct, there is a fundamental issue here. Using the mentioned cmdlet above:

Set-RelyingPartyTrust -TargetName SharePoint_Prod -IssuanceTransformRulesFile c:\drop\rules.txt

will replace ALL issuance transform rules with the contents of the text file. Correct me if I'm wrong, but there is no 'Append' option in this approach. Moreover, I'm not sure if it was actually tried, but this will result to an error. PS expects every rule to start with:

@RuleName = "$Rulename"

And if there is only 1 rule name for multiple rules, ADFS will prompt an error (I have not actually tried it). The best working option if you want to use the cmdlet is to have the text file to be something like this:

@RuleName = "RuleName1"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type1, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value1, ValueType = c.ValueType);

@RuleName = "RuleName2"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type2, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value2, ValueType = c.ValueType);

@RuleName = "RuleName3"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type3, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value3, ValueType = c.ValueType);

@RuleName = "RuleName4"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type4, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value4, ValueType = c.ValueType);

@RuleName = "RuleName5"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type5, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value5, ValueType = c.ValueType);

This is still relatively easier to code in PowerShell, but having multiple rule names for essentially very similar claim rules is a nuisance. It would still be best if you can actually issue multiple claims in just one rule statement. I hope this feature can be added in the future.

Related

How to "silence" a TCP connection in one direction?
executing a command again once it stops (rsync, FreeBSD)
local rpm repostry, that contains all packages installed on system
DNS Issue - Windows 2003 environment
How to delete IPSEC VPN tunnel from Fortigate 60
Reduce Windows DNS Service caching on Window
iptables: How to read this OPT string?
Grant full mailbox access to Domain Admins in Exchange 2010, including all new mailboxes?
How to configure Elastic Beanstalk for using Rails with Postgres?
Server responds "bus error" to every command
Introducing a Windows Domain Controller into an all mac-client network
How to upload own OS ISO on Microsoft Azure Cloud Platform? [closed]