Getting local domain claims through ADFS 2.0

February 26, 2021    DevOps Authentication

Getting local domain claims through ADFS 2.0

I don’t have much time, so this is a short post.

I had to setup ADFS 2.0 to pass claims. Hopefully, someone will figure out how to update that version someday :-).

We found that the built in edit claims works well for global domains, but they weren’t coming through for local domains.

I found one post on the internet and it had a great comment at the bottom. Unfortunately, it didn’t work. A few hours and after calling a friend, he spotted the issue.

I’ve added a comment to that post and decided to share it here as well.

Thanks @Andrei for the post. I wouldn’t have gotten this to work without you. It took me awhile, but I got it to work after getting help. The ../ in your example through me off for awhile. Here’s what I ended up with.

Click edit claims on the trust.

Add 2 new Send Claims using a custom role  The first: Name: Custom - DN

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://temp/dn"), query = ";distinguishedName;{0}", param = c.Value);

  The second: Name: Custom - Groups

    c1:[Type == "http://temp/dn"]
     && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = "(member:1.2.840.113556.1.4.1941:={0});name;{1}", param = c1.Value, param = c2.Value);

My app is expecting http://schemas.xmlsoap.org/claims/Group, so I changed that and used this custom rule to transform it to that.

ADFS 2.0 custom claim



comments powered by Disqus