Today I needed to create a claim rule in ADFS to send certain claims to users depending on their email address. The idea was to prevent people in certain email domains from getting claims they weren’t supposed to have.
I created a claim rule that ran regular expressions against the user’s email address and it worked fine in test, but in production, users were getting claims they weren’t supposed to have! I soon realised the reason: the casing of email addresses in our AD differs drastically. Some are in the form firstname.lastname@example.org, while others were john.smith@Contoso.Com. We pretty much found every type of casing possible.
It turns our that by default, regular expression matching in ADFS claims rules is case-sensitive, but it’s easy to switch the matching to case-insensitive using the information in the following Microsoft article:
Adding (?i) to the start of the regular expression forces case-insensitive matching, as in Microsoft’s example:
c:[type == "http://contoso.com/email", Value =~ "(?i)bob"] => issue (claim = c);
With this in place, everything worked as expected.