{"id":12364,"date":"2019-10-10T14:22:33","date_gmt":"2019-10-10T19:22:33","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=12364"},"modified":"2022-01-25T11:27:37","modified_gmt":"2022-01-25T16:27:37","slug":"adfs-rule-language","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=12364","title":{"rendered":"ADFS Rule Language"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tOverview<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tClaim Sets<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tClaim Rules<\/a>\n\t\t\t\t
        \n\t\t\t\t\t
      1. \n\t\t\t\t\t\tClaim Rules For Claim Providers<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
      2. \n\t\t\t\t\t\tClaim Rules For Relying Parties<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n<\/ol>\n\t\t\t
      3. \n\t\t\t\tClaim Rule Language<\/a>\n\t\t\t\t
          \n\t\t\t\t\t
        1. \n\t\t\t\t\t\tSyntax<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
        2. \n\t\t\t\t\t\tCondition Statements<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
        3. \n\t\t\t\t\t\tIssuance Statements<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
        4. \n\t\t\t\t\t\tMultiple Conditions<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
        5. \n\t\t\t\t\t\tAggregate Functions<\/a>\n\t\t\t\t\t\t
            \n\t\t\t\t\t\t\t
          1. \n\t\t\t\t\t\t\t\tEXISTS<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
          2. \n\t\t\t\t\t\t\t\tNOT EXISTS<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
          3. \n\t\t\t\t\t\t\t\tCOUNT<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ol>\n\t\t\t\t\t
          4. \n\t\t\t\t\t\tRegEx<\/a>\n\t\t\t\t\t\t
              \n\t\t\t\t\t\t\t
            1. \n\t\t\t\t\t\t\t\tRegEx Symbols<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
            2. \n\t\t\t\t\t\t\t\tRegEx String Replacement<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ol>\n\t\t\t\t\t
            3. \n\t\t\t\t\t\tQuery Attribute Stores<\/a>\n\t\t\t\t\t\t
                \n\t\t\t\t\t\t\t
              1. \n\t\t\t\t\t\t\t\tSQL Attribute Stores<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
              2. \n\t\t\t\t\t\t\t\tLDAP Attribute Stores<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ol>\n<\/ol>\n\t\t\t\t\t
              3. \n\t\t\t\t\t\tReferences<\/a>\n\t\t\t\t\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
                 <\/div>\n

                Overview<\/h2><\/span>\n

                Claim Sets<\/h3><\/span>\n

                * Incoming claim set<\/p>\n

                * Outgoing claim set<\/p>\n

                Claim Rules<\/h3><\/span>\n

                Claim Rules For Claim Providers<\/h4><\/span>\n

                * Acceptance Rules: accepting claims from claim provider trust<\/p>\n

                Claim Rules For Relying Parties<\/h4><\/span>\n

                * Issuance Tranform Rules: issuing claims for relying party trust, e.g. send email as name id claim<\/p>\n

                * Issuance Authorization Rules: authorizing claims for relying party trust, e.g. permit all users<\/p>\n

                * Delegation Authorization Rules: impersonate users with an privileged account<\/p>\n

                Claim Rule Language<\/h2><\/span>\n

                Syntax<\/h3><\/span>\n

                * Each rule contains two parts:
                \n– Condition statement (if true )
                \n– Issuance statement (then issue\/add claims)<\/p>\n

                * Operators:
                \nEqual: ==
                \nAssign: =
                \nRegular Expression: =~<\/p>\n

                * For example:<\/p>\n

                # if incoming claim set contains\r\n#   claim type \"http:\/\/contoso.com\/department\"\r\nc:[Type == \"http:\/\/contoso.com\/department\"]\r\n# then issue\r\n#   claim type \"http:\/\/adatum.com\/department\" \r\n#   with the same value as incoming claim\r\n=> issue[Type = \"http:\/\/adatum.com\/department\", Value = c.Value);\r\n<\/pre>\n
                Condition Statements<\/h3><\/span>\n
                * Properties that can be checked:
                \n– Type
                \n– Value
                \n– Issuer
                \n– OriginalIssuer
                \n– ValueType<\/p>\n
                * Examples:<\/p>\n
                # Check for Type only\r\nc:[Type == \"http:\/\/contoso.com\/department\"]\r\n=> issue[Type = \"http:\/\/adatum.com\/department\", Value = c.Value);\r\n\r\n# Check for both Type and Value\r\nc:[Type == \"http:\/\/contoso.com\/department\" Value == \"Sales\"]\r\n=> issue[Type = \"http:\/\/adatum.com\/department\", Value = c.Value);\r\n\r\n# Blank or missing condition statement means always true\r\n=> issue[Type = \"http:\/\/adatum.com\/department\", Value = c.Value);\r\n<\/pre>\n
                Issuance Statements<\/h3><\/span>\n
                * Two types:
                \n– Add: adds claim to incoming claim set
                \n– Issue: adds cliam to outgoing claim set<\/p>\n
                * Issue examples:<\/p>\n
                # Issue a claim with\r\n#   type: \"http:\/\/adatum.com\/department\"\r\n#   value: \"Sales\"\r\n=> issue[Type = \"http:\/\/adatum.com\/department\", Value = \"Sales\");\r\n\r\n# Issue incoming claim as is\r\nc:[Type == \"http:\/\/contoso.com\/department\"]\r\n=> issue(claim = c);\r\n\r\n# Issue all available claims\r\nc:[] => issue(claim = c);\r\n<\/pre>\n
                * Add examples:<\/p>\n
                # Add a claim with\r\n#   type: \"http:\/\/adatum.com\/department\"\r\n#   value: \"Sales\"\r\n=> add[Type = \"http:\/\/adatum.com\/department\", Value = \"Sales\");\r\n<\/pre>\n
                Multiple Conditions<\/h3><\/span>\n
                * AND multiple conditions: &&<\/p>\n
                * OR multiple conditions: create separate claims<\/p>\n
                * Combine multiple values: +<\/p>\n
                * Examples:<\/p>\n
                # If incoming claim set contains both\r\n#  claim type: \"http:\/\/contoso.com\/location\"\r\n#  and cliam type: \"http:\/\/contoso.com\/role\"\r\nc1:[Type == \"http:\/\/contoso.com\/location\"] &&\r\nc2:[Type == \"http:\/\/contoso.com\/role\"]\r\n# Then issue a claim\r\n#  type: \"http:\/\/adatum.com\/role\"\r\n#  value: c1.Value + \" \" + c2.Value\r\n=> issue(Type = \"http:\/\/adatum.com\/role\", Value = c1.Value + \" \" + c2.Value);\r\n<\/pre>\n
                Aggregate Functions<\/h3><\/span>\n
                EXISTS<\/h4><\/span>\n
                * Check for the existence of a claim type without regard to number of times it finds<\/p>\n
                * Examples:<\/p>\n
                # Check for existence, i.e. any occurrance, of emailaddress claim type\r\nEXISTS([type == \"http:\/\/contoso.com\/emailaddress\"])\r\n# Then issue a single role claim type\r\n=> issue(type = \"http:\/\/contoso.com\/role\", value=\"Exchange User\");\r\n<\/pre>\n
                NOT EXISTS<\/h4><\/span>\n
                * Check for the abstence of a claim type<\/p>\n
                * Examples:<\/p>\n
                # If location claim type does not exist\r\nNOT EXISTS([type == \"type:\/\/contoso.com\/location\"])\r\n# Then add location claim type with value of \"Unknown\"\r\n=> add(type = \"http:\/\/contoso\/location\", vlaue = \"Unknown\");\r\n\r\n# If use does not have a group claim with value \"ADFSUser\"\r\nNOT EXISTS([type == \"http:\/\/contoso.com\/group\", Value =~ \"^(?!)ADFSUser\"])\r\n$ Then deny user access\r\n=> issue(type = \"http:\/\/schemas.microsoft.com\/authorization\/claims\/deny\", value=\"DenyUsersWithClaim\");\r\n<\/pre>\n
                COUNT<\/h4><\/span>\n
                * Count the number of occurance of a claim type<\/p>\n
                * Examples:<\/p>\n
                # If you have multiple email address claims\r\nCOUNT([type == \"http:\/\/contoso.com\/emailaddress\"]) >= 2\r\n# Then issue a MultipleEmails claim with value true\r\n=> issue(type=\"http:\/\/contoso.com\/Multipleemails\", value=\"True\");\r\n<\/pre>\n
                RegEx<\/h3><\/span>\n
                * Use =~ operator for regex, e.g.<\/p>\n
                # If role claim type value starts with CEO\r\nc:[type == \"http:\/\/contoso.com\/role\", Value =~ \"^CEO\"]\r\n# Then issue claim as is\r\n=> issue(claim = c);\r\n<\/pre>\n
                RegEx Symbols<\/h4><\/span>\n
                * Beginning of line: ^<\/p>\n
                * End of line: $<\/p>\n
                * Force case insensitive: (?!)<\/p>\n
                * OR values: |<\/p>\n
                # Pass through role claims that start with \"ceo\" or \"coo\", case insensitive\r\nc:[type == \"http:\/\/contoso.com\/role\", Value =~ \"^(?!)ceo|coo$\"]\r\n=>issue(claim = c);\r\n<\/pre>\n
                * Matches any characters zero or more times: .*<\/p>\n
                * Matches preceding character zero or more times: *<\/p>\n
                * Matches preceding character one or more times: +<\/p>\n
                Value =~ \"(?!)DC.*Office\" # matches \"DC Office\" or \"DC Regional Office\" etc. case insensitive\r\nValue =~ \"(?!)yaho*\" # matches \"yah\" or \"yaho\" or \"yahoooooo\" etc. case insensitive\r\nValue =~ \"(?!)yaho+\" # matches \"yaho\" (not \"yah\" though) or \"yahoo\" or \"yahoooooo\" etc. case insensitive\r\n<\/pre>\n
                RegEx String Replacement<\/h4><\/span>\n
                * Use RegExReplace function:<\/p>\n
                  RegExReplace(\r\n\t\"string_to_search\", \r\n\t\"string_to_match_regex_expression\", \r\n\t\"string_used_to_replace_matches)\r\n<\/pre>\n
                * Examples<\/p>\n
                RegExReplace(c.Value, \"(?!)directory\",\"Manager\"); # relace all matching occurrance of \"directory\" (case insensitive) with \"Manager\" so \"IT Directory\" will become \"IT Manager\"\r\n<\/pre>\n
                Query Attribute Stores<\/h3><\/span>\n
                * Default attribute store: Active Directory<\/p>\n
                * Also supports:
                \n– SQL attribute stores
                \n– LDAP attribute stores<\/p>\n
                SQL Attribute Stores<\/h4><\/span>\n
                * If user is located in SQL database attribute store, claim rule language can
                \n– query SQL database
                \n– and generate claims based on the information in the database<\/p>\n
                * Can only use string type as input and\/or output parameters<\/p>\n
                * Examples:<\/p>\n
                # If incoming claims contains emailaddress claim type\r\nc:[type == \"http:\/\/contoso.com\/emailaddress\"]\r\n# Query SQL database for age and puchasinglimit using the emailaddress value as input parameter\r\n# and issue two outgoing claims using the values retured from database query\r\n# with \"Custom SQL Store\" as the issuer\r\n=> issue(store=\"Custom SQL Store\", types = (\"http:\/\/contoso.com\/age\", \"http:\/\/contoso.com\/purchasinglimit\"), query = \"SELECT age,purchasinglimit FROM users WHERE email={0}\", param = c.value);\r\n<\/pre>\n
                LDAP Attribute Stores<\/h4><\/span>\n
                * Format:<\/p>\n
                # For generic LDAP\r\nQUERY = \"query_filter;\"\r\n\r\n# For AD only\r\nQUERY = \"QUERY_FILTER;ATTRIBUTES;DOMAIN_NAME\\USERNAME\"\r\n\r\n# If query_filter is missing, it defaults to:\r\nsamAccountName={0}\r\n<\/pre>\n
                * Examples:<\/p>\n
                # If incoming claims contains emailaddress claim type\r\nc:[type == \"http:\/\/contoso.com\/emailaddress\"]\r\n# Query LDAP for age and puchasinglimit using the emailaddress value as input parameter\r\n# and issue two outgoing claims using the values retured from LDAP query\r\n# with \"Custom LDAP Store\" as the issuer\r\n=> issue(store=\"Custom LDAP Store\", types = (\"http:\/\/contoso.com\/age\", \"http:\/\/contoso.com\/purchasinglimit\"), query = \"mail={0};age,purchasinglimit\", param = c.value);\r\n\r\n# Extract memberOf using windowsaccountname to query AD\r\nc:[Type == \"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/windowsaccountname\", Issuer == \"AD AUTHORITY\"]\r\n# add to working set claim type: \"http:\/\/test.com\/phase1\"\r\n=> add(store = \"Active Directory\", types = (\"http:\/\/test.com\/phase1\"), query = \";memberOf;{0}\", param = c.Value);\r\n<\/pre>\n
                * Query Active Directory and send multiple claims in one query:<\/p>\n
                \r\n@RuleName = \"Another example\"\r\nc:[Type == \"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/windowsaccountname\", Issuer == \"AD AUTHORITY\"]\r\n=> issue(store = \"Active Directory\",\r\n    types = (\"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress\",\r\n             \"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/name\",\r\n             \"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/nameidentifier\",\r\n             \"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/givenname\",\r\n             \"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/surname\"), query = \";mail,displayName,userPrincipalName,givenName,sn;{0}\", param = c.Value);\r\n<\/pre>\n
                References<\/h2><\/span>\n
                * Understanding Claim Rule Language in AD FS 2.0 & Higher<\/a><\/p>\n
                * Attribute Stores<\/a><\/p>\n
                * AD FS 2.0: Using RegEx in the Claims Rule Language<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
                Overview Claim Sets * Incoming claim set * Outgoing claim set Claim Rules Claim Rules For Claim Providers * Acceptance Rules: accepting claims from claim provider trust Claim Rules For Relying Parties * Issuance Tranform Rules: issuing claims for relying … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-12364","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-3dq","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/12364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12364"}],"version-history":[{"count":5,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/12364\/revisions"}],"predecessor-version":[{"id":12819,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/12364\/revisions\/12819"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}