Has anybody used SAM-account name for ADFS authentication? If so, can you please provide the LDAP Attribute?

ketan8
Tera Contributor

Has anybody used SAM-account name for ADFS authentication? If so, can you please provide the LDAP Attribute?

You can configure this rule to send the value of LDAP attributes as claims. Select an attribute store from which to extract LDAP attributes. Specify how the attributes will map to the outgoing claim types that will be issued from the rule.

Claim rule name: Get LDAP Attributes

Attribute Store = Active Directory

Mapping of LDAP attributes to outgoing claim types:

LDAP Attribute = ?

Outgoing Claim Type = ?

You can configure this rule to map an incoming claim type to an outgoing claim type. As an option, you can also map incoming claim value to an outgoing claim value. Specify the incoming claim type to map to the outgoing claim type and whether the claim value should be mapped to a new claim value.

Claim Rule Name: Email to Name ID.

Transforming an Incoming Claim:

Incoming claim type: ?

Outgoing claim type: ?

Outgoing name ID format: ?

Note: Attached LDAP screen shots...


ketan8
Tera Contributor

ADFS Option 1: Custom Claim Rules (Add Rule > Send Claims Using a Custom Rule):

@RuleName = "Get Stripped sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("urn:strippedaccountname"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Transform Stripped sAMAccountName to Name ID"
c:[Type == "urn:strippedaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

ADFS Option 2: Claim Rule Templates (Add Rule > Send LDAP Attributes as Claims, then Transform an Incoming Claim):

RuleName = "Get Stripped sAMAccountName"

RuleName = "Transform Stripped sAMAccountName to Name ID"
ServiceNow:

- Multi-Provider SSO > Identity Providers > MultiSSO SAML > User Field: user_name
- Identity Providers > MultiSSO SAML > NameID Policy: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- Multi-Provider SSO > Administration > Properties > The field … "User Identification": user_name

Here's the PowerShell for copying the claims rules from one trust to another in ADFS:

# Read the issuance transform rules (the claim rule set string) from the source relying party trust
$existingRule = (Get-ADFSRelyingPartyTrust -Name 'sourceRuleName').IssuanceTransformRules

# Parse that string into a claim rule set object
$claimRuleSet = New-ADFSClaimRuleSet -ClaimRule $existingRule

# Write the same rules onto the target relying party trust
Set-ADFSRelyingPartyTrust -TargetName 'targetRuleName' -IssuanceTransformRules $claimRuleSet.ClaimRulesString


Community Alums
Not applicable

Hi Ketan,

Did you solve this?

Thanks,
Ishan


benjaming
Kilo Explorer

Were you able to get this functionality working? I am still struggling with the claims pass-through.

This is under the assumption you have the sAMAccountName mapped to the SN user_name field.

1.) Ensure the User Field on the IdP record reflects user_name 
2.) Ensure the SSO property for Multiple Provider SSO is also set to user_name for the "User Identification" login page. 
3.) NameID Policy field on IdP record should reflect: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Get LDAP Claims (ADFS side)
1.) Attribute store = Active Directory
1a.) LDAP attribute = SAM-Account-Name | Outgoing claim type = Name ID
2.) Claim rule name: Name ID to Name ID
2a.) Incoming claim type = Name ID
2b.) Incoming name ID format = unspecified
2c.) Outgoing claim type: Name ID
2d.) Outgoing name ID format = unspecified
3.) Click radio button for "Pass through all claim values"

Let me know if that helps.
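When the claims pass-through still fails, the quickest way to see which side is wrong is to look at the NameID ADFS actually issued (ServiceNow's SAML debug log or a browser SAML trace shows the assertion). The check below is an added example, not code from this thread or from ServiceNow/ADFS; the function name check_nameid, the simplified sAMAccountName pattern and the two sample assertions are constructed for illustration. It confirms the NameID format is the unspecified format the IdP record expects and that the value is a bare sAMAccountName rather than the DOMAIN\user windowsaccountname, which is what ServiceNow would fail to match against user_name.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Simplified sAMAccountName rule (constructed): 1-20 chars, none of the
# characters AD rejects in a sAMAccountName ( " / \ [ ] : ; | = , + * ? < > ) and no '@'.
SAM_RE = re.compile(r'^[^"/\\\[\]:;|=,+*?<>@]{1,20}$')


def check_nameid(assertion_xml: str) -> dict:
    """Inspect <saml:Subject>/<saml:NameID> and report why ServiceNow could not match it."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if nameid is None:
        return {"ok": False, "value": None, "format": None, "problems": ["no NameID in Subject"]}
    value = (nameid.text or "").strip()
    fmt = nameid.get("Format", "")
    problems = []
    if fmt != EXPECTED_FORMAT:
        problems.append(f"NameID Format is {fmt!r}, IdP record expects {EXPECTED_FORMAT!r}")
    if "\\" in value:
        problems.append("value carries a DOMAIN\\ prefix: windowsaccountname was passed "
                        "through instead of the LDAP sAMAccountName")
    elif "@" in value:
        problems.append("value looks like a UPN or e-mail address, not a sAMAccountName")
    elif not SAM_RE.match(value):
        problems.append(f"value {value!r} is not a valid sAMAccountName")
    return {"ok": not problems, "value": value, "format": fmt, "problems": problems}


# Constructed sample assertions (trimmed to the Subject element for readability).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# What you see when the windowsaccountname claim is passed straight through as Name ID.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">CORP\\jdoe</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_nameid(xml))
```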