Friday, January 18, 2013

ADFS : objectGUID as a claim


You may have a business requirement to pass some unique key to the application that is not readily identifiable or editable. There are two possibilities in AD viz. objectSID and objectGUID.

As per SID vs. GUID, objectGUID is the better choice because:

“globally unique identifier (GUID), which is a 128-bit value is unique not only in the enterprise but also across the world” and
“the values of other object properties can change, but the object-GUID never changes. When an object is assigned a GUID, it keeps that value for life”.

So you configure the claim in the normal LDAP attribute manner and when you look at the claims, you see:

http://schemas.company.com/identity/claims/objectguid kzGVAByOYki4z7CdR2yecA==
WTF – that ain’t no GUID? The two equal signs at the end would seem to indicate Base64?

Mr. Google to the rescue and voila: Issuing objectGUID as an ADFS Claim.

So let's test it out. Couldn't be bothered to create a VS project just for this, so the inestimable LINQPad to the rescue.

[Screenshot ScreenShot089: LINQPad output]

And the GUID at the bottom is indeed what is displayed in AD.
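The same decode as an added example (not the post's LINQPad code), using only the claim value shown above. The point it makes explicit is byte order: ADFS issues the raw 16-byte objectGUID attribute, and `uuid.UUID(bytes_le=...)` reads it with the same mixed-endian layout as .NET's `Guid(byte[])`, which is why a plain network-order decode gives a different, wrong GUID.

```python
import base64
import binascii
import uuid

# Base64 objectGUID claim value taken from the post above.
CLAIM_VALUE = "kzGVAByOYki4z7CdR2yecA=="


def claim_to_guid(value: str) -> uuid.UUID:
    """Decode an ADFS objectGUID claim into the GUID that AD displays.

    The claim carries the raw 16-byte attribute, Base64-encoded. The bytes
    use the Windows/.NET Guid layout (first three fields little-endian), so
    they are read with bytes_le, matching new Guid(Convert.FromBase64String(v)).
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"claim value is not valid Base64: {exc}") from exc
    if len(raw) != 16:
        # A malformed or truncated claim must not be treated as a valid key.
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return uuid.UUID(bytes_le=raw)


def guid_to_claim(guid: uuid.UUID) -> str:
    """Inverse: the Base64 form ADFS would issue for a known GUID, so a key
    stored in the application can be compared against an incoming claim."""
    return base64.b64encode(guid.bytes_le).decode("ascii")


def naive_decode(value: str) -> uuid.UUID:
    """Decode ignoring the mixed-endian layout (network byte order).
    Shown only to make the byte-order trap visible; it does NOT match AD."""
    return uuid.UUID(bytes=base64.b64decode(value, validate=True))


if __name__ == "__main__":
    g = claim_to_guid(CLAIM_VALUE)
    print("objectGUID as AD shows it :", g)
    print("naive (wrong byte order)  :", naive_decode(CLAIM_VALUE))
    print("round-trip claim value    :", guid_to_claim(g))
```

Only the `bytes_le` result will match the GUID shown in AD Users and Computers or `Get-ADUser`; store and compare that form, not the naive one.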

Enjoy!

4 comments:

Unknown said...

Just wondering how on earth to get AD to issue an objectGUID claim in the first place? I can't see it when I go to add a rule for it. Any chance on walking me through it?

nzpcmad said...

Sure - no problem.

You are not restricted to the dropdown - refer http://nzpcmad.blogspot.co.nz/2011/09/adfs-selecting-claim-thats-not-in.html.

So just type in objectGUID and give the claim any URI you want.

RandomGuy said...

What's the syntax look like in IssuanceTransformRules syntax. I have syntax below at the moment and I get the same error as you do.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]=> issue(store = "Active Directory", types = ( "https://schemas.auth0.com/cip_oid"), query = ";objectGUID;{0}", param = c.Value);

nzpcmad said...

That syntax looks correct.

What error do you get? That it is returned in base64? That's expected.