Question

I have a question about claims-based authentication. I have set up a webapp with claims and the claims are populated. Both authentication as well as authorization are working. But suppose my user has two claims: country and manager. And I now want to authorize all German managers to a certain resource. I would have to check for a combination of both; so a user having the 'Germany' country claim and the 'Yes' flag for manager.

Is this possible, or do I have to write some logic to combine the two into one and use that one for authentication, for instance saying 'German Manager'?


Solution

Your second guess is right, you have to write some logic to combine the two: merge both claims into a new claim, and give rights to this new claim.

When you say "claims based authentication", which provider are you using? Windows or trusted IDP (typically ADFS)?

If you're using ADFS, you could use the claims rule language in ADFS to add more claims to the user token. Alternatively, on the SharePoint side, you could write a custom claim provider to create a new claim.

For instance, incoming claims:

Outgoing claims:

Edit: another option: buy a third-party tool, such as EmpowerID or some SaaS solution, to do the merging for you.
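As an added illustration of the ADFS claims-rule approach (not part of the original answer), here is a single custom issuance rule that emits the merged claim only when both incoming claims match, so the relying party never has to combine them itself. The manager claim type URI and the outgoing role value are assumed names chosen for this example; the country claim type is the standard one.

```text
@RuleName = "Issue GermanManager role only when country is Germany AND manager is Yes"
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country", Value == "Germany"]
 && c2:[Type == "http://contoso.example/claims/manager", Value == "Yes"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "GermanManager");
```

Because the merged claim is issued by the trusted IdP rather than derived in the web app, the authorization check on the SharePoint side stays a single role-claim lookup, and a user who has only one of the two source claims never receives it.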

Licensed under: CC-BY-SA with attribution