Configure SAML 2.0 with ADFS 2.0 to use User ID as identifier
01-31-2014 01:01 AM
The Wiki gives an example of using the Email (email) field in the User (sys_user) table as the unique identifier between the user records in ServiceNow and the AD.
We tried to change this to use the User ID (user_name) field instead, but we haven't gotten it to work.
The User ID field contains the AD account name, for example "labo01" for myself; it is just a simple character field.
From a ServiceNow configuration perspective it seems quite simple and straightforward; I guess most of the configuration work is performed on the ADFS side. Unfortunately the ADFS team can't seem to configure it properly...
Has anyone been able to successfully use the User ID (user_name) field to map to AD/ADFS? Is it possible? Any configuration hints (both in ServiceNow and in ADFS)?
Thanks! Lars-Åke Bolk
Labels: Service Mapping
08-13-2015 12:56 PM
Lars, the ServiceNow field name you are looking for is user_name (rather than user_id).
Despite the fact that you are not using an email address, you will probably find it simplest to stick with "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" as the NameID policy in ServiceNow, and use the emailAddress format for the corresponding record in ADFS; this is our configuration and it's working fine with ADFS 3.0 (Server 2012).
07-18-2017 02:34 AM
Hi Lars,
the solution is very simple.
Two steps:
1. In ServiceNow, open the Identity Provider and change the value of the field "User Field" from "email" to "user_name".
2. In ADFS, update the Claim Rule "Get LDAP Attributes", setting the "LDAP Attribute" to "SAM-Account-Name" (it was E-mail address). Do not change the "Outgoing Claim Type" (keep "E-Mail Address").
That's all, folks!
Checco
Please let me know if my comment was helpful and mark it accordingly (like, helpful, correct) so that others can be helped
07-18-2017 10:33 AM
Hi Lars,
We also had to change the "authncontextcassref_method" to "urn:federation:authentication:windows".
Regards, Wim

09-04-2017 08:29 AM
Top marks for Francesco, that worked a treat for me.