ADFS retrieving claims using native client application

G_Niles 0

Hi,

We are currently attempting to write a test application in C#, which needs to retrieve certain claims upon authorization. No matter what we have tried, it seems we only receive the same 10 claims from the ADFS server (see image for the received claims) . We are using .NET Framework 4.8, is this a forum to ask code related questions? If so I could post what code we have.

Thank you.

G Niles

2 answers

Jiale Xue - MSFT 46,296 Reputation points Microsoft Vendor

2024-07-02T03:11:23.1366667+00:00
Hi @G_Niles , Welcome to Microsoft Q&A,

Make sure that the correct claim rules are configured in ADFS to publish the claims you need. You can check and configure by following the steps below:

Open the ADFS Management Console.

Navigate to Relying Party Trusts.

Select your application and click Edit Claim Rules.

In the Sending Rules tab, check the existing claim rules. If you need to add new claim rules, you can click the Add Rule button and follow the wizard.

Check your application's web.config or app.config file to make sure it is configured correctly. Pay special attention to the following points:

wsFederation configuration section

identityConfiguration configuration section

Make sure the claim type (URI) is correct. For example:

<system.identityModel> <identityConfiguration> <claimsAuthenticationManager type="YourNamespace.YourClaimsAuthenticationManager, YourAssembly" /> <claimsAuthorizationManager type="YourNamespace.YourClaimsAuthorizationManager, YourAssembly" /> </identityConfiguration> </system.identityModel> <system.identityModel.services> <federationConfiguration> <cookieHandler requireSsl="false" /> <wsFederation passiveRedirectEnabled="true" issuer="https://your-adfs-server/adfs/ls/" realm="https://your-app" requireHttps="false" /> </federationConfiguration> </system.identityModel.services>

Best Regards,

Jiale

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
G_Niles 0 Reputation points

2024-07-02T14:59:55.8133333+00:00

Hi Jiale,

Thanks you for the response, just for clarification when you said,

Navigate to Relying Party Trusts.

Select your application and click Edit Claim Rules.

In the Sending Rules tab,...

Could it be something along the lines of;

Relying Party Trusts->Edit Claims Issuance Policy->Add Rule ?

Thank you,

G Niles

Jiale Xue - MSFT 46,296 Reputation points Microsoft Vendor

2024-07-03T09:35:03.14+00:00

Hi @G_Niles ， Did you try it and see if it worked?

G_Niles 0 Reputation points

2024-07-03T14:57:15.88+00:00

Hi Jiale,

We have tried claims rules, claims provider trusts, and application rules to no avail. See attached image for the RelyingPartyTrusts image.

Thank you,

G Niles

Jiale Xue - MSFT 46,296 Reputation points Microsoft Vendor

2024-07-04T09:27:51.9266667+00:00

I'm not familiar enough with Active Directory Federation Services. The image you attached doesn't seem to show it.

G_Niles 0 Reputation points

2024-07-09T15:46:52.39+00:00

Hi Jiale,

Unfortunately, I do not see a 'Sending Rules' tab on our setup. We did create a rule in an attempt to retrieve objectGUID and transform it to PPID before sending, which we (our application) cannot see. We also created a 'Claims Provider Trust' (see attached image) for what it is worth.

Thank you,

G Niles

Jiale Xue - MSFT 46,296 Reputation points Microsoft Vendor

2024-07-15T07:05:22.2833333+00:00

Make sure that the claim rules are configured correctly and that the rules can correctly convert objectGUID to PPID. You can use PowerShell commands to check and configure claim rules. For example:

# Get existing claim rules Get-ADFSRelyingPartyTrust -Name "YourRelyingPartyTrustName" | Select -ExpandProperty IssuanceTransformRules # Set claim rules $rule = @' @RuleName = "Transform objectGUID to PPID" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/objectguid"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType); '@ Set-ADFSRelyingPartyTrust -TargetName "YourRelyingPartyTrustName" -IssuanceTransformRules $rule

Verify the claims provider trust configuration Make sure that the claims provider trust is configured correctly and can publish the required claims correctly. You can check and set the claims provider trust using the following PowerShell commands:

# Get the existing claims provider trust Get-ADFSClaimsProviderTrust -Name "YourClaimsProviderTrustName" # Set the claims provider trust Set-ADFSClaimsProviderTrust -TargetName "YourClaimsProviderTrustName" -IssuanceTransformRules $rule

G_Niles 0 Reputation points

2024-07-15T14:26:27.89+00:00

Thank you Jaile, we will try this.

Thank you,

G Niles

Jiale Xue - MSFT 46,296 Reputation points Microsoft Vendor

2024-07-18T09:48:56.33+00:00

Is there any update in this issue?

G_Niles 0 Reputation points

2024-07-18T18:03:22.7866667+00:00

Hi Jiale,

Yes, we attempted to no avail. We noticed with the following line that we received nothing back from the ADFS server

# Set the claims provider trust Set-ADFSClaimsProviderTrust -TargetName "YourClaimsProviderTrustName" -IssuanceTransformRules $rule

We changed IssuanceTransformRules to AcceptanceTransforRules, and received the same values that we were receiving earlier.

# Set the claims provider trust Set-ADFSClaimsProviderTrust -TargetName "YourClaimsProviderTrustName" -AcceptanceTransformRules $rule

G_Niles 0 Reputation points

2024-07-18T18:08:04.52+00:00

<Removed Duplicate Post>

Jiale Xue - MSFT 46,296 Reputation points Microsoft Vendor

2024-07-22T12:01:33.2333333+00:00

Verify the claim rules

Make sure the claim rules themselves are correct. Here is an example rule for converting objectGUID to PPID:

$rule = @" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/objectguid"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType); "@

Check ADFS Relying Party Trust configuration

Make sure the claim rules are configured correctly in the Relying Party Trust of ADFS:

Set-ADFSRelyingPartyTrust -TargetName "YourRelyingPartyTrustName" -IssuanceTransformRules $rule

Verify ADFS Claim Provider Trust configuration

Make sure the accept transformation rules are configured correctly in the Claims Provider Trust:

Set-ADFSClaimsProviderTrust -TargetName "YourClaimsProviderTrustName" -AcceptanceTransformRules $rule
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Josip Jurišić 1 Reputation point

2024-07-15T08:59:31.2766667+00:00

Hi @G_Niles ,

There are default claims that are sent to the app if there are no additional claims configured via "Edit Claim Issuance Policy" in ADFS console.

If you need to configure any additional attribute to be provided for successful authentication/authorization, please feel free to configure it through "Edit Claim Issuance Policy" in ADFS console.

Also, when you're configuring additional claims, these claims needs to follow some "logic" in process, so please let me know which attributes you need to receive from AD, so I can help you with.

Best regards,

JJ
Please sign in to rate this answer.
G_Niles 0 Reputation points

2024-07-15T14:28:11.26+00:00

Thank you for your interest Josip, here are the attributes we are striving to get.

for any object:

objectSid, objectGUID, sAMAccountName, sAMAccountType, whenChanged, objectCategory,

for users:

member, name, mail, initials, sn, givenName, displayName, description, userAccountControl,

for groups:

group, groupType, organizationalUnit.

Thank you,

G Niles
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

ADFS retrieving claims using native client application

2 answers

Your answer