There are two kinds of attributes in AD, viz. single-valued and multi-valued. The latter obviously can have more than one value.
You can see the difference when you try to edit them. A single-valued attribute has a single textbox, while a multi-valued attribute has a textbox to enter a new value and a multi-line textbox to show all the current values.
If you look at a multi-valued attribute in AD using ADUC, you'll see it displayed as:
value1;value2;value3
Note: This is different to a single-valued attribute that contains the string:
value1 value2 value3
That's a string of ONE value, which is "value1 value2 value3".
How do you find them?
Use ldp, click on the Base DN of "CN=Schema ..." and then run:
(isSingleValued=FALSE)
I couldn't find any under the "objectClass=user" category but there are some if you have added the AD extension attributes to the schema i.e. the ones that start with "msExch ...".
All of which is a segue into how ADFS handles this. It produces a new claim (of the same type) for each value.
So if you took the above and mapped them to a claim of type Values, you'll get:
.../claim/Value = value3
.../claim/Value = value2
.../claim/Value = value1
Interestingly, it seems to display the values in reverse order but I wouldn't make any assumptions about the order the claims are presented.
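The following is an added example, not code from the original post: a relying-party-side sketch that gathers every value of a claim type into a set, so a check does not depend on claim order or on reading only the first claim. The SAML 2.0 AttributeStatement fragment, the urn:example claim type names and the function names are constructed for illustration, and the fragment is assumed to come from a token whose signature has already been validated.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the claim type URIs are placeholders, not real ADFS names.
# Values may arrive as several AttributeValue elements under one Attribute,
# or as repeated Attribute elements with the same Name; both are handled.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:example:claim/Value">
    <saml:AttributeValue>value3</saml:AttributeValue>
    <saml:AttributeValue>value2</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:example:claim/Value">
    <saml:AttributeValue>value1</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:example:claim/Single">
    <saml:AttributeValue>value1 value2 value3</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def collect_claims(statement_xml):
    """Map each claim type to the unordered set of all values issued for it."""
    claims = defaultdict(set)
    root = ET.fromstring(statement_xml)
    for attr in root.findall("saml:Attribute", NS):
        for val in attr.findall("saml:AttributeValue", NS):
            # Keep each value whole: a single-valued string is never split on spaces.
            claims[attr.get("Name")].add(val.text or "")
    return {name: frozenset(values) for name, values in claims.items()}


def has_claim(claims, claim_type, required):
    """True only if some claim of this type carries exactly the required value."""
    return required in claims.get(claim_type, frozenset())


if __name__ == "__main__":
    parsed = collect_claims(SAMPLE)
    for name in sorted(parsed):
        print(name, sorted(parsed[name]))
    print(has_claim(parsed, "urn:example:claim/Value", "value1"))
    print(has_claim(parsed, "urn:example:claim/Single", "value1"))
```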
Enjoy!