ADFS 2.0 E-mail address claim transformation

  • Question

  • I currently have an ADFS 2.0 environment which we use to provide SSO to a bunch of external SaaS applications (Cisco WebEx, Workday, Service Now and Cisco Jabber to name a few).

    The business I work for has been acquired and the default email addresses of all users are being changed. This will be causing issues to most (if not all) Relying Parties, as they all use the E-mail-Addresses claim as UserName or ID.

    I did a test with one of the dev SaaS apps we use and modified an existing claim on the RPT from "Pass through all claim values" to "Replace incoming e-mail suffix claims with a new e-mail suffix" and it worked as expected using a test account.

    Is there a better way to handle this? I'd rather transform the E-mail Address attribute only once than do it for every RPT (if it can be done!)

    Thanks for all your help! Francis

    Wednesday, July 20, 2016 4:31 PM

All replies

  • The RPs are all autonomous. I don't know of any global rule.

    The best way to do this is in AD itself.

    You can add this rule to all the RPs via PowerShell if that's easier.

    Wednesday, July 20, 2016 7:06 PM
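The PowerShell approach mentioned in the reply above, as an added example that is not code from the thread: it appends a suffix-replacing transform rule (the same kind the questioner built in the GUI) to every relying party trust, backs up each existing rule set first, and changes nothing unless run with -Apply. The suffixes and the rule name are constructed placeholders; the claim type URI is the standard emailaddress claim.

```powershell
param([switch]$Apply)   # without -Apply the script only reports what it would change

# ADFS 2.0 ships the cmdlets as a snap-in; ADFS on Server 2012 R2+ exposes the ADFS module.
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
}

$OldSuffix = 'oldcompany.example'    # placeholder: suffix currently issued
$NewSuffix = 'newcompany.example'    # placeholder: suffix the RPs should receive
$RuleName  = 'Replace e-mail suffix (bulk change)'
$EmailType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$BackupDir = Join-Path $env:TEMP 'adfs-rule-backup'

# Claim rule language: match only e-mail claims carrying the old suffix and re-issue
# them with the new suffix, keeping the local part via the named capture group.
$RuleTemplate = @'

@RuleTemplate = "MapClaims"
@RuleName = "__NAME__"
c:[Type == "__TYPE__", Value =~ "@__OLD__$"]
 => issue(Type = "__TYPE__", Value = regexreplace(c.Value, "(?<user>[^@]+)@(.+)", "${user}@__NEW__"));
'@
$Rule = $RuleTemplate.Replace('__NAME__', $RuleName).Replace('__TYPE__', $EmailType).
    Replace('__OLD__', [regex]::Escape($OldSuffix)).Replace('__NEW__', $NewSuffix)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $current = [string]$rp.IssuanceTransformRules

    # Idempotency: a trust that already carries this rule is left alone.
    if ($current -match [regex]::Escape("@RuleName = `"$RuleName`"")) {
        Write-Host "skip   $($rp.Name) (rule already present)"
        continue
    }

    # Keep the existing rule set so any single trust can be reverted.
    $safeName = $rp.Name -replace '[^\w\-]', '_'
    Set-Content -Path (Join-Path $BackupDir "$safeName.rules.txt") -Value $current

    if ($Apply) {
        Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceTransformRules ($current + $Rule)
        Write-Host "update $($rp.Name)"
    } else {
        Write-Host "plan   $($rp.Name)"
    }
}
```

An issue() rule adds a claim but cannot remove one, so on a trust whose earlier rule already passes the e-mail claim through unchanged the RP would receive both values; such pass-through rules need to be replaced (as the questioner did in the GUI) rather than supplemented.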
  • Thanks for your answer nzpcmad1. Do you know if this could be done by adding a transform rule to the Claim Provider (in our case Active Directory)? I'm not sure of the relationship between the CP and the RP.

    Thanks,

    Francis

    Thursday, July 21, 2016 4:33 PM
  • Yes, you can, but I suspect that would be wrong.

    A CP is another IDP on another identity repository, so the email address would be for the other repository and for a completely different external domain.

    Thursday, July 21, 2016 7:09 PM