ADFS sAMAccountName – How to Send Without Domain


I'm using ADFS and I need to send the sAMAccountName.

Currently using a "Transform an incoming claim" rule:
Incoming claim type: Windows account name
Outgoing claim type: Name ID
Outgoing name ID format: Email
(I know the format is actually wrong, but that's the format the provider wants and it works.)

Unfortunately the username is sent including the domain prefix, so e.g. "domain\username".
How can I get rid of "domain"?

I tried with transforming it via

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    => issue(Type = "sswindowsaccountname", Value = RegexReplace(c.Value, "^Domain\\", ""));

Unfortunately it doesn't work.

Does anybody know how I can resolve that? Thanks!

Best Answer

You can achieve this without a custom rule by creating a rule from the template Send LDAP Attributes as Claims and then transforming that claim as you already did.

Rule 1: Send LDAP Attributes as Claims
Attribute Store: Active Directory
Mapping 1 LDAP Attribute: SAM-Account-Name
Mapping 1 Outgoing Claim Type: samaccountname (Choose a name of your liking)

Rule 2: Transform an Incoming Claim
Incoming claim type: samaccountname (Use the name you chose in rule 1)
Outgoing claim type: Email Address (Don't know the exact English wording)
Option: Pass through all claim values

Due to the nature of how the wizard is built, ADFS will also send the intermediary claim from rule 1, but that shouldn't be a concern. If you create a custom rule, you can omit adding that claim, but that requires deeper knowledge of the syntax and raises complexity. I would not recommend it unless you deal with SAML on a weekly basis.
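For reference, here is the custom-rule equivalent of the two wizard rules in the answer above, applied with the AD FS PowerShell module. This is an added example, not code from the answerer; it assumes a relying party named "ExampleRP" (placeholder), a self-chosen URI for the intermediary claim type, and the Name ID / e-mail format combination the question uses. Rule 1 uses `add` instead of `issue`, which is the custom-rule mechanism the answer alludes to for keeping the intermediary claim out of the token.

```powershell
# Added example (not from the original answer). Assumptions: relying party
# "ExampleRP" is a placeholder name, and the intermediary claim type URI
# "http://example.invalid/claims/samaccountname" is one we pick ourselves.

$rules = @'
@RuleName = "Rule 1: look up sAMAccountName for the authenticated Windows account"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory",
        types = ("http://example.invalid/claims/samaccountname"),
        query = ";sAMAccountName;{0}",
        param = c.Value);

@RuleName = "Rule 2: issue the bare sAMAccountName as Name ID (e-mail format)"
c:[Type == "http://example.invalid/claims/samaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer,
          Value = c.Value,
          ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
              = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# -IssuanceTransformRules replaces the whole rule set of the relying party,
# so review what is there first and merge if other rules must survive.
(Get-AdfsRelyingPartyTrust -Name "ExampleRP").IssuanceTransformRules

Set-AdfsRelyingPartyTrust -TargetName "ExampleRP" -IssuanceTransformRules $rules
```

Because rule 1 uses `add`, the "samaccountname" claim only exists in the pipeline's input set and is never emitted; only the Name ID from rule 2 reaches the provider.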