
Define NameFormat in NameID Element in Beta2

Hi,
I managed to set the NameID element in a SAML 2.0 Assertion (using WebSSO) with the NameIdentifier claim. The element is added without any NameFormat. Is this possible in Geneva's Beta2 or only in the final version?


thanks,
-markus

markus.strehle

You have to set certain properties on the NameIdentifier claim - something like

claim.Properties[ClaimProperties.SamlNameIdentifierFormat] = "..."

Have a look at the ClaimProperties class.

Dominick Baier | thinktecture | http://www.leastprivilege.com
Dominick Baier
Hi,

Thanks for the suggestion, but I mean within the Claim Rule Editor in Geneva Server Beta2, not within .NET Framework programming.

If I add a claim to my Relying Party, e.g.:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Enterprise Active Directory User Account Store", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = "sAMAccountName={0};mail;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

then the mail address is added as the SAML NameID element to the assertion, but without any NameFormat. In SAML terms this means "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified", which is wrong, hence the question:

How can I set "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" as the NameFormat, by changing the claim above or with any other additional claim in the Claim Rule Editor? I checked the Claim Rule Language (http://technet.microsoft.com/en-us/library/dd807118(WS.10).aspx) but don't understand how to add the NameFormat.

thanks,
-markus
markus.strehle

Hi Markus,

You cannot directly set the name identifier format from an extraction rule.

You can extract the mail from the attribute store and put it into the evaluation context (note add instead of issue):

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=>
add(
store = "Enterprise Active Directory User Account Store", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
query = "sAMAccountName={0};mail;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

And then create the name identifier claim from the emailaddress claim using the following advanced rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=>
issue(
Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Value = c.Value,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

Mieszko Matkowski
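To make the add/issue distinction and the format property concrete, here is an added Python model of the two rules above (example code, not from Geneva or from anyone in this thread). The attribute store is a constructed dictionary, the regex is written in Python's (?P<name>) syntax, and Markus's single-rule version is included for contrast to show that it yields a NameID with no Format attribute.

```python
import re
from xml.etree import ElementTree as ET

WINDOWS_ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
FORMAT_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the "Enterprise Active Directory User Account Store"
# (sAMAccountName -> mail); not a real directory lookup.
AD_STORE = {"markus": "markus@example.com"}

def claim(ctype, value, props=None):
    return {"type": ctype, "value": value, "properties": dict(props or {})}

def store_mail(windows_account):
    """Models the query "sAMAccountName={0};mail;{1}": {0} is the user part of DOMAIN\\user."""
    # Python spelling of regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}")
    user = re.sub(r"(?P<domain>[^\\]+)\\(?P<user>.+)", r"\g<user>", windows_account)
    return AD_STORE.get(user)

def single_issue_rule(context):
    """Markus's one-rule version: nameidentifier issued straight from the store, no format property."""
    mails = [store_mail(c["value"]) for c in context if c["type"] == WINDOWS_ACCOUNT]
    return [claim(NAME_ID, m) for m in mails if m]

def two_stage_rules(context):
    """Mieszko's version; returns (context, output). add() feeds only the context, issue() both."""
    context, output = list(context), []
    for c in [c for c in context if c["type"] == WINDOWS_ACCOUNT]:   # rule 1: add(...)
        mail = store_mail(c["value"])
        if mail:
            context.append(claim(EMAIL, mail))
    for c in [c for c in context if c["type"] == EMAIL]:             # rule 2: issue(...)
        nid = claim(NAME_ID, c["value"], {FORMAT_PROP: EMAIL_FORMAT})
        context.append(nid)
        output.append(nid)
    return context, output

def name_id_element(nid):
    """Render a nameidentifier claim as a SAML 2.0 <NameID>; Format appears only if the property is set."""
    el = ET.Element("{%s}NameID" % SAML_NS)
    fmt = nid["properties"].get(FORMAT_PROP)
    if fmt:
        el.set("Format", fmt)
    el.text = nid["value"]
    return el

if __name__ == "__main__":
    inputs = [claim(WINDOWS_ACCOUNT, r"CONTOSO\markus")]
    for nid in single_issue_rule(inputs) + two_stage_rules(inputs)[1]:
        print(ET.tostring(name_id_element(nid), encoding="unicode"))
```

Running it prints the NameID twice: first without a Format attribute (single rule), then with Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" (two-stage rules), while the emailaddress claim added by add() never reaches the output set.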
Hi,
Thanks for your reply. With this code I managed to set the NameID element so that our SAML SP consumes the mail address as defined by the format.
regards,
-markus
markus.strehle
