I do a fair bit of ADFS so I know my way around it pretty well. But when I have to delve into the world of ADFS Transforms I wake up in cold sweats. Here's the business case....we need to take the SAMAccount name of a user and truncate it to only the first eight characters in length before passing it off as the NameID to a 3rd party application. So truncate jhowstoday to jhowstod. Simple right?

Why the eight character limit I hear you ask? No idea. Must have been written in DOS.


I thought this would be pretty straight forward, but no. There are some examples in the internet about truncating in an ADFS transform using regex but none, absolutely none worked for me. After coming up with such a blank and then flailing around from more then a handful of hours I thought I would add it here in case anyone else has to stumble through the hell I just put myself through.....


Also, it doesn't seem to appear that SAMAccount name is exposed in ADFS as an incoming option, but UPN is (at least in 2012 R2). So now I need two transform rules, so yay!


OK, here's the finished product, we'll pull apart each claim. The transform starts and the top and works down, so "1" is first and "2" is second and last. "2" is where the NameID will pop out of....

Image:ADFS Transformations how does one truncate? - also known as Regular Expressions are evil

Rule 1 - Extract SAMAccountName

c:[Type == "
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("temp:samaccountname"), query = ";sAMAccountName;{0}", param = c.Value);



In the above I essentially do an AD query and store the SAMAccount name in temp:samaccountname to I can get it in rule 2.


Rule 2 - Truncate to <= 8

c:[Type == "temp:samaccountname"]

=> issue(Type = "
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Value = RegexReplace(c.Value, "^([a-zA-Z]{8})+.+", "$1"));


Rule 2 is interesting. I take the previously stored temp:samaccountname and pass it through the ADFS transform regex engine. I'm presuming your SAMAccount name is only letters here [a-zA-Z] so adjust accordingly. The regex (I hate regex) actually matches the first group (in regex that's everything between the parenthesis in the query so [a-zA-Z]{8}). So in the
jhowstoday example it matches the jhowstod. It then takes that group 1 value, jhowstod. and replaces the entire  original text, the $1 in that command. Finally the returned regex is assigned as a NameID and passed out as there are no more rules.

It's easier to visualize using an online regex editor. I use
https://regex101.com/. Here is the breakdown:

Image:ADFS Transformations how does one truncate? - also known as Regular Expressions are evil

It looks pretty simple, but trust me, it was far from. Hopefully this will someday help someone.
Darren Duke   |   September 25 2020 04:29:53 PM   |    securitty  adfs  saml    |  
  |   Next Document   |   Previous Document

Discussion for this entry is now closed.

Comments (0)

No Comments Found