AlignedDev

 3 years ago
source link: https://www.aligneddev.net/blog/2021/adfs20-localdomains/
Getting local domain claims through ADFS 2.0

I don’t have much time, so this is a short post.

I had to set up ADFS 2.0 to pass claims. Hopefully, someone will figure out how to update that version someday :-).

We found that the built-in Edit Claim Rules dialog works well for global domains, but the claims weren't coming through for local domains.

I found one post on the internet, and it had a great comment at the bottom. Unfortunately, it didn't work. A few hours later, after I called a friend, he spotted the issue.

I’ve added a comment to that post and decided to share it here as well.

Thanks @Andrei for the post. I wouldn't have gotten this to work without you. It took me a while, but I got it to work after getting help. The ../ in your example threw me off for a while. Here's what I ended up with.

Click edit claims on the trust.

Add 2 new Send Claims rules using a custom rule.

  The first: Name: Custom - DN

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://temp/dn"), query = ";distinguishedName;{0}", param = c.Value);

  The second: Name: Custom - Groups

    c1:[Type == "http://temp/dn"]
     && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = "(member:1.2.840.113556.1.4.1941:={0});name;{1}", param = c1.Value, param = c2.Value);

My app is expecting http://schemas.xmlsoap.org/claims/Group, so I changed the issued claim type in the second rule to that instead of adding a separate transform rule.
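The two rules above can be applied without the dialog, and the LDAP query the second rule runs can be checked outside ADFS. The following is an added example, not code from the original post or from Andrei's post: it appends the two custom rules to an existing relying party trust with the ADFS PowerShell cmdlets (ADFS 2.0 ships them as the Microsoft.Adfs.PowerShell snap-in) and then runs the same matching-rule-in-chain filter (OID 1.2.840.113556.1.4.1941, which resolves nested membership) against a domain with System.DirectoryServices, reporting each group's scope so domain local groups are easy to spot. The trust name `Example RP`, the domain `corp.example.com` and the user `jdoe` are assumptions.

```powershell
# Added example (not from the original post). Assumptions: trust name, domain and user below.
$rpName = "Example RP"   # assumption: name of your relying party trust

# ADFS 2.0 exposes its cmdlets as a snap-in; later versions as a module.
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
} else {
    Import-Module ADFS
}

# Rule 1 adds the user's DN to the pipeline (add, not issue, so it never reaches the token).
# Rule 2 uses that DN in a member:1.2.840.113556.1.4.1941 filter, which walks nested
# membership; the {1} part (DOMAIN\user) tells the AD store which domain to query.
$newRules = @'
@RuleName = "Custom - DN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/dn"), query = ";distinguishedName;{0}", param = c.Value);

@RuleName = "Custom - Groups"
c1:[Type == "http://temp/dn"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = "(member:1.2.840.113556.1.4.1941:={0});name;{1}", param = c1.Value, param = c2.Value);
'@

$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Keep the rules the trust already has; order matters because rule 2 consumes the claim rule 1 adds.
$combined = ($rp.IssuanceTransformRules, $newRules) -join "`r`n"
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $combined

# RFC 4515 escaping so a DN containing ( ) * or \ cannot change the shape of the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Runs the same lookup the second rule performs, against one domain, without ADFS.
function Get-GroupNamesViaChain {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DomainDns    # e.g. corp.example.com (assumption)
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns")

    $userSearch = New-Object System.DirectoryServices.DirectorySearcher($root)
    $userSearch.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    [void]$userSearch.PropertiesToLoad.Add("distinguishedName")
    $user = $userSearch.FindOne()
    if (-not $user) { throw "User '$SamAccountName' not found in $DomainDns" }
    $dn = [string]$user.Properties["distinguishedname"][0]

    $groupSearch = New-Object System.DirectoryServices.DirectorySearcher($root)
    $groupSearch.Filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))"
    $groupSearch.PageSize = 1000   # page results so large memberships are not truncated
    [void]$groupSearch.PropertiesToLoad.Add("name")
    [void]$groupSearch.PropertiesToLoad.Add("groupType")

    foreach ($g in $groupSearch.FindAll()) {
        $type = [int]$g.Properties["grouptype"][0]
        # groupType flags: 0x2 global, 0x4 domain local, 0x8 universal
        $scope = if ($type -band 0x4) { "DomainLocal" } elseif ($type -band 0x8) { "Universal" } else { "Global" }
        [pscustomobject]@{ Name = [string]$g.Properties["name"][0]; Scope = $scope }
    }
}

# assumption: sample user and domain
Get-GroupNamesViaChain -SamAccountName "jdoe" -DomainDns "corp.example.com" | Format-Table -AutoSize
```

The names the script lists for a user are what the second rule will issue as Group claims for that user, so the two can be compared directly. Note that the directory search is answered by a domain controller of the domain you name, so only groups defined in that domain are returned; in the claim rule the domain is chosen from the DOMAIN\user value passed as {1}.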

ADFS 2.0 custom claim
