Tuesday, June 18, 2013

ADFS : “Problem” with “Token-Groups–Unqualified Names”


ADFS has this clever feature where if you select this mapping in the claims rules and map it to Roles, you will get a set of roles claims that contain all the groups for the authenticated user e.g.

http://schemas.microsoft.com/ws/2008/06/identity/claims/role  Role1

That’s well and good when the groups are “flat” i.e. the groups are not memberOf other groups.

If they are, then this mapping will work it’s way up the hierarchy and display ALL the groups.

So if Joe is a memberOf Role1 and if Role1 is a memberOf Role2, then ADFS will construct:

http://schemas.microsoft.com/ws/2008/06/identity/claims/role Role1

http://schemas.microsoft.com/ws/2008/06/identity/claims/role Role2

Now that’s fine if that’s what you want but if Joe has 20 roles and all these roles are at the bottom of a whole pile of other roles you end up with many, many claims and a complete mess!

So what to do if you only want the bottom layer i.e. the actual memberOf.

If you go have a look via ADUC, guess what? memberOf is not displayed as an attribute!


To see it as an attribute in the attribute list, you need to click the “Filter” box (bottom right) in “Attribute Editor” and then select “Backlinks”.

OK – so what if we set up a claims rule mapping memberOf to Roles?

So we type memberOf into the LDAP attribute field (it is actually editable) and note that it displays as “Is-Member-Of-DL”.


What we get back is the whole CN e.g.


when what we got before was just Role1.

Enter stage left Joji Oshima. He da man!

Refer: AD FS 2.0 Claims Rule Language Part 2.

and have a look at “Problem 1” which is exactly the scenario described above.

Problem solved!



Reza said...

Thanks for your info. But I have several questions:

1. After selecting "Is-Member-Of-DL" in the LDAP Attribute section, which option I should select in the Outgoing Claim Type section?

2. What are the differences among Group and Role options in Outgoing Claim Type section?

nzpcmad said...

Outgoing Claim Type = Role

Claim Types are just URI i.e. they are just strings.

Groups and Roles are essentially just different names so your application can distinguish between them.

However, Role claims allow you to write code like:

User.IsInRole ("abc");

Aaron Forster said...

I know this is a little old but I wanted to point a couple of things out.

Near the end you're talking about the results you get back.


What we get back is the whole CN e.g.


when what we got before was just Role1.

A) That's called a DN. A distinguished name. The Common Name (CN) of that entry is Role1. It's distinguished name is what distinquishes it from any other entry in the database. Which is significant because

B) Getting the entire DN isn't a problem, it's a benefit. LDAP directories will hapily let you create multiple groups with the same name if they are in different portions of the directory tree. CN=Role1,OU=Sales,OU=example,DC=com and CN=Role1,OU=Engineering,OU=company,DC=com are two completely different groups. Now if all I'm using for security is Role I've just allowed my sales team to access a resource I'm trying to lock down to Engineers.

nzpcmad said...

Thanks for the input.

Good Point!