Friday, January 17, 2014

ADFS : Multi-valued attributes from AD

There are two kinds of attributes in AD viz. single valued and multi-valued. The latter obviously can have more than one value.

You can see the difference when you try to edit them. A single-valued attribute has a single textbox, while a multi-valued attribute has a textbox to enter a new value and a multi-line textbox showing all the current values.

If you look at a multi-valued attribute in AD using ADUC, you'll see it displayed as:

value1;value2;value3

Note: This is different to a single value attribute that contains the string:

value1 value2 value3

That's a string of ONE value, which is "value1 value2 value3".

How do you find them?

Use ldp, click on the Base DN of "CN=Schema ..." and then run:

(isSingleValued=FALSE)

I couldn't find any under the "objectClass=user" category but there are some if you have added the AD extension attributes to the schema i.e. the ones that start with "msExch ...".

All of which is a segue into how ADFS handles this. It produces a new claim (of the same type) for each value.

So if you took the above and mapped it to a claim of type Value, you'd get:

.../claim/Value =  value3
.../claim/Value =  value2
.../claim/Value =  value1

Interestingly, it seems to display the values in reverse order but I wouldn't make any assumptions about the order the claims are presented.
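The one-claim-per-value behaviour above, seen from the relying party's side, as an added example that is not part of the original post. The SAML assertion is constructed for the example and the claim type URIs (`http://example.invalid/...`) are placeholders, not real ADFS claim types. It shows why a relying party must gather every claim of a type into a set rather than taking the first one (ADFS promises no order), and why it must not split a single value on spaces or semicolons: a single-valued attribute containing "value1 value2 value3" arrives as exactly one claim.

```python
"""Consuming ADFS claims issued from a multi-valued AD attribute.

ADFS emits one claim per attribute value, all with the same claim type, and
the order is not guaranteed. In a SAML 2.0 assertion that arrives as one
<Attribute Name="..."> element carrying several <AttributeValue> children.
A single-valued attribute whose string happens to contain spaces arrives as
exactly ONE <AttributeValue>.

Added example, not code from the original post. The assertion and the
claim type URIs below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: one multi-valued attribute (three claims of the same
# type, in the reverse order the post observed) and one single-valued
# attribute whose single value contains spaces.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://example.invalid/claim/Value">
      <saml:AttributeValue>value3</saml:AttributeValue>
      <saml:AttributeValue>value2</saml:AttributeValue>
      <saml:AttributeValue>value1</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://example.invalid/claim/Description">
      <saml:AttributeValue>value1 value2 value3</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

VALUE_TYPE = "http://example.invalid/claim/Value"
DESC_TYPE = "http://example.invalid/claim/Description"


def claims_by_type(assertion_xml: str) -> Dict[str, List[str]]:
    """Group every claim in the assertion by its claim type.

    Returns {claim_type: [value, ...]} in the order the issuer used, so the
    caller can see that several claims of one type are normal.
    """
    root = ET.fromstring(assertion_xml)
    claims: Dict[str, List[str]] = defaultdict(list)
    for attr in root.iterfind(".//saml:Attribute", NS):
        claim_type = attr.get("Name")
        for val in attr.iterfind("saml:AttributeValue", NS):
            # Each AttributeValue is one claim. Do NOT split on ';' or ' ':
            # a single value is allowed to contain either character.
            claims[claim_type].append((val.text or "").strip())
    return dict(claims)


def has_claim(claims: Dict[str, List[str]], claim_type: str, expected: str) -> bool:
    """Order-independent membership test over all claims of the type."""
    return expected in set(claims.get(claim_type, []))


def first_claim_only(claims: Dict[str, List[str]], claim_type: str) -> Optional[str]:
    """The naive pattern: take the first claim of a type.

    Kept here only to make the failure mode visible; with the sample above
    it returns "value3", and ADFS does not promise which value comes first.
    """
    values = claims.get(claim_type, [])
    return values[0] if values else None


if __name__ == "__main__":
    parsed = claims_by_type(SAMPLE_ASSERTION)
    for ctype, values in parsed.items():
        print(f"{ctype}: {len(values)} claim(s) -> {values}")
    print("has value1 (set check):", has_claim(parsed, VALUE_TYPE, "value1"))
    print("first claim only:", first_claim_only(parsed, VALUE_TYPE))
```

The set-based check is the one to use for any authorization decision; the first-claim pattern is only shown so the difference is visible.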

Enjoy!
