Getting local domain claims through ADFS 2.0

February 26, 2021    DevOps Authentication


I don't have much time, so this is a short post.

I had to set up ADFS 2.0 to pass group claims. Hopefully, someone will figure out how to update that version someday :-).

We found that the built-in claim rules (the ones you get from Edit Claim Rules on the trust) work well for global domains, but the claims weren't coming through for local domains.

I found one post on the internet, and it had a great comment at the bottom. Unfortunately, it didn't work as written. After a few hours, and after calling a friend, he spotted the issue.

I've added a comment to that post and decided to share it here as well.

Thanks @Andrei for the post. I wouldn't have gotten this to work without you. It took me a while, but I got it to work after getting help. The ../ in your example threw me off for a while. Here's what I ended up with.

Click Edit Claim Rules on the relying party trust.

Add two new rules using the "Send Claims Using a Custom Rule" template. The first looks up the user's distinguished name and adds it to the pipeline as a temporary claim (add, not issue, so it never reaches the application). The quoted claim-type values below are missing because they did not survive extraction. The first: Name: Custom - DN

	c:[Type == "", Issuer == "AD AUTHORITY"]
	 => add(store = "Active Directory", types = ("http://temp/dn"), query = ";distinguishedName;{0}", param = c.Value);

The second feeds that DN into an LDAP query using the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941), which walks group membership transitively, so nested and domain-local groups come back too. {0} is the DN from the temporary claim and {1} is the Windows account name, which tells the Active Directory store which domain to query. The second: Name: Custom - Groups

	c1:[Type == "http://temp/dn"]
	 && c2:[Type == "", Issuer == "AD AUTHORITY"]
	 => issue(store = "Active Directory", types = (""), query = "(member:1.2.840.113556.1.4.1941:={0});name;{1}", param = c1.Value, param = c2.Value);

My app is expecting a different claim type, so I changed the issued type and used this custom rule to transform the group claims into it.

[Image: ADFS 2.0 custom claim rule]
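The same three rules, applied from PowerShell instead of the Edit Claim Rules dialog, with a check that the recursive LDAP query actually returns domain-local groups for a test user. This is an added example, not code from the original post or from Andrei's. The trust name and test account are placeholders, and because the claim-type values inside the post's quotes were lost, the example assumes the standard Windows account name, Group and Role claim URIs; if your app expects something else, change $RoleClaim.

```powershell
# Added example: configure the two custom rules (plus a group-to-role transform) on an
# ADFS 2.0 relying party trust and verify the LDAP_MATCHING_RULE_IN_CHAIN query.
# ADFS 2.0 (Server 2008 R2) ships its cmdlets as a snap-in, not a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$TrustName  = 'My App'   # assumption: display name of the relying party trust
$SamAccount = 'jdoe'     # assumption: a test user whose groups you know

# Assumed claim types (the post's values were lost in extraction).
$WinAccount = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$GroupClaim = 'http://schemas.xmlsoap.org/claims/Group'
$RoleClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

# Rule 1: look up the DN and stash it as a temporary claim (add = pipeline only, not issued).
$dnRule = @"
@RuleName = "Custom - DN"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/dn"), query = ";distinguishedName;{0}", param = c.Value);
"@

# Rule 2: transitive group lookup. {0} = DN from rule 1, {1} = DOMAIN\user, which tells
# the AD attribute store which domain to query.
$groupRule = @"
@RuleName = "Custom - Groups"
c1:[Type == "http://temp/dn"]
 && c2:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$GroupClaim"), query = "(member:1.2.840.113556.1.4.1941:={0});name;{1}", param = c1.Value, param = c2.Value);
"@

# Rule 3 (assumption): the app wants the group names under a different claim type.
$roleRule = @"
@RuleName = "Custom - Group to Role"
c:[Type == "$GroupClaim"]
 => issue(Type = "$RoleClaim", Value = c.Value);
"@

# Append to the trust's existing issuance transform rules rather than replacing them.
$rp = Get-ADFSRelyingPartyTrust -Name $TrustName
$rules = ($rp.IssuanceTransformRules, $dnRule, $groupRule, $roleRule) -join "`n"
Set-ADFSRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $rules

# Verification: run the same recursive query ADFS will run and confirm domain-local
# groups are present. Parentheses and backslashes in a DN must be LDAP-escaped.
$user = Get-ADUser -Identity $SamAccount
$dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
    Select-Object Name, GroupScope
$groups | Format-Table -AutoSize

if (-not ($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' })) {
    Write-Warning "No domain-local groups returned for $SamAccount; check the DN and the query."
}

# Review the rule set ADFS now holds for the trust.
(Get-ADFSRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

The group query is identical to the one inside the claim rule, so if Get-ADGroup returns the expected domain-local groups here but the token still lacks them, the problem is in the first rule (the DN never made it into the pipeline) rather than in AD.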
