We are a community college and I want to make a custom rule in ADFS based on OU membership.
This rule must send out the value 'Employee' or 'Student' based on the OU the account is located in.
I can't use AD groups because there isn't any group containing all the accounts.
(Like Active, Future, Alumni etc.; they are all separated, not my choice by the way.)
According to this thread: https://social.technet.microsoft.com/Forums/en-US/762a4ab1-1649-442c-91a4-654ee7b3664f/limiting-adfs-20-to-an-org-unit?forum=winserverDS
I tried:
eduPersonAffiliation Student
c:[Type == "http://temp.org/adobjectdn",Value =~ "^.*(OU=Students,OU=OurDomain Users,DC=OurDomain,DC=local)$"] => issue(Type = "eduPersonAffiliation", Value = "Student", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
eduPersonAffiliation Employee
c:[Type == "http://temp.org/adobjectdn",Value =~ "^.*(OU=Employees,OU=OurDomain Users,DC=OurDomain,DC=local)$"] => issue(Type = "eduPersonAffiliation", Value = "Employee", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
Do I have to change that temp.org? Or must I define adobjectdn?
I checked the regex expression and that works.
I hope anyone can help me, thanks in advance!