ADFS change Audience attribute using claim rule?

  • Question

  • Is there a way to use a transform rule to change what is sent for the <Audience> field in a SAML 2.0 token using ADFS 4.0?

    We have an RP Trust set up in ADFS with the identifier 'https://SP1/app'. The SAML token generated has the following (as expected):

    <AudienceRestriction>
      <Audience>https://SP1/app</Audience>
    </AudienceRestriction>

    We have a production and a training environment that we have to access with a vendor (there's a custom claim where we send over a unique code to identify the environment). The problem is I cannot create a second Trust with the same identifier. If I change the identifier, it is rejected by the vendor (SP). We have one ADFS farm; they have one SSO endpoint.

    I was wondering if within ADFS I could set up another Trust, set the identifier to 'https://SP1/app1', then use a transform rule to modify the identifier to 'https://SP1/app' so that in the SAML token the Audience will be https://SP1/app (and NOT https://SP1/app1).

    The SSO is initiated by the IdP, so the vendor doesn't support SP-initiated SSO.

    Thanks

    Thursday, February 22, 2018 8:01 PM
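Added example, not part of the original post or of ADFS: the SP-side check that produces the rejection the poster describes. ADFS fills <Audience> from the relying party trust's identifier, while issuance transform rules shape the claims in the AttributeStatement (and the NameID), so the audience cannot be rewritten by a rule; the code below shows why that matters by validating the AudienceRestriction the way a SAML 2.0 service provider does (SAML 2.0 Core, section 2.5.1.4). The assertion is constructed here (unsigned, with no Subject or AuthnStatement) as a stand-in for what ADFS would issue, the issuer URL and the environment claim type are assumed names, and signature verification is deliberately left out.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace used by SAML 2.0 assertions.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed claim type for the environment code mentioned in the post.
ENV_CLAIM = "http://schemas.example.local/identity/claims/environment"


def make_assertion(audience: str, env_code: str) -> str:
    """Constructed, unsigned stand-in for the assertion ADFS would issue to a
    trust whose identifier is `audience`. The issuer URL is an assumption."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_constructed" IssueInstant="2018-02-22T20:01:00Z">
  <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2018-02-22T20:01:00Z" NotOnOrAfter="2018-02-22T20:06:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ENV_CLAIM}">
      <saml:AttributeValue>{env_code}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def audience_restrictions(assertion_xml: str) -> List[List[str]]:
    """One list of Audience values per AudienceRestriction element.
    In production, verify the XML signature before parsing and use defusedxml."""
    root = ET.fromstring(assertion_xml)
    restrictions = []
    for ar in root.findall("saml:Conditions/saml:AudienceRestriction", SAML_NS):
        restrictions.append(
            [(a.text or "").strip() for a in ar.findall("saml:Audience", SAML_NS)]
        )
    return restrictions


def sp_accepts(assertion_xml: str, sp_entity_id: str) -> bool:
    """Each AudienceRestriction is satisfied only if the relying party's
    entityID is one of its Audiences. Values are compared as exact strings,
    which is what SP stacks normally do, so https://SP1/app1 never matches
    https://SP1/app. Hardening beyond the spec: an assertion with no
    AudienceRestriction at all is refused, because it could be replayed at
    any other SP that trusts the same IdP."""
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return False
    return all(sp_entity_id in audiences for audiences in restrictions)


def environment_code(assertion_xml: str) -> Optional[str]:
    """Read the custom environment claim, which is what the SP should use to
    route between production and training, since the audience cannot vary."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == ENV_CLAIM:
            val = attr.find("saml:AttributeValue", SAML_NS)
            return (val.text or "").strip() if val is not None else None
    return None


if __name__ == "__main__":
    sp_id = "https://SP1/app"
    for aud, env in [("https://SP1/app", "PROD"), ("https://SP1/app1", "TRAIN")]:
        token = make_assertion(aud, env)
        verdict = "accepted" if sp_accepts(token, sp_id) else "rejected"
        print(f"audience={aud} env={environment_code(token)}: {verdict}")
```

Run as-is: the assertion for https://SP1/app is accepted and the one for https://SP1/app1 is rejected, which is the behaviour the vendor's endpoint shows. The environment code travels in the AttributeStatement, so one trust with one identifier can still tell the two environments apart on the SP side.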