Pass domain\username to relying party from ADFS 3.0

  • Question

  • We've been told that we may need to pass the "domain\username" to a relying party from our ADFS 3.0 implementation, but I'm not sure how this can be achieved, as it doesn't appear to be an LDAP attribute that's available in AD.

    We normally use UPN or email address but have never been asked this before. Any suggestions?

    Cheers for now

    Russell

    Friday, January 20, 2017 5:06 PM

Answers

  • Use a Transform rule.

    WindowsAccountName is Incoming.

    Outgoing is something from the drop-down or you can type a name into the field.

    e.g.

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     => issue(Type = "My claim type", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

    • Marked as answer by RSBurnell Tuesday, January 24, 2017 11:17 AM
    Sunday, January 22, 2017 8:51 PM

All replies

  • From memory, WindowsAccountName is in this form.

    So just a Pass Through or Transform rule from this to whatever claim you want.

    Sunday, January 22, 2017 6:02 PM
  • Thanks for the response but which AD LDAP attribute do I pass in order to see the domain\username?

    The WindowsAccountName is the outgoing claim type, but I'm not sure how to populate it with the required info from AD.

    Cheers for now

    Russell

    Sunday, January 22, 2017 8:31 PM
  • You'll have to forgive my lack of knowledge but I'm fairly new to "custom rules" in ADFS.

    If I look at the Claim Rules for the Relying Party in question I can add a new rule and pick some options from the drop-down list from AD, but there's no option in there for anything that includes the "domain\username".

    I can see the attribute you're referring to in the Outgoing Claim Type, but I'm not sure how to populate this with the required information from AD.

    Cheers for now

    Russell

    Sunday, January 22, 2017 10:58 PM
  • WindowsAccountName is not an attribute in AD.

    It's a default claim in ADFS made up of a number of elements.

    Just use it as input and output to whatever claim type you want.

    So e.g. output to:

    http://schemas.microsoft.com/ws/2008/06/identity/claims/userid

    which isn't an item in the drop-down but you can type it in.

    (The drop-down is actually editable!)

    Monday, January 23, 2017 12:08 AM
  • I'm still not sure how the "WindowsAccountName" gets populated if it's not from AD?

    I've only got the local AD to work with so where do the domain\username details come from?

    Sorry to be a pain

    Russell

    Monday, January 23, 2017 12:19 AM
  • What I meant was that there is no attribute in AD called WindowsAccountName.

    Behind the scenes, ADFS takes information from a number of AD attributes and builds up this dummy "attribute".

    So you can just use this to transform to whatever claim you want.


    Monday, January 23, 2017 5:55 PM
  • I think it should be the SAMACCOUNTNAME
    Monday, January 23, 2017 6:51 PM
  • I looked at that attribute in AD but it just contains the username (without the domain\ prefix).

    Cheers for now

    Russell

    Monday, January 23, 2017 7:25 PM
  • I think we're at crossed purposes here. I appreciate that there is a claim type called WindowsAccountName, but my original question was: is there any way to populate a claim with the user's domainname\username from AD?

    Cheers for now

    Russell

    Monday, January 23, 2017 7:26 PM
  • What is the name of the claim that you want to contain domainname\username?

    This can be anything you want.

    In other words, the claim the application is going to use.

    • Edited by nzpcmad1 Monday, January 23, 2017 7:49 PM
    Monday, January 23, 2017 7:48 PM
  • As nzpcmad1 has explained already, you can use WindowsAccountName to pass the Domain\Username as a claim to a Relying Party. This is not an attribute you can query via Active Directory; it's a claim that ADFS puts together itself. So therefore you won't be able to use the "Send LDAP attributes as claims" rule in ADFS to grab the information. (If you instead check the Claims Provider Trust for Active Directory you will find a rule called "Pass through all Windows account name claims", and that's what makes it available in ADFS for later use.)

    So the "only" solution to your question that I can think of is to create either a "Pass Through" claim rule that sends the claim WindowsAccountName as "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", OR you can create a custom rule and specify this:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     => issue(Type = "http://adatum.com/department", Value = c.Value);

    Where "http://adatum.com/department" can be any claim type you would like, like URI or URN:OID.

    Monday, January 23, 2017 9:02 PM
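The two routes described in this thread (the Transform rule from the accepted answer and the custom rule above) both have to be added to the relying party's existing issuance transform rule set rather than replacing it. The script below is an added example, not code posted by anyone in the thread: it appends the accepted answer's Transform rule to a relying party trust with the ADFS PowerShell module on an ADFS 3.0 (Windows Server 2012 R2) server. The relying party display name and the outgoing claim type URI are placeholders; the `Issuer == "AD AUTHORITY"` condition is an addition, so that only the windowsaccountname claim ADFS builds from a local AD logon is forwarded, and not one that arrives from another claims provider trust.

```powershell
# Added example, not code from the thread. Appends the accepted answer's
# Transform rule to an existing relying party trust on ADFS 3.0.
# Placeholders: $rpName (trust display name) and $outgoingClaim (claim type URI).
Import-Module ADFS

$rpName         = "Example RP"                                # placeholder
$outgoingClaim  = "http://example.com/claims/domainusername"  # placeholder URI
$windowsAccount = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# The Transform rule. @RuleTemplate/@RuleName are optional labels that let the
# ADFS console show the rule under its template; the rule works without them.
# The Issuer condition restricts the rule to the claim ADFS derives from the
# local Active Directory logon ("AD AUTHORITY"), so a domain\username value
# forwarded by a federated claims provider is not passed on by this rule.
$transformRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Pass domain\username to the application"
c:[Type == "$windowsAccount", Issuer == "AD AUTHORITY"]
 => issue(Type = "$outgoingClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Do not add the rule twice: a second copy would issue the claim twice.
if ($rp.IssuanceTransformRules -like "*$outgoingClaim*") {
    Write-Warning "A rule on '$rpName' already issues $outgoingClaim; nothing changed."
    return
}

# -IssuanceTransformRules replaces the whole rule set, so append to the
# rules that are already there instead of overwriting them.
$ruleSet = @($rp.IssuanceTransformRules, $transformRule) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $ruleSet

# Print the resulting rule set so the change can be reviewed.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

To use the Pass Through variant instead, replace the `issue(...)` line with `=> issue(claim = c);` and leave the claim type as windowsaccountname on the application side. Either way, the claim value is whatever AD reports for the logged-on account (domain\sAMAccountName), which is why a Send LDAP Attributes rule on sAMAccountName alone never shows the domain prefix.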
  • Thanks for that, I was under the impression that a Pass Through rule was only applicable to claims being proxied from a Federation Partner. From what you've suggested I can just create a Pass Through rule with the WindowsAccountName in both parts of the rule?

    I'll modify my Relying Party to accept the claim and see what happens.

    Cheers for now

    Russell

    Tuesday, January 24, 2017 10:18 AM
  • That seems to have done the trick thanks.

    I created a new "Pass Through" rule with an incoming claim of "WindowsAccountName" and updated my relying party to accept the new claim.

    Logging onto the web application shows the claims and the new one with domain\username perfectly.

    Thanks again to you both for your assistance.

    Cheers for now

    Russell

    Tuesday, January 24, 2017 11:16 AM
  • Can you please share in detail the custom claim rule that was used by you. I have the same requirement to federate one of the applications with ADFS, and need to pass the Domain\Username as a claim rule.

    I have some difficulties in creating custom claim rules; currently the "Send LDAP Attributes as Claims" claim rule is configured with the attributes below:

    LDAP Attribute      Outgoing Claim Type
    SAM-Account-Name    Name ID
    SAM-Account-Name    username
    Given-Name          firstName
    Surname             lastName

    Monday, January 6, 2020 10:19 PM
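The setup asked for in the last post is the thread's Pass Through rule sitting next to an existing "Send LDAP Attributes as Claims" rule. The script below is an added example, not a rule set anyone in the thread posted: it writes the complete issuance transform rule set for that table (the four LDAP mappings plus the Pass Through rule for domain\username) and loads it with `Set-AdfsRelyingPartyTrust -IssuanceTransformRulesFile`. It assumes the ADFS module on an ADFS 3.0 server; the relying party name is a placeholder, and the outgoing claim types "username", "firstName" and "lastName" are taken from the post as given.

```powershell
# Added example, not code from the thread. Builds the full rule set for the
# last post's table plus a Pass Through rule for domain\username, and applies it.
# Placeholder: $rpName. Claim types "username", "firstName", "lastName" are the
# poster's own names, reproduced unchanged.
Import-Module ADFS

$rpName         = "Example RP"   # placeholder: relying party trust display name
$windowsAccount = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$nameId         = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Rule 1: what the "Send LDAP Attributes as Claims" template produces for the
# table in the post. The LDAP lookup is itself keyed on the windowsaccountname
# claim, which shows that claim is already in the pipeline before any LDAP rule
# runs. The query lists one AD attribute per outgoing claim type, same order.
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes as Claims"
c:[Type == "$windowsAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$nameId", "username", "firstName", "lastName"), query = ";sAMAccountName,sAMAccountName,givenName,sn;{0}", param = c.Value);
"@

# Rule 2: the Pass Through rule Russell used. The claim keeps its original type,
# so the application has to read windowsaccountname. The Issuer condition limits
# the rule to accounts authenticated against the local Active Directory.
$passThroughRule = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through domain\username"
c:[Type == "$windowsAccount", Issuer == "AD AUTHORITY"]
 => issue(claim = c);
"@

# Write the rule set to a file first: it leaves a reviewable copy of exactly
# what was applied, and -IssuanceTransformRulesFile reads that file.
$rulesFile = Join-Path $env:TEMP "$rpName-issuance-rules.txt"
Set-Content -Path $rulesFile -Value (@($ldapRule, $passThroughRule) -join "`r`n")

# Note: this replaces the trust's current issuance transform rules with the
# two rules above. Back up the existing set before running this on a live trust:
#   (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules | Set-Content backup.txt
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRulesFile $rulesFile

# Confirm what the trust now issues.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

After signing in to the application, the token should carry the four LDAP-derived claims from the table and a fifth claim of type windowsaccountname whose value is domain\username, matching what Russell reported seeing.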