Map an Organization Custom Claim to an AD DS or AD LDS User Attribute (Custom Claim Extraction)

Applies To: Windows Server 2008

Whether you use Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) as the Active Directory Federation Services (AD FS) account store for an account Federation Service, an organization custom claim maps to an administratively assigned Lightweight Directory Access Protocol (LDAP) attribute for the user that the claim identifies. This mapping is called a custom claim extraction.

For example, if the user is to be identified by position, you might create the organization custom claim Position and use the Title attribute to identify the user's position. If the Title attribute is present in the AD DS or AD LDS store, the corresponding organization custom claim is generated with the value of the Title attribute. Suppose that the Title attribute of the user account has the value Software Engineer. In this case, the organization custom claim Position is generated for this user with the value Software Engineer. If the Title attribute is not found for the user account, the Position claim is not generated for the user.

Perform this procedure in the account Federation Service.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To map an organization custom claim to an AD DS or AD LDS user attribute

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, double-click Account Stores, right-click AD LDS or Active Directory, point to New, and then click Custom Claim Extraction.

  3. In the Create a New Custom Claim Extraction dialog box, in Attribute, type the LDAP attribute name for the user.

  4. In Map to this Organization Claim, select the organization custom claim to map to the attribute, and then click OK.

Additional references

Map an Organization Group Claim to an AD LDS Attribute and Value (Group Claim Extraction)

Map an Organization Group Claim to a Resource Group