Score:1

ADFS. Third Party Trust Claim Rule needed to return `domain\user`

Tim

I have configured a Claims Provider Trust in ADFS and I am getting only the Email in NameID. I cannot make changes to the Third Party Claims Provider Trust, so I have to get the WindowsAccountName using the Email Address, which I receive in NameID from the Third Party IDP, and forward it to Outlook Web Access (on-premise).

I've found that when I use the following Claim Rule, sign-in works, but only if the user's UPN and email address match. If there are differences between them (e.g. sAMAccountName=jdoe; [email protected]; Email=Jonathan.Doe@contoso.com), the value forwarded to Exchange causes an error to be thrown.

```
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "(?<user>[^\@]+)\@(.+)", "contoso\${user}"), ValueType = c.ValueType);
```

How can I look up a user via their email address and return their WindowsAccountName in domain\username format?

Score:1
Tim

If anyone runs into this issue: you need two rules.

Rule #1: sAMAccountName to temp

This tells ADFS to look in Active Directory and return any accounts where the UPN or Email address matches. Then the rule stores the value into a temporary variable which we'll use in the next rule.

```
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(store = "Active Directory", types = ("claims:temp/attribute1"), query = "(&(objectCategory=person)(objectClass=user)(|(userPrincipalName={0})(mail={0})));sAMAccountName;contoso\adfs_service_account", param = c.Value);
```

NB. The contoso\adfs_service_account is important. ADFS needs this to auto-discover a Domain Controller. Use ANY AD account, just so long as it is a real account.

Rule #2: temp to WindowsAccountName

The above rule only returns the sAMAccountName, not the domain. In my case I only had one domain. As such, I hardcoded it below.

```
c:[Type == "claims:temp/attribute1"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = "https://contoso.verify.ibm.com/saml/sps/saml20ip/saml20", Value = "contoso\" + c.Value);
```