ADFS Claims Provider not receiving username/email

Kushan Fernando 6 Reputation points
2022-10-13T11:24:53.117+00:00

GDay,

I have an on-prem ADFS setup as below with SAML2,

SP <=> ADFS <=> IDP

When the SP initiates an authentication, the client can redirect to the IDP (configured as a Claims Provider) and authenticate himself.

However, I need to pass any form of client identification with the redirection from ADFS to IDP.

I can receive the NameID in ADFS (from SP => ADFS) but I cannot make the ADFS pass it beyond that to the IDP.

I've tried setting up a static claims rule on Claims Provider to see if I can pass 'something', but with no success.

=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = "******@company.com");  

How do I get this working? I desperately need this for the SSO to work on my IDP side.

I'm ok with any sort of method/hacks/claim rule whatsoever.

Cheers.

Microsoft Security | Active Directory Federation Services

1 answer

  1. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2022-10-20T02:19:33.567+00:00

    You will need the following rules:

    • On your IDP, a rule that sends to AD FS the Username and the Email address
    • On AD FS:
      • On the Claim Provider Trust for your IDP, you need to create a rule that passes through the Username and the Email address claims
      • On the Relying Party Trust you need to create a rule that passes through the Username and the Email address claims

    The exact rules will depend on what you have configured on your IDP. If you know what your IDP is sending, we can help you create all the pass-through rules.

    1 person found this answer helpful.
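As an added example, not part of the original thread or of Microsoft's documentation: the two sets of pass-through rules the answer describes, written in AD FS claim rule language and applied with the AD FS PowerShell module. The trust names, the choice of the standard `name` and `emailaddress` claim types (your IDP may send different ones), and the restriction of accepted e-mail addresses to the company.com domain are assumptions.

```powershell
# Placeholder trust names (assumption): replace with the names shown in the AD FS console.
$cpTrustName = 'External IDP'      # Claims Provider Trust for the IDP
$rpTrustName = 'Service Provider'  # Relying Party Trust for the SP

# Acceptance transform rules on the Claims Provider Trust.
# Only the claims listed here survive the hop from the IDP into AD FS; everything
# else the IDP asserts is dropped. The e-mail rule additionally refuses addresses
# outside the expected domain so the external IDP cannot assert arbitrary identities.
$cpRules = @'
@RuleName = "Pass through username from IDP"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);

@RuleName = "Pass through e-mail from IDP, company.com only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^(?i)[^@]+@company\.com$"]
 => issue(claim = c);
'@

# Issuance transform rules on the Relying Party Trust.
# Same claims again: a claim accepted from the CP trust is not sent to the SP
# unless the RP trust also issues it.
$rpRules = @'
@RuleName = "Pass through username to SP"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);

@RuleName = "Pass through e-mail to SP"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@

# Apply the rule sets (run on the primary AD FS server as an AD FS administrator).
Set-AdfsClaimsProviderTrust -TargetName $cpTrustName -AcceptanceTransformRules $cpRules
Set-AdfsRelyingPartyTrust   -TargetName $rpTrustName -IssuanceTransformRules  $rpRules

# Read back what is now configured on both trusts to confirm the rules landed.
(Get-AdfsClaimsProviderTrust -Name $cpTrustName).AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust   -Name $rpTrustName).IssuanceTransformRules
```

Setting the rules with these cmdlets replaces the existing rule set on each trust, so merge any rules you already rely on into the here-strings before running it.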
