
If you are migrating from a product that normalised the user identifier it received from LDAP, you will want to do the same with ADFS if you are intending to keep personalisations by maintaining the end-user's targetedIDs.

To do so you can now ask the service desk to turn on case normalisation for your connection's unique identifier.

You no longer need to use the method detailed below, but we've left it here in case it's useful or if you prefer to add a custom rule to the claims issuance policy.



In your ADFS management console...

  1. go to the relying party trust you have set up for OpenAthens

  2. select the Edit Claim Issuance Policy option

  3. Add a new rule

  4. Select 'Send Claims Using a Custom Rule' from the drop down

  5. Give it a name and paste the following into the custom rule box:


    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/theSourceClaim"]
     => issue(Type = "claimNameToOutput", Value = RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(c.Value, "A", "a"), "B", "b"), "C", "c"), "D", "d"), "E", "e"), "F", "f"), "G", "g"), "H", "h"), "I", "i"), "J", "j"), "K", "k"), "L", "l"), "M", "m"), "N", "n"), "O", "o"), "P", "p"), "Q", "q"), "R", "r"), "S", "s"), "T", "t"), "U", "u"), "V", "v"), "W", "w"), "X", "x"), "Y", "y"), "Z", "z"));

  6. You will need to edit two things in the above rule:

    1. Where it says "http://schemas.microsoft.com/ws/2008/06/identity/claims/theSourceClaim", change this to the similarly formed attribute that carries the data you used with your old system as the user identifier. There is a list of these in ADFS under Service > Claim Descriptions. Common ones are http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname (sAMAccountName) and http://schemas.microsoft.com/ws/2008/06/identity/claims/upn (user principal name).

    2. Where it says "claimNameToOutput", set the name of the claim you want to pass to OpenAthens. This could be the same as the source claim (e.g. http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname), or could be something like "oa_unique".


  7. Save and make sure it is lower down the list than anything else that might output the same claim name, so that the normalised value is the one that wins.


FAQ

That rule seems... long?

Unfortunately, ADFS claim rules have no lower or upper function and no full regex support, so each letter has to be replaced individually.

What if I want it normalised to upper case?

Swap each pair of letters around, so that "A", "a") becomes "a", "A"), "B", "b") becomes "b", "B"), and so on through to "z", "Z").

Is it the same in Azure?

The rule will be the same, but the interface may be different.
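Hand-typing 26 nested RegExReplace calls is error-prone, so as an added example (not part of this page or of ADFS itself) the following Python script generates the rule from the procedure above for either case direction covered in the FAQ, and previews what the replacements do to a constructed identifier before the rule is deployed. The windowsaccountname source claim and the "oa_unique" output name are the ones this page mentions; the sample identifiers are constructed.

```python
import re
import string

# Claim names taken from this page; change them to match your own trust.
SOURCE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
OUTPUT_CLAIM = "oa_unique"


def case_pairs(to_upper=False):
    """Ordered (pattern, replacement) pairs, one per ASCII letter."""
    pairs = list(zip(string.ascii_uppercase, string.ascii_lowercase))
    if to_upper:
        # Swap each pair around, as the FAQ describes for upper-case output.
        pairs = [(lower, upper) for upper, lower in pairs]
    return pairs


def build_case_rule(source_claim, output_claim, to_upper=False):
    """Emit the ADFS custom rule text: one RegExReplace nested per letter,
    innermost call wrapping c.Value, the same shape as the hand-written rule."""
    expr = "c.Value"
    for pattern, replacement in case_pairs(to_upper):
        expr = f'RegExReplace({expr}, "{pattern}", "{replacement}")'
    return (f'c:[Type == "{source_claim}"]\n'
            f' => issue(Type = "{output_claim}", Value = {expr});')


def emulate_rule(value, to_upper=False):
    """Apply the same 26 replacements in the same order (re.sub replaces every
    match, like RegExReplace) to preview the claim value ADFS would issue."""
    for pattern, replacement in case_pairs(to_upper):
        value = re.sub(pattern, replacement, value)
    return value


if __name__ == "__main__":
    print(build_case_rule(SOURCE_CLAIM, OUTPUT_CLAIM))
    # Constructed sample identifiers in the mixed case an LDAP source might hold.
    # Note that non-ASCII letters such as "Ä" are left untouched by the rule.
    for sample in ("CORP\\JSmith", "Jane.Doe@Example.ORG", "ÄBC"):
        print(sample, "->", emulate_rule(sample))
```

Paste the printed rule into the custom rule box exactly as step 5 describes; the preview shows that only ASCII letters are normalised, so identifiers containing accented characters will not be fully case-folded.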