Summary
The following is the ADFS claim rule set for the FooBar client's application.
```
@RuleTemplate = "LdapClaims"
@RuleName = "AD Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "user.firstName", "user.lastName"), query = ";sAMAccountName,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Contoso-CoolGroup-Admin"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-8-8-88-8888888888-888888808-80888888-888888", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Contoso-CoolGroup-Admin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Contoso-CoolGroup-SSO"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-9-9-99-9999999999-999999909-90999999-999999", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.somevendor.com/ws/2021/10/identity/AccessGroup", Value = "Contoso-CoolGroup-SSO", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
```
Explanation of the above rules:
- AD Attributes rule:
  - Template: LdapClaims
  - Name: AD Attributes
  - Condition: the incoming claim type is a Windows account name issued by AD AUTHORITY.
  - Action: issue new claims for the user's name identifier, first name, and last name by querying Active Directory for the sAMAccountName, givenName, and sn attributes of the account named in the incoming claim.
- Contoso-CoolGroup-Admin group claim rule:
  - Template: EmitGroupClaims
  - Name: CSOC-SG-CineNet-Admin
  - Condition: the incoming claim type is a group SID with a specific value, indicating membership in the Contoso-CoolGroup-Admin group, issued by AD AUTHORITY.
  - Action: issue a role claim with the value Contoso-CoolGroup-Admin, carrying over the issuer and original issuer from the incoming claim.
- Contoso-CoolGroup-SSO group claim rule:
  - Template: EmitGroupClaims
  - Name: Contoso-CoolGroup-SSO
  - Condition: the incoming claim type is a group SID with a different specific value, indicating membership in the Contoso-CoolGroup-SSO group, issued by AD AUTHORITY.
  - Action: issue an access group claim with the value Contoso-CoolGroup-SSO, carrying over the issuer and original issuer from the incoming claim.
The SAML assertion will carry the following claim/value pairs in its payload. The same claims should be generated by the Entra ID SSO configuration.

| Claim | Value |
| --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | UserPrincipalName |
| user.firstName | givenName |
| user.lastName | sn |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Contoso-CoolGroup-Admin |
| http://schemas.somevendor.com/ws/2021/10/identity/AccessGroup | Contoso-CoolGroup-SSO |
Step-by-step claims configuration in Entra ID:
1. Create an enterprise application in Entra ID.
2. Create the single sign-on claims rules.
3. Using the Application ID, go to the app registration of the enterprise application.
4. Create the roles as specified in the claims rules, e.g. CSOC-SG-CineNet-Admin and CSOC-SG-CineNet-SSO.
5. Go to the enterprise application, add the above two groups and assign the roles respectively.
6. Go to Single Sign-On and add the two claims with the "user.assignedroles" attribute.
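As an added example (not part of the original post), a Python script that parses the EmitGroupClaims rules above, derives the app role values to create in step 4, and returns the claims a token must carry for a given set of group SIDs, so an Entra ID assertion can be checked against what ADFS would have issued. The rule text is embedded as constructed input with straight quotes; the regexes and function names are this example's own assumptions.

```python
import re

GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
# Constructed input: the page's two EmitGroupClaims rules, written with the
# ASCII quotes that the ADFS claim rule language actually requires.
ADFS_RULES = '''
@RuleTemplate = "EmitGroupClaims" @RuleName = "Contoso-CoolGroup-Admin"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-8-8-88-8888888888-888888808-80888888-888888", Issuer == "AD AUTHORITY"] =>
issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Contoso-CoolGroup-Admin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
@RuleTemplate = "EmitGroupClaims" @RuleName = "Contoso-CoolGroup-SSO"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-9-9-99-9999999999-999999909-90999999-999999", Issuer == "AD AUTHORITY"] =>
issue(Type = "http://schemas.somevendor.com/ws/2021/10/identity/AccessGroup", Value = "Contoso-CoolGroup-SSO", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'''
# One rule = header, condition inside c:[...], then issue(...); closes the action.
RULE_RE = re.compile(
    r'@RuleTemplate\s*=\s*"(?P<template>[^"]+)"\s*@RuleName\s*=\s*"(?P<name>[^"]+)"\s*'
    r'c:\[(?P<cond>[^\]]*)\]\s*=>\s*issue\((?P<action>.*?)\);', re.S)
# Quoted key/value pairs only; Issuer = c.Issuer and friends are left alone.
KV_RE = re.compile(r'(\w+)\s*==?\s*"([^"]*)"')


def parse_group_rules(text):
    """Map group SID -> (claim type, claim value) for each EmitGroupClaims rule.
    A rule keyed on anything but an AD AUTHORITY group SID, or a duplicate SID
    or role value, is rejected: either would change who receives which claim."""
    mapping, seen_values = {}, set()
    for m in RULE_RE.finditer(text):
        if m["template"] != "EmitGroupClaims":
            continue
        cond = dict(KV_RE.findall(m["cond"]))
        act = dict(KV_RE.findall(m["action"]))
        if cond.get("Type") != GROUPSID or cond.get("Issuer") != "AD AUTHORITY":
            raise ValueError(f"{m['name']}: condition is not an AD group SID")
        if cond["Value"] in mapping or act["Value"] in seen_values:
            raise ValueError(f"{m['name']}: duplicate group SID or role value")
        mapping[cond["Value"]] = (act["Type"], act["Value"])
        seen_values.add(act["Value"])
    return mapping


def entra_app_roles(mapping):
    """App role values to create in the app registration (step 4 above)."""
    return sorted(value for _, value in mapping.values())


def expected_claims(mapping, group_sids):
    """Claim (type, value) pairs a token must carry for a user with these group
    SIDs: what ADFS would issue, and what the Entra ID assertion must match."""
    return {mapping[sid] for sid in group_sids if sid in mapping}
```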
Conclusion
The above method configures role claims in Entra ID equivalent to the ADFS claim rules.