Configure SAML 2.0 with ADFS 2.0 to use User ID as identifier

lars-ake_bolk
Kilo Explorer

‎01-31-2014 01:01 AM

In the Wiki it is exemplified how to use the Email (email) field in the User (sys_user) table as the uniqe identifier between the user records in ServiceNow and the AD.

We tried to change this into using the User ID (user_name) field instead. - but we haven't gotten it to work.

 

The User ID field contains the AD account name, for example "labo01" for myself, just a simple character field.

From a ServiceNow configuration perspective it seems quite simple and straightforward - I guess most of the configuration work is performed at the ADFS. Unfortunately the ADFS team can't seem to be able to configure it properly...

 

Has anyone been able to successfully use the User ID (user_name) field to map with the AD/ADFS - is it possible? Any configuration hints (both in ServiceNow and in ADFS)?

 

Thanx! Lars-í…ke Bolk

Labels:
0 Helpfuls
  • 24,288 Views
8 REPLIES 8

WilliamHazelrig
Giga Contributor
In response to Lam_Hoang

‎08-13-2015 12:56 PM

Lars, the ServiceNow field name you are looking for is user_name (rather than user_id).



Despite the fact that you are not using an email address, you will probably find it simplest to stick with "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" as the NameID policy in ServiceNow, and use the emailAddress format for the corresponding record in ADFS; this is our configuration and it's working fine with ADFS 3.0 (Server 2012).


0 Helpfuls

francescodotti
Mega Expert

‎07-18-2017 02:34 AM

Hi Lars,


the solution is very simple.


Two steps:


1. In ServiceNow, open the Identity Provider and change the value of the field "User Field" from "email" to "user_name".


2. In ADFS, update the Claim Rule "Get LDAP Attributes", setting the "LDAP Attribute" to "SAM-Account-Name" (it was E-mail address). Do not change the "Outgoing Claim Type" (keep "E-Mail Address").



That's all folks !!



Checco



Please let me know if my comment was helpful and mark it accordingly (like, helpful, correct) so that others can be helped


Wim Kortsmit
Tera Contributor
In response to francescodotti

‎07-18-2017 10:33 AM

Hi Lars,



We also had to change the "authncontextcassref_method" to "urn:federation:authentication:windows"



Regards, Wim


0 Helpfuls

paulc1974
Tera Expert

‎09-04-2017 08:29 AM

Top marks for Francesco, that worked a treat for me.


0 Helpfuls