Release eduPersonAssurance
The default rules for releasing eduPersonAssurance can be used if you have the full assurance information in an Active Directory attribute or if you have an Active Directory group for each assurance level.
If you only store AL1|AL2|AL3 or 1|2|3 in the attribute, you need extra logic to release both the SWAMID AL values and the REFEDS Assurance Framework values.
Below is an example where the default eduPersonAssurance rules are overridden in Get-ADFSTkLocalTransformRules.ps1.
The params GenericSP and GenericUniversity are not used by the split function, but the parameters themselves are required; any text will do.
In the example the eduPersonAssurance attribute holds a single value, which can be any of the following:
- http://www.swamid.se/policy/assurance/al1 or 1 or AL1
- http://www.swamid.se/policy/assurance/al2 or 2 or AL2
- http://www.swamid.se/policy/assurance/al3 or 3 or AL3
Insert the following in Get-ADFSTkLocalTransformRules.ps1:
```powershell
# Cumulative value lists: each assurance level includes everything from the level below.
$ALDefault="https://refeds.org/assurance,https://refeds.org/assurance/ID/unique,https://refeds.org/assurance/ID/eppn-unique-no-reassign,https://refeds.org/assurance/ATP/ePA-1m"
$AL1 = $ALDefault + ",http://www.swamid.se/policy/assurance/al1,https://refeds.org/assurance/IAP/low"
$AL2 = $AL1 + ",http://www.swamid.se/policy/assurance/al2,https://refeds.org/assurance/IAP/medium,https://refeds.org/assurance/profile/cappuccino"
$AL3 = $AL2 + ",http://www.swamid.se/policy/assurance/al3,https://refeds.org/assurance/IAP/high,https://refeds.org/assurance/profile/espresso"

# The rules run in order. The first rule adds urn:adfstk:mfalogon:al3 = false only when no
# urn:adfstk:mfalogon claim exists at all; an AL3 user without MFA is then released as AL2 by the
# last rule, while an AL3 user who logged on with MFA (urn:adfstk:mfalogon = true) gets the full AL3 list.
$TransformRules.eduPersonAssurance = [PSCustomObject]@{
Rule=@"
@RuleName = `"Handle missing MFA for AL3`"
NOT Exists([Type == `"urn:adfstk:mfalogon`"])
=> add(Type = `"urn:adfstk:mfalogon:al3`", Value = `"false`");
@RuleName = `"Transform eduPersonAssurance (AL1)`"
c:[Type == `"urn:mace:dir:attribute-def:eduPersonAssurance`", Value =~ `"(?i)(?:http:\/\/www.swamid.se\/policy\/assurance\/al1|1|AL1)`"]
=> issue(store = `"ADFSTkStore`", types = (`"urn:oid:1.3.6.1.4.1.5923.1.1.1.11`"), query = `";split;{0}`", param = `"GenericSP`", param = `"$AL1`", param = `"GenericUniversity`");
@RuleName = `"Transform eduPersonAssurance (AL2)`"
c:[Type == `"urn:mace:dir:attribute-def:eduPersonAssurance`", Value =~ `"(?i)(?:http:\/\/www.swamid.se\/policy\/assurance\/al2|2|AL2)`"]
=> issue(store = `"ADFSTkStore`", types = (`"urn:oid:1.3.6.1.4.1.5923.1.1.1.11`"), query = `";split;{0}`", param = `"GenericSP`", param = `"$AL2`", param = `"GenericUniversity`");
@RuleName = `"Transform eduPersonAssurance (AL3)`"
c1:[Type == `"urn:mace:dir:attribute-def:eduPersonAssurance`", Value =~ `"(?i)(?:http:\/\/www.swamid.se\/policy\/assurance\/al3|https:\/\/refeds.org\/assurance\/profile\/espresso|https:\/\/refeds.org\/assurance\/IAP\/high|3|AL3)`"]
&& c2:[Type == `"urn:adfstk:mfalogon`", Value == `"true`"]
=> issue(store = `"ADFSTkStore`", types = (`"urn:oid:1.3.6.1.4.1.5923.1.1.1.11`"), query = `";split;{0}`", param = `"GenericSP`", param = `"$AL3`", param = `"GenericUniversity`");
@RuleName = `"Transform eduPersonAssurance (AL3 - AL2)`"
c1:[Type == `"urn:mace:dir:attribute-def:eduPersonAssurance`", Value =~ `"(?i)(?:http:\/\/www.swamid.se\/policy\/assurance\/al3|https:\/\/refeds.org\/assurance\/profile\/espresso|https:\/\/refeds.org\/assurance\/IAP\/high|3|AL3)`"]
&& c2:[Type == `"urn:adfstk:mfalogon:al3`", Value == `"false`"]
=> issue(store = `"ADFSTkStore`", types = (`"urn:oid:1.3.6.1.4.1.5923.1.1.1.11`"), query = `";split;{0}`", param = `"GenericSP`", param = `"$AL2`", param = `"GenericUniversity`");
"@
Attribute="urn:mace:dir:attribute-def:eduPersonAssurance"
AttributeGroup="Local rules"
}
```
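To check the mapping before deploying it, here is an added PowerShell simulation (not ADFSToolkit code) that applies the same regular expressions and MFA conditions as the rules above to a given attribute value and urn:adfstk:mfalogon state; it runs in any PowerShell without ADFS, and the function name Get-ExpectedAssurance and the sample inputs are constructed for the example.

```powershell
# Added example: offline simulation of the claim rules above (not ADFSToolkit code).
# Same cumulative value lists as in Get-ADFSTkLocalTransformRules.ps1.
$ALDefault = "https://refeds.org/assurance,https://refeds.org/assurance/ID/unique,https://refeds.org/assurance/ID/eppn-unique-no-reassign,https://refeds.org/assurance/ATP/ePA-1m"
$AL1 = $ALDefault + ",http://www.swamid.se/policy/assurance/al1,https://refeds.org/assurance/IAP/low"
$AL2 = $AL1 + ",http://www.swamid.se/policy/assurance/al2,https://refeds.org/assurance/IAP/medium,https://refeds.org/assurance/profile/cappuccino"
$AL3 = $AL2 + ",http://www.swamid.se/policy/assurance/al3,https://refeds.org/assurance/IAP/high,https://refeds.org/assurance/profile/espresso"

# Same patterns as the rules. PowerShell -match is an unanchored, case-insensitive regex
# search, which is what the ADFS =~ operator does with the (?i) prefix.
$Al1Pattern = 'http:\/\/www.swamid.se\/policy\/assurance\/al1|1|AL1'
$Al2Pattern = 'http:\/\/www.swamid.se\/policy\/assurance\/al2|2|AL2'
$Al3Pattern = 'http:\/\/www.swamid.se\/policy\/assurance\/al3|https:\/\/refeds.org\/assurance\/profile\/espresso|https:\/\/refeds.org\/assurance\/IAP\/high|3|AL3'

function Get-ExpectedAssurance {
    # Hypothetical helper: returns the eduPersonAssurance values the rule set would issue.
    param(
        [Parameter(Mandatory)][string]$AttributeValue,
        # Value of the urn:adfstk:mfalogon input claim; empty string = the claim is absent.
        [string]$MfaLogon = ''
    )
    $issued = @()
    if ($AttributeValue -match $Al1Pattern) { $issued += $AL1 -split ',' }
    if ($AttributeValue -match $Al2Pattern) { $issued += $AL2 -split ',' }
    if ($AttributeValue -match $Al3Pattern) {
        if ($MfaLogon -ceq 'true') {          # ADFS == is case-sensitive, hence -ceq
            $issued += $AL3 -split ','        # rule "Transform eduPersonAssurance (AL3)"
        } elseif ($MfaLogon -eq '') {
            $issued += $AL2 -split ','        # rule 1 added mfalogon:al3 = false, so "(AL3 - AL2)" fires
        }
        # Any other mfalogon value (for example "false") satisfies neither AL3 rule: nothing is issued.
    }
    return @($issued | Select-Object -Unique)
}

# Constructed inputs covering each accepted spelling and the three MFA states.
$cases = @(
    @{ Value = 'AL1';                                       Mfa = '' },
    @{ Value = 'http://www.swamid.se/policy/assurance/al2'; Mfa = '' },
    @{ Value = '3';                                         Mfa = 'true' },
    @{ Value = 'al3';                                       Mfa = '' },
    @{ Value = '3';                                         Mfa = 'false' }
)
foreach ($c in $cases) {
    $values = @(Get-ExpectedAssurance -AttributeValue $c.Value -MfaLogon $c.Mfa)
    "{0} (mfalogon='{1}') -> {2} value(s)" -f $c.Value, $c.Mfa, $values.Count
    $values | ForEach-Object { "    $_" }
}
```

The last case shows that an AL3 user whose urn:adfstk:mfalogon claim exists with any value other than true receives no eduPersonAssurance values at all from this rule set; if that claim can carry the value false in your deployment, extend the first rule or the "(AL3 - AL2)" rule accordingly.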