Appendix C: AD FS Custom Filter Rule Example
This help topic provides an example of AD FS custom claim issuance rules that filter a user's group memberships, only issuing group claims that are relevant to Silhouette.
The example uses three issuance claim rules.
Rule 1 - Issue non-group claims
The first rule is created from the Send LDAP Attributes as Claims template. It issues Name Id, Given Name, Surname, and E-Mail Address. Notably it does not issue the Group claims.
Rule 2 - Add groups to claims
The second rule is a custom rule to add (not issue) group membership into the claim set. The custom rule uses the rule language.
Rule 3 - Issue a filtered set of group claims
The third rule uses the "Pass Through or Filter an Incoming Claim" rule template. It filters the claims added in Rule 2 and issues them.
As an example, if all relevant AD groups begin with 'SILHOUETTE', then enter 'SILHOUETTE' in the Starts with text box. If Rule 2 is adding 'longDomainQualifiedNames', then the Starts with filter needs the long domain included, e.g. domain\SILHOUETTE.
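Rules 2 and 3 written out in the AD FS claim rule language, as an added example that is not taken from the Silhouette documentation. It assumes the standard AD FS Group claim type, unqualified group names from tokenGroups, and the 'SILHOUETTE' prefix used in the example above; the @RuleName labels are illustrative.

```adfs
@RuleName = "Rule 2 - Add groups to claims (added example)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory",
        types = ("http://schemas.xmlsoap.org/claims/Group"),
        query = ";tokenGroups;{0}",
        param = c.Value);

@RuleName = "Rule 3 - Issue a filtered set of group claims (added example)"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)SILHOUETTE"]
 => issue(claim = c);
```

Because Rule 2 uses add rather than issue, the full group list stays in the working claim set, and only the group claims matched by Rule 3 are placed in the token.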