Configure the ADFS relying party claim rules

Rversion finale: Australia

Mis à jour 12 mars 2026

1 minute de lecture

Edit the claim rules to enable proper communication with the instance.

Avant de commencer

Role required: sso_config_admin, business_rule_admin, script_include_admin

Procédure

Log into the ADFS server and open the management console.
Right-click the relying party trust and select Edit Claim Rules.
Click the Issuance Transform Rules tab.
Select Add Rules.
Select Send LDAP Attribute as Claims as the claim rule template to use.
Give the claim a name such as Get LDAP Attributes.

Set the Attribute store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]  
=> issue(store = "Active Directory", 
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), 
query = ";mail;{0}", param = c.Value);

Select Finish.
Select Add Rules.
Select Transform an Incoming Claim as the claim rule template to use.
Give the Claim a name such as Email to Name ID.
Set the Incoming claim type to the Outgoing Claim Type in the previous rule.
For example, E-Mail Address.
Set the Outgoing claim type to Name ID and the Outgoing name ID format to Email.

Remarque :
These values must match the Name ID policy you define during SAML 2.0 configuration.

Select Pass through all claim values.

This claim rule should look similar to the following rule language.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", 
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, 
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] 
= "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

Click Finish.