ADFS 2.0 E-mail address claim transformation

adfs

I currently have an ADFS 2.0 environment which we use to provide SSO to a bunch of external SaaS applications (Cisco WebEx, Workday, Service Now and Cisco Jabber to name a few)

The business I work for has been acquired and the default e-mail addresses of all users are being changed. This will cause issues for most (if not all) Relying Parties, as they all use the E-mail-Addresses claim as UserName or ID.

I did a test with one of the dev SaaS apps we use and modified an existing claim on the RPT from "Pass through all claim values" to "Replace incoming e-mail suffix claims with a new e-mail suffix" and it worked as expected using a test account.

Is there a better way to handle this? I'd rather transform the E-mail Address attribute only once than do it for every RPT (if it can be done!).

Thanks for all your help!
Francis

Best Answer

I guess you get the email address of your users using a rule on your claim provider trust "Active Directory". What you could do is:

Create a new Claims Description, with this claim type for instance: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/wrongemailaddress

Replace your 2 rules:

AD CPT => get email from AD, put it in claim "emailaddress".
SaaS RPT => pass through claim "emailaddress".

With these 3:

AD CPT => get email from AD, put it in claim "WRONGemailaddress".
AD CPT => get claim "WRONGemailaddress",
          replace the email suffix,
          put the new value in a claim "emailaddress"
          (you can do all of this with a rule "Transform an Incoming Claim" I think)
SaaS RPT => pass through claim "emailaddress".

So you are only modifying the rules on one trust, your AD claim provider trust.
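The three rules from the answer, written out in the AD FS claim rule language and applied with the AD FS 2.0 PowerShell snap-in. This is an added example, not code from the thread or from Microsoft documentation; it assumes the claims provider trust is named "Active Directory", that the relying party is named "SaaS Dev App" (placeholder), and uses a placeholder new suffix. The regexreplace form is the one the "Transform an Incoming Claim" template emits for suffix replacement; the AD attribute-store query pulls the `mail` attribute by Windows account name.

```powershell
# Added example (not from the original thread). Assumptions: the claims provider
# trust is named "Active Directory"; the relying party name and the new e-mail
# suffix below are placeholders to adjust for your environment.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$WrongEmailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/wrongemailaddress"
$EmailType      = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$NewSuffix      = "newcompany.example"   # placeholder: the post-acquisition suffix
$SaaSRptName    = "SaaS Dev App"         # placeholder: your relying party trust name
$CptName        = "Active Directory"

# Step 1: register the intermediate claim type so it appears in the GUI pickers.
Add-ADFSClaimDescription -Name "Wrong E-Mail Address" -ClaimType $WrongEmailType

# Safety net: Set-*-TransformRules REPLACES the whole rule set on the trust,
# so capture the current rules first and merge anything you still need
# (e.g. group or UPN rules) into the text below before applying it.
$backupPath = Join-Path $env:TEMP "adfs-cpt-rules-backup.txt"
(Get-ADFSClaimsProviderTrust -Name $CptName).AcceptanceTransformRules | Out-File $backupPath
Write-Host "Existing acceptance rules saved to $backupPath"

# Step 2: the two acceptance transform rules on the AD claims provider trust.
# Note the backtick before ${user}: it keeps PowerShell from expanding it, so
# the literal ${user} reaches the claim rule engine as a regex group reference.
$cptRules = @"
@RuleName = "Email from AD into WRONGemailaddress"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$WrongEmailType"), query = ";mail;{0}", param = c.Value);

@RuleName = "Replace e-mail suffix into emailaddress"
c:[Type == "$WrongEmailType"]
 => issue(Type = "$EmailType", Value = regexreplace(c.Value, "(?<user>[^@]+)@(.+)", "`${user}@$NewSuffix"));
"@

# Step 3: the relying party only passes the already-rewritten claim through.
$rptRules = @"
@RuleName = "Pass through emailaddress"
c:[Type == "$EmailType"]
 => issue(claim = c);
"@

Set-ADFSClaimsProviderTrust -TargetName $CptName -AcceptanceTransformRules $cptRules
Set-ADFSRelyingPartyTrust   -TargetName $SaaSRptName -IssuanceTransformRules $rptRules

# Verify what actually landed on the trusts before testing with a user account.
(Get-ADFSClaimsProviderTrust -Name $CptName).AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name $SaaSRptName).IssuanceTransformRules
```

Because the suffix rewrite happens on the claims provider trust, every relying party that already passes `emailaddress` through sees the new address without any per-RPT change; the one thing to check per RPT is that none of them still reads `wrongemailaddress` directly or has its own suffix-replacement rule left over from testing.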