ADFS retrieving claims using native client application

Question

ADFS retrieving claims using native client application

G_Niles 0

Hi,

We are currently attempting to write a test application in C#, which needs to retrieve certain claims upon authorization. No matter what we have tried, it seems we only receive the same 10 claims from the ADFS server (see image for the received claims) . We are using .NET Framework 4.8, is this a forum to ask code related questions? If so I could post what code we have.

Thank you.

G Niles

2 answers

Your answer

Answer 1

Anonymous

Hi @G_Niles , Welcome to Microsoft Q&A,

Make sure that the correct claim rules are configured in ADFS to publish the claims you need. You can check and configure by following the steps below:

Open the ADFS Management Console.
Navigate to Relying Party Trusts.
Select your application and click Edit Claim Rules.
In the Sending Rules tab, check the existing claim rules. If you need to add new claim rules, you can click the Add Rule button and follow the wizard.

Check your application's web.config or app.config file to make sure it is configured correctly. Pay special attention to the following points:

wsFederation configuration section
identityConfiguration configuration section

Make sure the claim type (URI) is correct. For example:

<system.identityModel>
  <identityConfiguration>
    <claimsAuthenticationManager type="YourNamespace.YourClaimsAuthenticationManager, YourAssembly" />
    <claimsAuthorizationManager type="YourNamespace.YourClaimsAuthorizationManager, YourAssembly" />
  </identityConfiguration>
</system.identityModel>

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://your-adfs-server/adfs/ls/" realm="https://your-app" requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

Best Regards,

Jiale

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

G_Niles 0 Reputation points

2024-07-02T14:59:55.8133333+00:00
Hi Jiale,

Thanks you for the response, just for clarification when you said,

Navigate to Relying Party Trusts.

Select your application and click Edit Claim Rules.

In the Sending Rules tab,...

Could it be something along the lines of;

Relying Party Trusts->Edit Claims Issuance Policy->Add Rule ?

Thank you,

G Niles
Anonymous

2024-07-03T09:35:03.14+00:00

Hi @G_Niles ， Did you try it and see if it worked?
G_Niles 0 Reputation points

2024-07-03T14:57:15.88+00:00

Hi Jiale,

We have tried claims rules, claims provider trusts, and application rules to no avail. See attached image for the RelyingPartyTrusts image.

Thank you,

G Niles
Anonymous

2024-07-04T09:27:51.9266667+00:00

I'm not familiar enough with Active Directory Federation Services. The image you attached doesn't seem to show it.
G_Niles 0 Reputation points

2024-07-09T15:46:52.39+00:00

Hi Jiale,

Unfortunately, I do not see a 'Sending Rules' tab on our setup. We did create a rule in an attempt to retrieve objectGUID and transform it to PPID before sending, which we (our application) cannot see. We also created a 'Claims Provider Trust' (see attached image) for what it is worth.

Thank you,

G Niles

Anonymous

Make sure that the claim rules are configured correctly and that the rules can correctly convert objectGUID to PPID. You can use PowerShell commands to check and configure claim rules. For example:

# Get existing claim rules
Get-ADFSRelyingPartyTrust -Name "YourRelyingPartyTrustName" | Select -ExpandProperty IssuanceTransformRules

# Set claim rules
$rule = @'
@RuleName = "Transform objectGUID to PPID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/objectguid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@
Set-ADFSRelyingPartyTrust -TargetName "YourRelyingPartyTrustName" -IssuanceTransformRules $rule

Verify the claims provider trust configuration Make sure that the claims provider trust is configured correctly and can publish the required claims correctly. You can check and set the claims provider trust using the following PowerShell commands:

# Get the existing claims provider trust
Get-ADFSClaimsProviderTrust -Name "YourClaimsProviderTrustName"

# Set the claims provider trust
Set-ADFSClaimsProviderTrust -TargetName "YourClaimsProviderTrustName" -IssuanceTransformRules $rule

G_Niles 0 Reputation points

2024-07-15T14:26:27.89+00:00

Thank you Jaile, we will try this.

Thank you,

G Niles
Anonymous

2024-07-18T09:48:56.33+00:00

Is there any update in this issue?
G_Niles 0 Reputation points

2024-07-18T18:03:22.7866667+00:00
Hi Jiale,

Yes, we attempted to no avail. We noticed with the following line that we received nothing back from the ADFS server

# Set the claims provider trust Set-ADFSClaimsProviderTrust -TargetName "YourClaimsProviderTrustName" -IssuanceTransformRules $rule

We changed IssuanceTransformRules to AcceptanceTransforRules, and received the same values that we were receiving earlier.

# Set the claims provider trust Set-ADFSClaimsProviderTrust -TargetName "YourClaimsProviderTrustName" -AcceptanceTransformRules $rule
G_Niles 0 Reputation points

2024-07-18T18:08:04.52+00:00

<Removed Duplicate Post>

Anonymous

Verify the claim rules

Make sure the claim rules themselves are correct. Here is an example rule for converting objectGUID to PPID:

$rule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/objectguid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

Check ADFS Relying Party Trust configuration

Make sure the claim rules are configured correctly in the Relying Party Trust of ADFS:

Set-ADFSRelyingPartyTrust -TargetName "YourRelyingPartyTrustName" -IssuanceTransformRules $rule

Verify ADFS Claim Provider Trust configuration

Make sure the accept transformation rules are configured correctly in the Claims Provider Trust:

Set-ADFSClaimsProviderTrust -TargetName "YourClaimsProviderTrustName" -AcceptanceTransformRules $rule

Answer 2

Josip Jurišić 6

Hi @G_Niles ,

There are default claims that are sent to the app if there are no additional claims configured via "Edit Claim Issuance Policy" in ADFS console.

If you need to configure any additional attribute to be provided for successful authentication/authorization, please feel free to configure it through "Edit Claim Issuance Policy" in ADFS console.

Also, when you're configuring additional claims, these claims needs to follow some "logic" in process, so please let me know which attributes you need to receive from AD, so I can help you with.

Best regards,

JJ

G_Niles 0 Reputation points

2024-07-15T14:28:11.26+00:00

Thank you for your interest Josip, here are the attributes we are striving to get.

for any object:

objectSid, objectGUID, sAMAccountName, sAMAccountType, whenChanged, objectCategory,

for users:

member, name, mail, initials, sn, givenName, displayName, description, userAccountControl,

for groups:

group, groupType, organizationalUnit.

Thank you,

G Niles

Share via

ADFS retrieving claims using native client application

2 answers

Your answer