I don’t have much time, so this is a short post.
I had to set up ADFS 2.0 to pass claims. Hopefully, someone will figure out how to update that version someday :-).
We found that the built-in Edit Claims rules work well for global domains, but they weren't coming through for local domains.
I found one post on the internet and it had a great comment at the bottom. Unfortunately, it didn't work. A few hours later, after calling a friend, he spotted the issue.
I’ve added a comment to that post and decided to share it here as well.
Thanks @Andrei for the post. I wouldn't have gotten this to work without you. It took me a while, but I got it to work after getting help. The ../ in your example threw me off for a while. Here's what I ended up with.
Click edit claims on the trust.
Add 2 new "Send Claims Using a Custom Rule" rules.
The first: Name: Custom - DN
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://temp/dn"), query = ";distinguishedName;{0}", param = c.Value);
The second: Name: Custom - Groups
c1:[Type == "http://temp/dn"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = "(member:1.2.840.113556.1.4.1941:={0});name;{1}", param = c1.Value, param = c2.Value);
My app is expecting http://schemas.xmlsoap.org/claims/Group, so I changed that and used this custom rule to transform it to that.
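As an added illustration (not part of the original post, the comment, or ADFS itself), the following Python models what the two rules do against a small constructed in-memory directory: stage one resolves DOMAIN\user to a distinguishedName, and stage two emulates the (member:1.2.840.113556.1.4.1941:={0}) chain filter, which walks nested membership (and must tolerate circular nesting), returning each matching group's name, the value that becomes one Group claim. A plain (member={0}) filter is included for contrast, since it only returns the groups the user is a direct member of. All DNs, account names and group names are made up.

```python
"""Model of the two-stage lookup performed by the "Custom - DN" and
"Custom - Groups" claim rules.  Added example, not ADFS code: a tiny
in-memory directory (constructed sample data) stands in for Active
Directory so the behaviour can be run offline."""
from collections import deque

GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample directory: DN -> attributes.  Engineering and All Staff
# nest each other on purpose, so the chain walk has to cope with a cycle.
DIRECTORY = {
    "CN=jdoe,OU=Users,DC=corp,DC=example": {
        "objectClass": "user", "sAMAccountName": "jdoe", "domain": "CORP"},
    "CN=asmith,OU=Users,DC=corp,DC=example": {
        "objectClass": "user", "sAMAccountName": "asmith", "domain": "CORP"},
    "CN=Developers,OU=Groups,DC=corp,DC=example": {
        "objectClass": "group", "name": "Developers",
        "member": ["CN=jdoe,OU=Users,DC=corp,DC=example"]},
    "CN=Engineering,OU=Groups,DC=corp,DC=example": {
        "objectClass": "group", "name": "Engineering",
        "member": ["CN=Developers,OU=Groups,DC=corp,DC=example",
                   "CN=AllStaff,OU=Groups,DC=corp,DC=example"]},
    "CN=AllStaff,OU=Groups,DC=corp,DC=example": {
        "objectClass": "group", "name": "All Staff",
        "member": ["CN=Engineering,OU=Groups,DC=corp,DC=example"]},
    "CN=Finance,OU=Groups,DC=corp,DC=example": {
        "objectClass": "group", "name": "Finance",
        "member": ["CN=asmith,OU=Users,DC=corp,DC=example"]},
}


def rule1_dn_for_account(directory, windows_account_name):
    """Stage 1 ("Custom - DN"): the query ";distinguishedName;{0}" takes the
    DOMAIN\\user value of the windowsaccountname claim and returns the
    account's distinguishedName, stored in the temporary http://temp/dn claim."""
    domain, _, sam = windows_account_name.partition("\\")
    for dn, attrs in directory.items():
        if (attrs.get("objectClass") == "user"
                and attrs["sAMAccountName"].lower() == sam.lower()
                and attrs["domain"].lower() == domain.lower()):
            return dn
    return None


def _direct_parents(directory):
    """Index: member DN -> DNs of the groups that list it directly."""
    parents = {}
    for dn, attrs in directory.items():
        if attrs.get("objectClass") == "group":
            for member in attrs.get("member", []):
                parents.setdefault(member, []).append(dn)
    return parents


def direct_group_names(directory, member_dn):
    """What a plain (member={0}) filter returns: direct memberships only."""
    parents = _direct_parents(directory)
    return sorted(directory[g]["name"] for g in parents.get(member_dn, []))


def rule2_group_names(directory, member_dn):
    """Stage 2 ("Custom - Groups"): emulate the LDAP_MATCHING_RULE_IN_CHAIN
    filter (member:1.2.840.113556.1.4.1941:={0}), which matches every group
    whose member chain reaches member_dn, i.e. direct *and* nested membership.
    The 'name' attribute of each match becomes one Group claim.  (In the real
    rule, {1} is the DOMAIN\\user value the AD store uses to pick the domain
    to query; the directory here is single-domain, so it is not modelled.)"""
    parents = _direct_parents(directory)
    seen = set()
    queue = deque([member_dn])
    while queue:
        current = queue.popleft()
        for group_dn in parents.get(current, []):
            if group_dn not in seen:  # the seen-set stops circular nesting from looping
                seen.add(group_dn)
                queue.append(group_dn)
    return sorted(directory[g]["name"] for g in seen)


def issue_group_claims(directory, windows_account_name):
    """Chain the two stages as the rule set does: without a DN claim from
    stage 1, stage 2 has nothing to match and no Group claims are issued."""
    dn = rule1_dn_for_account(directory, windows_account_name)
    if dn is None:
        return []
    return [(GROUP_CLAIM, name) for name in rule2_group_names(directory, dn)]


if __name__ == "__main__":
    for claim_type, value in issue_group_claims(DIRECTORY, "CORP\\jdoe"):
        print(claim_type, "=", value)
```

Running it for CORP\jdoe issues three Group claims (All Staff, Developers, Engineering), whereas the direct-membership filter would have returned Developers alone; that difference is exactly the nested-group case the chain rule exists for.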