Posted in : Active Directory, ADFS, Microsoft, Windows By Tobias Sandberg

4 years ago

In this post I will quickly demonstrate how to issue an ADFS claim that depends on two different conditions. This specific case is about the password expiry claims, which we only want to issue for users that are members of a specific Active Directory group.

First we need to add an Issuance Transform Rule using the Send Claims Using a Custom Rule template. The purpose of this rule is to fetch all groups for the current user from Active Directory. In this scenario we named it Get all groups for user.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

After the first rule we need to add a second Custom Rule.
It checks two things: first, it looks for a specific group (in this scenario specified as AD GROUP, which needs to be changed to match your own group) among the role claims populated by the previous rule, bound here as c. Second, it checks for the passwordexpirationtime claim and binds it as c1. Please note that there is a 14-day window for passwordexpirationtime, so the issued claims will only be populated if the password expires within 14 days. In this scenario we named the rule Pass through password expiry info to selected users.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "AD GROUP"]
&& c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
=> issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);

If the AD group matches and passwordexpirationtime is populated, an expiry notification will be shown to the user in the supported applications.
So if the user logging in is a member of the group AD GROUP and the password will expire in 14 days or less, a notification will be shown as in the picture below.

Update 2019-10-31
It is possible to achieve this with just one Custom Rule, as described in the Microsoft documentation. Instead of resolving group names, the rule matches the groupsid claim against the SID of the group, so replace S-1-X-X-XXXXXXXXX-XXXXXX with the SID of your own group.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-X-X-XXXXXXXXX-XXXXXX", Issuer == "AD AUTHORITY"]
&& c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
=> issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);
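The two rules above and the single-rule variant from the update can be applied to a relying party trust from PowerShell rather than through the ADFS management console. The script below is an added example and is not part of the original post; it assumes a relying party trust named Example RP and a group named AD GROUP, resolves the group SID with Get-ADGroup so that the single-rule variant does not depend on a placeholder, and appends the rules to the trust's existing rule set instead of overwriting it.

```powershell
# Added example (not from the original post): apply the password expiry claim
# rules described above to one relying party trust using the ADFS and
# ActiveDirectory PowerShell modules. Run on an ADFS server as a local
# Administrator. Assumed names: relying party trust 'Example RP', group 'AD GROUP'.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName    = 'Example RP'   # assumption: relying party trust to update
$groupName = 'AD GROUP'     # assumption: AD group whose members get expiry claims

# Resolve the group's SID once. Matching on the SID (variant B) is preferable to
# matching on the display name, because a renamed group keeps its SID.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# Variant A: the two rules from the post. The first rule uses add(), so the role
# claims only feed later rules in the pipeline and are never sent to the
# relying party. The tokenGroups query typically returns domain-qualified names
# (DOMAIN\GroupName), so verify the Value with a test sign-in before relying on it.
$twoRules = @"
@RuleName = "Get all groups for user"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Pass through password expiry info to selected users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "$groupName"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
 => issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);
"@

# Variant B: the single rule from the 2019-10-31 update, with the SID filled in.
$oneRule = @"
@RuleName = "Pass through password expiry info to selected users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
 => issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);
"@

# Pick one variant; both issue the same three claims for the same users.
$newRules = $oneRule

# Keep the rules the trust already has and append the new ones. Overwriting
# IssuanceTransformRules wholesale would silently drop existing claims.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $newRules)

# Show the stored rule set so the change can be reviewed.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Whichever variant is chosen, the claims only reach the application for users who satisfy both conditions, and the passwordexpirationtime claim itself is only present when the password is within the 14-day window.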

If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.

Tags : activedirectory, ad, ADFS, claim, claims, custom rule, Issuance Transform Rule, password, password expiry, passwordexpirationtime, passwordexpiry, rule, Send Claims Using a Custom Rule

Personal consulting

We offer personal consulting with the author for 1400 SEK per hour. Register your interest here and we will get back to you as soon as we can.
