Has anybody used SAM-account name for ADFS authentication? If so, can you please provide the LDAP attribute?
06-22-2016 08:20 AM
You can configure this rule to send the value of LDAP attributes as claims. Select an attribute store from which to extract LDAP attributes. Specify how the attributes will map to the outgoing claim types that will be issued from the rule.
Claim rule name: Get LDAP Attributes
Attribute store: Active Directory
Mapping of LDAP attributes to outgoing claim types:
LDAP attribute = ?
Outgoing claim type = ?
You can configure this rule to map an incoming claim type to an outgoing claim type. As an option, you can also map incoming claim value to an outgoing claim value. Specify the incoming claim type to map to the outgoing claim type and whether the claim value should be mapped to a new claim value.
Claim rule name: Email to Name ID
Transforming an incoming claim:
Incoming claim type: ?
Outgoing claim type: ?
Outgoing name ID format: ?
Note: LDAP screenshots attached.
06-22-2016 02:00 PM
ADFS Option 1: Custom Claims Rules (Add Rule > Send Claims Using a Custom Rule):
@RuleName = "Get Stripped sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("urn:strippedaccountname"), query = ";sAMAccountName;{0}", param = c.Value);
@RuleName = "Transform Stripped sAMAccountName to Name ID"
c:[Type == "urn:strippedaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
ADFS Option 2: Claims Rules Template (Add Rule > Send LDAP Attributes as Claims, Transform an Incoming Claim):
RuleName = "Get Stripped sAMAccountName"
RuleName = "Transform Stripped sAMAccountName to Name ID"
ServiceNow:
- Multi-Provider SSO > Identity Providers > MultiSSO SAML > User Field: user_name
- Identity Providers > MultiSSO SAML > NameID Policy: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- Multi-Provider SSO > Administration > Properties > The field … "User Identification": user_name
Here's the PowerShell for copying the claims rules from one trust to another in ADFS:
$existingRule = (Get-ADFSRelyingPartyTrust -Name 'sourceRuleName').IssuanceTransformRules
$claimRuleSet = New-ADFSClaimRuleSet -ClaimRule $existingRule
Set-ADFSRelyingPartyTrust -TargetName 'targetRuleName' -IssuanceTransformRules $claimRuleSet.ClaimRulesString
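As an added example (not from the post above), the same two custom rules applied to a relying-party trust in one shot, followed by a read-back check that the Name ID rule really carries the unspecified format, since a mismatch between this format and the ServiceNow NameID Policy is the usual reason logins fail to match user_name. 'YOUR-RP-TRUST-NAME' is a placeholder for the ServiceNow trust name; this assumes the ADFS PowerShell module on the ADFS server.

```powershell
# Added example, not the thread's own code. Run on the ADFS server as an ADFS admin.
# 'YOUR-RP-TRUST-NAME' is a placeholder for the ServiceNow relying-party trust name.
Import-Module ADFS

$rpName = 'YOUR-RP-TRUST-NAME'
$unspecified = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'

# The two custom rules from the post, as a single rule-set string.
$rules = @'
@RuleName = "Get Stripped sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("urn:strippedaccountname"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Transform Stripped sAMAccountName to Name ID"
c:[Type == "urn:strippedaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# This replaces (does not append to) the trust's issuance transform rules.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read the rules back and confirm a Name ID claim is issued with the expected format,
# so the assertion and the ServiceNow "NameID Policy" setting agree.
function Test-NameIdFormat {
    param([string]$TrustName, [string]$ExpectedFormat)
    $current = (Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
    $issuesNameId = $current -match 'claims/nameidentifier'
    $hasFormat    = $current -match [regex]::Escape($ExpectedFormat)
    return ($issuesNameId -and $hasFormat)
}

if (Test-NameIdFormat -TrustName $rpName -ExpectedFormat $unspecified) {
    Write-Output "Name ID rule present with format $unspecified"
} else {
    Write-Warning "Name ID rule missing or format mismatch on '$rpName'; SSO logins will not map to user_name"
}
```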

11-23-2016 06:05 AM
Hi Ketan,
Did you solve this?
Thanks,
Ishan
03-08-2018 01:10 PM
Were you able to get this functionality working? I am still struggling with the claims pass-through.
04-03-2018 12:39 PM
This is under the assumption you have the sAMAccountName mapped to the SN user_name field.
1.) Ensure the User Field on the IdP record reflects user_name
2.) Ensure the SSO property for Multiple Provider SSO is also set to user_name for the "User Identification" login page.
3.) NameID Policy field on IdP record should reflect: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Get LDAP Claims (ADFS side)
1.) Attribute store = Active Directory
1a.) LDAP attribute = SAM-Account-Name | Outgoing claim type = Name ID
2.) Claim rule name: Name ID to Name ID
2a.) Incoming claim type = Name ID
2b.) Incoming name ID format = unspecified
2c.) Outgoing claim type = Name ID
2d.) Outgoing name ID format = unspecified
3.) Click the radio button for "Pass through all claim values"
Let me know if that helps.