Tuesday, August 09, 2016

ADFS : Equality in claims rules

There have been a number of posts over on the ADFS forum around comparing claims values.

You can easily compare that a claim has a certain value via:

 c:[Type == "http://company.com/department", Value == "marketing"]
 => issue(Type = "http://someclaim", Value = "somevalue");

but what if you have two claims and you want to test that they both have the same value (i.e. are equal)?

There are no OOTB claims rules for this.

When I answered a post with this, @Pierre answered that there are some clever workarounds and gave some examples so I'm writing this up.

Imagine the following:

During on-boarding of users into AD, some people have had the same number entered into their phone and mobile attributes. Our application wants to catch this and tell the user to contact the help desk and get this fixed. 

The rule for telephone number and mobile is:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://claim/phone", "http://claim/mobile"), query = ";telephoneNumber,mobile;{0}", param = c.Value);

So now we need to check that the values of "http://claim/phone" and "http://claim/mobile" are equal.

The clever trick is to do a regex replace across both i.e. a custom rule:

c1:[Type == "http://claim/phone"]
 && c2:[Type == "http://claim/mobile"]
 => issue(Type = "http://claim/ContactNumber", Value = RegExReplace(c1.Value, c2.Value, "Error"));

This rule treats the second value (c2.Value, the mobile number) as a regular-expression pattern and replaces every match of it in the first value (c1.Value, the phone number) with "Error". If the two values are equal, the whole string is replaced and the new claim type "http://claim/ContactNumber" is issued with a value of "Error".

The application can then check the claim for the value of "Error" and then inform the user that the contact details need to be updated.


Here the values are equal and "ContactNumber" has the value of "Error".


Here the values are not equal so "ContactNumber" takes the value of the first claim.

This trick is not perfect e.g.


Here one number is a substring of the other, so only the matching part is replaced and the rest of the string is appended after "Error". This is easy to get around by checking that the claim contains the value "Error" rather than is equal to it: if the value is exactly "Error" the numbers are equal; if it merely contains "Error", one number is inside the other and the numbers are not equal.
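To see how the RegExReplace trick behaves across the cases above, here is an added simulation (not from the post, and not ADFS code) of the custom rule and of the application-side check. It uses Python's re.sub to stand in for the .NET Regex.Replace that backs RegExReplace (an assumption that holds for these inputs), runs it over constructed telephoneNumber/mobile pairs, and also covers two cases the post does not show: a mobile value containing regex metacharacters such as parentheses, which can make two different strings compare as "equal", and a leading "+", which is not a valid pattern at all. The anchored variant is an assumption that the rule language accepts "^" + c2.Value + "$" in the Value expression; it removes the substring problem but not the metacharacter one.

```python
import re

# Constructed sample directory data (not from the post): telephoneNumber / mobile pairs.
SAMPLE_USERS = {
    "alice": ("01234 567890", "01234 567890"),         # identical: the on-boarding mistake
    "bob":   ("01234 567890", "07700 900123"),         # genuinely different numbers
    "carol": ("01234 567890 ext 12", "01234 567890"),  # mobile is a substring of phone
    "dave":  ("01234 567890", "(0)1234 567890"),       # parentheses act as a regex group
    "erin":  ("+44 1234 567890", "+44 1234 567890"),   # leading '+' is not a valid pattern
}


def contact_number_claim(phone, mobile):
    """Simulate RegExReplace(c1.Value, c2.Value, "Error") from the custom rule.

    c2.Value (mobile) is used as the regular-expression PATTERN and c1.Value
    (phone) as the input string, so the whole value is replaced only when the
    pattern matches all of it.  Returns None when mobile is not a valid pattern
    (hypothetical: the real rule would fail to evaluate rather than issue a claim).
    """
    try:
        return re.sub(mobile, "Error", phone)
    except re.error:
        return None


def anchored_contact_number_claim(phone, mobile):
    """Variant simulating RegExReplace(c1.Value, "^" + c2.Value + "$", "Error").

    Assumption: the rule language allows string concatenation in the Value
    expression.  Anchoring stops a substring from being reported as an overlap,
    but metacharacters inside the mobile value still change the pattern's meaning.
    """
    try:
        return re.sub("^" + mobile + "$", "Error", phone)
    except re.error:
        return None


def app_check(claim_value):
    """Application-side interpretation of the http://claim/ContactNumber value."""
    if claim_value is None:
        return "rule-error"   # invalid pattern: no usable claim was produced
    if claim_value == "Error":
        return "equal"        # whole value replaced: the numbers matched
    if "Error" in claim_value:
        return "overlap"      # partial replace: one number sits inside the other
    return "different"        # no match: the claim still carries the phone number


def evaluate_all(users, rule=contact_number_claim):
    """Run the chosen rule over every user and return name -> verdict."""
    return {name: app_check(rule(phone, mobile)) for name, (phone, mobile) in users.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all(SAMPLE_USERS).items():
        print(f"{name}: {verdict}")
    print("anchored:", evaluate_all(SAMPLE_USERS, anchored_contact_number_claim))
```

Note that "dave" is reported as "equal" even though the two attribute values differ, because "(0)1234 567890" as a pattern matches "01234 567890"; an application relying on this claim should expect such false positives for numbers stored with formatting characters, and should treat a missing claim (the "erin" case) as a failure to evaluate rather than as "numbers differ".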

Enjoy!
