Export (0) Print
Expand All

String Processing Attribute Store Example

Active Directory Federation Services 2.0

This topic provides an example attribute store that performs string processing on claim values. By using the String Processing Attribute Store, you can perform the following string manipulations on incoming claim values to Active Directory® Federation Services (AD FS) 2.0: convert all characters to upper case, convert all characters to lower case, or convert the string from UTF-8 encoding to base64 encoding.

Query Language and Claim Rules

The String Processing Attribute Store can accept any of the following query strings: “toUpper”, “toLower”, and “base64”. The query string is case-sensitive. A single parameter that contains the string to be converted must also be specified. After the String Processing Attribute Store is registered with your Active Directory® Federation Services (AD FS) 2.0 server, you can add custom claim rules to the Issuance Transform Rules for any of the configured relying party or claims provider trusts.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
  => issue(store = "StringProcessing", types = ("http://example.com/upper"), query = "toUpper", param = c.Value);

In this example, a new claim of type http://example.com/upper is created from the incoming name claim by passing the claim value to the String Processing Attribute Store with a query string of “toUpper” to convert the name to upper case. By creating similar custom rules using the “toLower” and “base64” query strings, you can create claims like the following.

 

Claim Type Claim Value

http://example.com/upper

CONTOSO\BOB

http://example.com/lower

contoso\bob

http://example.com/base64

UkVETU9ORFxzdnl0cnU=

String Processing Attribute Store Implementation

The following code implements the String Processing Attribute Store.

//-----------------------------------------------------------------------------
//
// THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
// ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
// THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
// PARTICULAR PURPOSE.
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
//
//-----------------------------------------------------------------------------

using System;
using System.Collections.Generic;
using System.Text;

using Microsoft.IdentityModel.Threading;
using Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore;

namespace StringProcessingAttributeStore
{
    public class StringProcessingAttributeStore : IAttributeStore
    {
        #region IAttributeStore Members

        public IAsyncResult BeginExecuteQuery( string query, string[] parameters, AsyncCallback callback, object state )
        {
            if ( String.IsNullOrEmpty( query ) )
            {
                throw new AttributeStoreQueryFormatException( "No query string." );
            }

            if ( parameters == null)
            {
                throw new AttributeStoreQueryFormatException( "No query parameter." );
            }

            if (parameters.Length != 1)
            {
                throw new AttributeStoreQueryFormatException("More than one query parameter.");
            }

            string inputString = parameters[0];

            if ( inputString == null )
            {
                throw new AttributeStoreQueryFormatException( "Query parameter cannot be null." );
            }

            string result = null;

            switch ( query )
            {
            case "toUpper":
                {
                    result = inputString.ToUpper();
                    break;
                }
            case "toLower":
                {
                    result = inputString.ToLower();
                    break;
                }
            case "base64":
                {
                    // Assume that input string is in UTF-8 form.
                    result = Convert.ToBase64String( Encoding.UTF8.GetBytes( inputString ) );
                    break;
                }
            default:
                {
                    throw new AttributeStoreQueryFormatException( "The query string is not supported." );
                }
            }
            string[][] outputValues = new string[1][];
            outputValues[0] = new string[1];
            outputValues[0][0] = result;

            TypedAsyncResult<string[][]> asyncResult = new TypedAsyncResult<string[][]>( callback, state );
            asyncResult.Complete( outputValues, true );
            return asyncResult;
        }

        public string[][] EndExecuteQuery( IAsyncResult result )
        {
            return TypedAsyncResult<string[][]>.End( result );
        }

        public void Initialize( Dictionary<string, string> config )
        {
            // No initialization is required for this store.
        }

        #endregion
    }
}


To build the sample, both Windows Identity Foundation (WIF) v1.0 and AD FS 2.0 must be installed on the development computer. Compile the sample code into a class library assembly (you will need to add references to the Microsoft.IdentityModel and Microsoft.IdentityServer.ClaimsPolicy assemblies to your project). For the purposes of this example, make sure the assembly is named StringProcessingAttributeStore.

After you have built the class library, either copy it to the AD FS 2.0 installation folder (usually %Program Files%\Active Directory Federation Services 2.0) on the AD FS 2.0 server, or register it in the global assembly cache (GAC).

Finally, register the attribute store with AD FS 2.0 by using either the management console or the Windows PowerShell command-line. Set the display name to StringProcessing. The class name should be set to according to where you installed the assembly. For example, if you copied the assembly to the AD FS 2.0 installation directory, the class name should be set to StringProcessingAttributeStore.StringProcessingAttributeStore, StringProcessingAttributeStore (class name, assembly name format). For more information about registering a custom attribute store with AD FS 2.0, see Registering an Attribute Store Using the AD FS 2.0 Management Console.

You can now use the String Processing Attribute Store in issuance rules. You identify the attribute store in an issuance rule by using the store’s display name: in this case, “StringProcessing”.

See Also



Show:
© 2014 Microsoft