In our system, we have users registered from different domains (let's say their mail addresses are @gmail.com, @outlook.com, @yahoo.com). I have a requirement to restrict a user's access to the RP based on the domain he comes from. For this setup, I tried to configure an Issuance Authorization rule in ADFS (to allow users only from a particular domain) with the rule below:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "gmail.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

I was passing the email address claim through the issuance authorization rule tab, so I didn't initialize the input in the authorization rule set as mentioned in the TechNet link (under the "Sending the execution output to the claims pipeline" section):

After the entire process has run for a given rule set (steps 1, 2, and 3), the newly issued outgoing claims (content of the output claim set) will be used as input to the next rule set in the claims pipeline. This allows for claims to flow from the output of one rule set to the input for another rule set, as shown in the following illustration.

But the authorization doesn't seem to work.


Solution

The claims configured in the first tab (Issuance Transform Rules) are not passed to the second tab (Issuance Authorization Rules).

So we need to repeat the process in the second tab (map emailaddresses -> emailaddress), as shown below.

(Screenshot: Issuance Authorization Rule configuration)

Now the custom rule works perfectly.

If you need to add a few more email domains to the acceptance criteria, just use the "|" symbol:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "yahoo.com$|gmail.com$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true"); 
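As an added example (not code from the question or the answer above), the following PowerShell script shows the same two-rule-set setup scripted against the ADFS module instead of the management console: the transform rule set that issues the emailaddress claim, and an authorization rule set that looks the e-mail address up again (since, as the answer explains, the transform output is not available there) before evaluating the domain match. It also checks the domain pattern locally with .NET regex, which is the engine ADFS uses for `=~`. The RP name "Contoso RP", the LDAP attribute `mail` as the source of the address, the allowed-domain list and the sample addresses are all assumptions made for this illustration. The pattern it builds escapes the dot and anchors on "@", which is tighter than the `gmail.com$|yahoo.com$` form above: that form also accepts addresses such as `user@notgmail.com`.

```powershell
# Added example: script both ADFS rule sets on a relying party trust and
# sanity-check the domain regex with the same .NET engine ADFS uses.
# Assumptions (hypothetical): RP named "Contoso RP", e-mail address held in
# the AD attribute "mail", allowed domains gmail.com and yahoo.com.

$RpName = "Contoso RP"
$AllowedDomains = @("gmail.com", "yahoo.com")

# Builds e.g. "(?i)@(gmail\.com|yahoo\.com)$": dots escaped, anchored on "@"
# and end of string, case-insensitive because the domain part of an address is.
function New-DomainPattern {
    param([string[]]$Domains)
    $escaped = $Domains | ForEach-Object { [regex]::Escape($_) }
    return "(?i)@(" + ($escaped -join "|") + ")$"
}

$pattern = New-DomainPattern -Domains $AllowedDomains

# Issuance transform rules (first tab): issue the emailaddress claim to the RP.
$TransformRules = @"
@RuleName = "Send e-mail address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
"@

# Issuance authorization rules (second tab): the transform output is not in the
# input here, so the address is queried again. add() puts it in this rule set's
# input for the next rule without issuing it; then the domain is matched.
$AuthorizationRules = @"
@RuleName = "Look up e-mail address for authorization"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Permit allowed e-mail domains"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "$pattern"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Local check of the pattern against constructed sample addresses (no ADFS needed).
function Test-DomainPattern {
    param([string]$Pattern, [string[]]$Addresses)
    foreach ($a in $Addresses) {
        [pscustomobject]@{ Address = $a; Permitted = [regex]::IsMatch($a, $Pattern) }
    }
}

Test-DomainPattern -Pattern $pattern -Addresses @(
    "alice@gmail.com",               # permitted
    "Bob@YAHOO.COM",                 # permitted: domain part is case-insensitive
    "eve@notgmail.com",              # denied: passes an unanchored "gmail.com$"
    "mallory@gmail.com.example.net", # denied
    "carol@outlook.com"              # denied
) | Format-Table -AutoSize

# Write both rule sets to the RP trust. Needs the ADFS module and an ADFS
# administrator session; without -Apply this only reports a dry run.
function Set-RpDomainRules {
    param([string]$Name, [string]$Transform, [string]$Authorization, [switch]$Apply)
    if (-not $Apply) { Write-Host "Dry run; pass -Apply to update '$Name'."; return }
    Import-Module ADFS
    Set-AdfsRelyingPartyTrust -TargetName $Name `
        -IssuanceTransformRules $Transform `
        -IssuanceAuthorizationRules $Authorization
    # Echo back what was stored so the result can be eyeballed.
    (Get-AdfsRelyingPartyTrust -Name $Name).IssuanceAuthorizationRules
}

Set-RpDomainRules -Name $RpName -Transform $TransformRules -Authorization $AuthorizationRules
```

`Set-AdfsRelyingPartyTrust` replaces the whole rule set string for each tab, so include every rule the RP needs in `$TransformRules` and `$AuthorizationRules`, not just the domain rules. Using `add()` rather than `issue()` in the authorization set keeps the address out of that set's output; only the permit claim matters there anyway.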
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow