ADFS SAML2 UserID Claim Rule


I was recently asked to set up SSO with a third-party vendor. The vendor required SAML2 with IdP-initiated login, which in itself isn't all that strange. The unusual requirement was a claim called "UserID" that had to match the user's login credentials for the third-party product. None of the built-in ADFS claim rule templates can produce that claim, so I had to write a custom claim rule.

The following claim rule passes the Windows account name (<domain>\<user id>, i.e. the domain-qualified sAMAccountName) as the UserID claim. The Issuer == "AD AUTHORITY" condition limits the rule to the windowsaccountname claim that ADFS obtains from Active Directory, so a claim of the same type from any other source is ignored.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(type = "UserID", value = c.Value);

The rule above was very easy, but I didn't want to pass the domain name, so I used a little regex to strip the domain prefix and pass only the user id. The pattern captures everything up to the first backslash as "domain" and the remainder as "user", and the replacement keeps only the "user" group:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(type = "UserID", value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"));

This custom claim rule worked exactly as required. One caveat for a forest with more than one domain: once the domain is stripped, accounts that share a sAMAccountName in different domains (CONTOSO\jsmith and CHILD\jsmith) yield the same UserID claim, and the vendor can no longer tell them apart. In that case keep the domain in the value, or issue an attribute that is unique across the forest, such as userPrincipalName.
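Before attaching a regex rule to a relying party trust, it is worth running the exact pattern through the .NET regex engine (the one behind ADFS's regexreplace) on a few sample account names, then installing the rule without clobbering the rules the trust already has. The PowerShell below is an added example, not code from the original post; the trust name "ThirdPartyVendor" and the sample account names are constructed, and the ADFS cmdlets assume the script runs on an AD FS server with the ADFS module available.

```powershell
# Added example (not from the original post): dry-run the UserID regex with the
# .NET regex engine, then append the rule to a relying party trust.
# Assumptions: the trust is named "ThirdPartyVendor" (hypothetical) and the
# script runs on an AD FS server where Get-/Set-AdfsRelyingPartyTrust exist.

$pattern     = '(?<domain>[^\\]+)\\(?<user>.+)'   # identical text to what the claim rule passes to regexreplace
$replacement = '${user}'                           # keep only the named group "user"

function Convert-WindowsAccountNameToUserId {
    param([Parameter(Mandatory)][string]$WindowsAccountName)
    # Regex.Replace returns the input unchanged when the pattern does not match,
    # so a value with no backslash passes through as-is.
    return [regex]::Replace($WindowsAccountName, $pattern, $replacement)
}

# Constructed sample inputs in the shape of the windowsaccountname claim,
# including the cases worth knowing about before the rule goes live.
$samples = @(
    @{ In = 'CONTOSO\jsmith'; Expect = 'jsmith' },
    @{ In = 'CHILD\jsmith';   Expect = 'jsmith' },   # same UserID as the line above: collision across domains
    @{ In = 'jsmith';         Expect = 'jsmith' }    # no backslash: value is passed through unchanged
)
foreach ($s in $samples) {
    $got = Convert-WindowsAccountNameToUserId $s.In
    if ($got -ne $s.Expect) {
        throw "regex check failed for '$($s.In)': got '$got', expected '$($s.Expect)'"
    }
    '{0,-16} -> {1}' -f $s.In, $got
}

# The rule from the post, in a single-quoted here-string so the quotes,
# backslashes and ${user} reach ADFS untouched. @RuleName is optional but
# makes the rule easy to find in the management console later.
$userIdRule = @'
@RuleName = "UserID from sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(type = "UserID", value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"));
'@

# Append to the trust's existing issuance transform rules instead of replacing them.
$trustName = 'ThirdPartyVendor'   # hypothetical trust name
$trust     = Get-AdfsRelyingPartyTrust -Name $trustName
$rules     = ($trust.IssuanceTransformRules, $userIdRule) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $rules

# Read the rule set back to confirm the new rule is present.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

The dry run uses single-quoted PowerShell strings so the backslashes are not interpreted by PowerShell; the text the regex engine sees is the same as in the claim rule, which is the point of the check. The CHILD\jsmith line is there to make the multi-domain collision visible before the rule is shipped.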
