ADFS: Manipulating EmployeeID for correct claim

You may need to match your EmployeeID with an external party for SSO when they use more characters than you have in your AD, so you need to put a zero in front of it. I needed 7 characters, while in my Active Directory I had 6. The 3rd party had an extra zero in front of it.

You need to add extra claim rules: 2 buffer claims and a 3rd claim which manipulates the 2 buffers. RegExReplace is the solution.

Problem

Employee numbers vary in length, but we need to have exactly 7 characters in the claim value.  Employee numbers that are shorter than 9 characters should be padded in the front with leading zeros.

Solution:

In this case we can create a buffer claim, join that with the employee number claim, and then use RegEx to keep the rightmost 9 characters of the combined string.

EmployeeID to NameID

Phase 1: Create a buffer claim to create the zero-padding
=> add(Type = "Buffer", Value = "0000000");

Phase 2: Pull the employeeNumber attribute from Active Directory, place it in a holding claim
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("ENHolder"), query = ";employeeNumber;{0}", param = c.Value);

Phase 3: Combine the two values, then use RegEx to remove all but the 9 rightmost characters.
c1:[Type == "Buffer"] && c2:[Type == "ENHolder"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = RegExReplace(c1.Value + c2.Value, ".*(?=.{7}$)", ""));

Digging Deeper: RegExReplace(c1.Value + c2.Value, ".*(?=.{7}$)", "")

  • c1.Value + c2.Value is the employee number padded with nine zeros. This is what we are searching in.
  • ".*(?=.{7}$)" represents the last nine characters of a string. This is what we are searching for. We could replace the 9 with any number and have it represent the last "X" number of characters.
  • "" is the replacement value. Since there is no string, it effectively removes any matches.
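
The padding logic of the three rules can be checked offline before the rule set is put on a relying party trust. This is an added PowerShell example, not code from the original post: it applies the same .NET regex with the seven-zero buffer and `{7}` from the rules above, and the function name `Get-PaddedNameId` and the sample employee numbers are constructed for illustration. It also flags values longer than the width, which the pattern cuts down to their rightmost characters, so two different employees can end up with the same NameID.

```powershell
# Added example: offline emulation of Phases 1-3 of the claim rules.
# Get-PaddedNameId and the sample values are constructed for illustration.
function Get-PaddedNameId {
    param(
        [string]$EmployeeNumber,
        [int]$Width = 7          # matches "0000000" and {7} in the rules
    )

    $buffer   = '0' * $Width                      # Phase 1: Buffer claim
    $combined = $buffer + $EmployeeNumber         # Phase 3: c1.Value + c2.Value
    $pattern  = '.*(?=.{' + $Width + '}$)'        # same pattern as RegExReplace
    $nameId   = [regex]::Replace($combined, $pattern, '')

    [pscustomobject]@{
        EmployeeNumber = $EmployeeNumber
        NameId         = $nameId
        # Longer than $Width: leading characters are dropped, not padded
        Truncated      = $EmployeeNumber.Length -gt $Width
        # Anything but digits (spaces, letters) is passed through unchanged
        NonDigit       = $EmployeeNumber -notmatch '^\d+$'
    }
}

# Constructed sample values standing in for employeeNumber from AD
$samples = '123456', '42', '1234567', '91234567', 'A12345'
$results = $samples | ForEach-Object { Get-PaddedNameId -EmployeeNumber $_ }
$results | Format-Table -AutoSize

# Different directory values that collapse to the same NameID
$results | Group-Object NameId | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("NameID {0} is issued for: {1}" -f $_.Name,
        ($_.Group.EmployeeNumber -join ', '))
}
```

Running it against an export of the real employeeNumber values shows whether any account would be truncated or would share a NameID with another account before the external party sees the claim.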
