This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 7.000000000000001%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMD%3C/text%3E%3C/svg%3E)
I have configured Claims Provider Trust in ADFS and I am getting only Email in NameID. I can not make changes to Third party Claims Provider Trust, so I have to get WindowsAccountName using Email which I received in NameID from Third Party IDP and forward it to applications ahead.
Can someone please help me to write Claim Rules to support this?
(Context: Publishing OWA with ADFS)
Hi! According to this documentation you need to send the PrimarySID of the user as well as its UPN.
Assuming that a user exist in your forest with the UPN matching the NameID sent by the claim provider trust, you an just lookup the PrimarySID and the UPN. To look up the AD attribute store, you actually do not need the WindowsAccountName but just the domain name. Let's say the NetBIOS name of your domain is CONTOSO, then something of the sort would work.
Also, the suggested rules can be added at the end of the existing rules if you also have users from your own domain using it OWA. Else you can just remove the old rules and replace them with the following:
Rule 1: Take the NameID and make it the UPN
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = c.Value);
Rule 2: Look for the PrimarySID with that UPN
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"] && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = "(&(objectCategory=person)(objectClass=user)(|(userPrincipalName={0})(&(mail={0})(!(userPrincipalName={0})))));objectSid;CONTOSO\random", param = c2.Value);
A couple of thing about this rule.
Really appreciate your answer. I will try and let you know the results. Just one question - Where should I put these rules? In Claims Provider or Relying Party?
At the relying party trust (as long as you have a pass through rule for the NameID claim at the claim provider trust level).
Got it. Thank you very much for your response.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 34%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOS%3C/text%3E%3C/svg%3E)
Could you by any chance help me adapt this a little?
I'm in mostly the same situation as the OP: I get a SAML assertion from a third-party claims provider containing among other things the NameID with the value of "username". My RP needs this in the format "DOMAIN\username" as type "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname".
Using your excellent example above I can get ADFS to issue the right type of claim and populate it with the user's SID. How do I get it to populate the value with DOMAIN\username instead of the SID? I have only one domain so hardcoding isn't a problem for me.
My syntax thus far, 1000 char limit wouldn't let me post it all at once:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = c.Value);
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"] && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = "(&(objectCategory=person)(objectClass=user)(samaccountname={0}));objectSid;MYDOMAIN\random", param = c2.Value);
It would be, two rules:
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"] && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> add(store = "Active Directory", types = ("temp:claim/sam"), query = "(&(objectCategory=person)(objectClass=user)(userPrincipalName={0}));samaccountname;CONTOSO\random", param = c2.Value);
c:[Type == "temp:claim/sam"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = "CONTOSO\" + c.Value);
And you can replace CONTOSO by your domain.
Worked like a charm, thanks so much!