Is there a simple way to issue multiple claims in a single ADFS Claim rule? The only example I can see is ones which query an attribute store, and each retrieved column is mapped to a different claim type.
I tried an "obvious" approach of using Types rather than Type, putting the two types in brackets (as per the SQL example), but then I need to supply multiple values, so I thought to use Values rather than Value. But it chokes at the Types part anyway.
This doesn't work:
c:[Type == incomingClaim, Value =~ incomingMatch]
=> issue(Types = (type1,type2), Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
Values = (value1,value2), ValueType = c.ValueType);
Where incomingClaim, type1, type2, value1 and value2 are simple string literals, and incomingMatch is a regex.
Of course, I could do this as multiple claim rules, but I was hoping to keep things simple for now. – There are going to be ~5 outgoing claims, for now, but I want to set up some users to get all of the claims without having to set up 5 rules. The number of claims will increase as time goes by.
(I've only tagged as ADFS – I can't see any other obvious tags to include)
Best Answer
An ADFS rule is composed of a condition, the => token, a command (issue or add), and is terminated with a semicolon. You cannot issue multiple literals per rule, but you can use PowerShell to make it easier to work with. Instead of going into the UI and going through that wizard 5 times, you can use Set-AdfsRelyingPartyTrust to set all of the rules at once.
where rules.txt looks like
The difference relative to the UI? I used copy and paste.
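The approach the answer describes (one claim per rule, all rules pushed in a single Set-AdfsRelyingPartyTrust call), as an added example that is not code from the original answer. It assumes a relying party trust named "Example RP", the standard WS-Federation name claim as the incoming claim, a placeholder regex, and placeholder outgoing claim types and values; change these for your environment. It generalizes the answer slightly by generating the rules from a list, so adding a sixth claim later is one more list entry rather than another trip through the wizard.

```powershell
# Added example, not code from the original answer. It assumes a relying party trust
# named "Example RP", the standard WS-Fed name claim as the incoming claim, and
# placeholder claim types/values; change these for your environment.
# Run on an ADFS server as an ADFS administrator (the ADFS module loads automatically).

$rpName        = "Example RP"                                                   # assumed relying party name
$incomingType  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"  # incoming claim to test
$incomingMatch = '^(alice|bob)@example[.]com$'                                  # assumed regex on its value

# One entry per outgoing claim; add entries here as the number of claims grows.
$outgoing = @(
    @{ Type = "http://example.com/claims/type1"; Value = "value1" }
    @{ Type = "http://example.com/claims/type2"; Value = "value2" }
    @{ Type = "http://example.com/claims/type3"; Value = "value3" }
    @{ Type = "http://example.com/claims/type4"; Value = "value4" }
    @{ Type = "http://example.com/claims/type5"; Value = "value5" }
)

# Each issue() statement produces exactly one claim, so generate one rule per entry.
# Note: the here-string terminator "@ must start at column 1.
$rules = foreach ($claim in $outgoing) {
@"
@RuleName = "Issue $($claim.Type)"
c:[Type == "$incomingType", Value =~ "$incomingMatch"]
 => issue(Type = "$($claim.Type)", Value = "$($claim.Value)", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
}

# -IssuanceTransformRules / -IssuanceTransformRulesFile replace the whole rule set,
# so prepend the rules already on the trust if they should survive.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$ruleText = (@($existing) + $rules | Where-Object { $_ }) -join "`r`n`r`n"

# Write rules.txt so it can be reviewed (and kept under version control), then apply in one call.
Set-Content -Path .\rules.txt -Value $ruleText -Encoding UTF8
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRulesFile .\rules.txt

# Verify what ADFS now holds for this trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Two things worth checking before running this against a production trust: inspect rules.txt first, because a single bad rule causes the whole set to be rejected, and remember that the cmdlet replaces all issuance transform rules on the trust rather than appending, which is why the existing rules are read back and prepended above.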