Question

This is probably a very basic question about AD FS 2.0 claim rule design that I haven't found an answer to (newbie). I'm probably missing something very basic, but here goes.

I'm deploying a federation within a company. The company users will be able to browse to a web application A, B, C, etc. Each app will have its own subdomain URL, e.g. app-a.company.org, app-b.company.org, etc. When the application redirects to its trusted STS landing page I want the return URL to be passed to the STS. In the STS claim rules I want to extract that return URL and perform a database lookup, e.g. for the current user and the application with URL "app-a.company.org" I want all roles that the user has in that application (e.g. admin, superuser, purchaser, whatever).

My questions are:

  1. How do I pass along the return URL to the STS?
  2. How do I write the claim rule? (I know how to make the database lookup and issue the results, but I don't know how to retrieve the return URL or any other custom parameter for that matter in a claim rule).

Cheers,

Linus


Solution

Now that I know a bit more I'm going to answer my own questions. Mostly this issue seems to be a confusion over terminology.

I was under the impression that I needed to create a global rule for all applications in the STS. This is not the case. Instead, it is possible to write rules for separate applications (these applications are known as Relying Party Trusts in AD FS terminology, i.e. an entity that trusts whatever claims the STS issues). The relation between the STS and the application is 1:1.

In my case I needed the app domain to serve as the unique identifier because I needed to query a database (aka Attribute Store) at a later point to get more attributes. Since application-specific rules can be written and the relation between the STS and the app is 1:1, I simply created a rule with the domain name hardcoded.

So to answer my numbered questions above:

  1. No need to pass it along to the STS since the Relying Party Trust relation serves as the permanent connection between the two.
  2. Hardcode a simple unconditional issuance (or add) claim rule, i.e. => issue(type = "http://myclaims/appdomain", value = "app-a.company.org")
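The following is an added example, not part of the original question or answer, showing how the two pieces of the answer fit together on an AD FS 2.0 server: a hardcoded app-domain claim on one Relying Party Trust, followed by a SQL attribute store lookup that turns that claim plus the user's UPN into role claims. The trust name "App A", the store name "RolesDB", the connection string, and the table and column names in the query are assumptions to replace with your own values.

```powershell
# Added example (not the original poster's code). Run in an elevated PowerShell
# session on the AD FS 2.0 server. Names marked "assumed" are placeholders.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 cmdlets

# 1. Register the SQL attribute store once. AD FS connects as its service account,
#    so that account only needs SELECT on the roles table (assumed connection string).
Add-ADFSAttributeStore -Name "RolesDB" -StoreType SQL -Configuration @{
    "Connection" = "Server=sqlhost;Database=AppRoles;Integrated Security=True"
}

# 2. Issuance transform rules for this one Relying Party Trust. Rules run in order,
#    so the hardcoded domain claim and the UPN claim exist before the SQL rule runs.
$rules = @'
@RuleName = "App domain (hardcoded per Relying Party Trust)"
=> issue(Type = "http://myclaims/appdomain", Value = "app-a.company.org");

@RuleName = "UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Roles for this user in this app (SQL attribute store, assumed schema)"
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 && c2:[Type == "http://myclaims/appdomain"]
 => issue(store = "RolesDB",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = "SELECT RoleName FROM UserAppRoles WHERE Upn = {0} AND AppDomain = {1}",
          param = c1.Value, param = c2.Value);
'@

# Replace the trust's existing transform rules with the set above ("App A" is assumed).
Set-ADFSRelyingPartyTrust -TargetName "App A" -IssuanceTransformRules $rules

# 3. Read back what was stored to confirm the rule text was accepted.
(Get-ADFSRelyingPartyTrust -Name "App A").IssuanceTransformRules
```

Each additional application gets its own trust with its own copy of the first rule and a different hardcoded domain; nothing from the browser redirect is needed, which is the point of the answer. The `{0}` and `{1}` placeholders are bound by AD FS as query parameters rather than spliced into the SQL text, so claim values coming from the user's session do not alter the query. Keep the role claim type on the relying party side in step with whatever the application's role check expects.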
Licensed under: CC-BY-SA with attribution