Friday, January 18, 2013

ADFS : objectGUID as a claim

You may have a business requirement to pass some unique key to the application that is not readily identifiable or editable. There are two possibilities in AD viz. objectSID and objectGUID.

As per SID vs. GUID, objectGUID is the better choice because:

“globally unique identifier (GUID), which is a 128-bit value is unique not only in the enterprise but also across the world”   and
“the values of other object properties can change, but the object-GUID never changes. When an object is assigned a GUID, it keeps that value for life”. 

So you configure the claim in the normal LDAP attribute manner and when you look at the claims, you see: kzGVAByOYki4z7CdR2yecA==
WTF – that ain’t no GUID? The two equal signs at the end would seem to indicate Base64?

Mr. Google to the rescue and viola Issuing objectGUID as an ADFS Claim.

So lets test it out. Couldn’t be bothered to create a VS project just for this so the inestimable LINQPad to the rescue.


And the GUID at the bottom is indeed what is displayed in AD.



Unknown said...

Just wondering how on earth to get AD to issue an objectGUID claim in the first place? I can't see it when I go to add a rule for it. Any chance on walking me through it?

nzpcmad said...

Sure - no problem.

You are not restricted to the dropdown - refer

So just type in objectGUID and give the claim any URI you want.