Configuring ADFS to pass SID as claim

adfs

I have a system where we are using ADFS as identity provider to provide single sign on with a WIF-based .NET application. All works well and we are able to pass all claims as we need, for example here is the rule to pass the last name:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
Issuer == "AD AUTHORITY"]  
=> issue(store = "Active Directory", 
types = ("http://example.com/identity/claims/portal/lastname"), 
query = ";sn;{0}", param = c.Value);

However now, I need to add two rules that I have trouble with, first one is to pass SID and the other one is to pass SAM account name (domain\user). They do not exist in the predefined list in the ADFS claim configuration wizard, and I was trying to write custom rules for those but I cannot get those to work.

Could you point me to reference how could I extract those properties if it is indeed possible?

I apologize if I messed up some nomenclature, I usually work on the code side of things, foraying into AD only if I have no other choice 🙂 All corrections are welcome.

Best Answer

Pass the objectguid instead of SID to get a truly immutable ID for an AD object.

Something similar to:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
  => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";objectGUID;{0}", param = c.Value);
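A consuming-side check to go with the rule above, added here as an example and not part of the answer or of ADFS itself. It assumes (as is the usual behaviour of the "Active Directory" attribute store for binary attributes) that the objectGUID arrives in the nameidentifier claim as the base64 encoding of the raw 16 attribute bytes, in the same byte order that Windows uses for a GUID. The relying party therefore has to decode it before it can compare it with the GUID it stored at first login; this Python stands in for the equivalent logic in the WIF application, where `new Guid(Convert.FromBase64String(value))` does the same conversion. The sample claim value is constructed.

```python
import base64
import binascii
import uuid


def objectguid_claim_to_guid(claim_value: str) -> str:
    """Decode an objectGUID claim value (base64 of the raw 16 bytes) into the
    canonical dashed GUID string, as AD tools and .NET would display it.

    Assumption: ADFS emits the attribute bytes base64-encoded and the bytes are
    in Windows GUID byte order (first three fields little-endian), which is why
    uuid.UUID(bytes_le=...) is used rather than uuid.UUID(bytes=...).
    """
    try:
        raw = base64.b64decode(claim_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"nameidentifier claim is not valid base64: {claim_value!r}") from exc
    # A stringified SID ("S-1-5-...") or any other text would fail this length
    # check, so a misconfigured rule is rejected instead of silently accepted.
    if len(raw) != 16:
        raise ValueError(f"expected 16 objectGUID bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def guid_to_objectguid_claim(guid: str) -> str:
    """Inverse of the above: produce the claim value ADFS would emit for a GUID.
    Handy for building test fixtures that mimic the federation server."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def same_identity(stored_guid: str, claim_value: str) -> bool:
    """Compare the immutable ID the application stored at first sign-on with the
    ID carried in the current token. Comparing parsed GUIDs avoids false
    mismatches caused by case or formatting differences."""
    return uuid.UUID(stored_guid) == uuid.UUID(objectguid_claim_to_guid(claim_value))


if __name__ == "__main__":
    # Constructed sample: the base64 form of GUID 01020304-0506-0708-090a-0b0c0d0e0f10
    sample_claim = "BAMCAQYFCAcJCgsMDQ4PEA=="
    print(objectguid_claim_to_guid(sample_claim))
    print(same_identity("01020304-0506-0708-090a-0b0c0d0e0f10", sample_claim))
```

Because the nameidentifier claim is what the application keys its user records on, the decode step is also the right place to reject anything that is not a 16-byte value: if an administrator later edits the rule to emit a different attribute, users are refused rather than silently mapped to the wrong record.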