How to get Subject from client certificate issued as a claim in ADFS

Tags: adfs, saml, x509

I'm using Certificate Based Authentication in ADFS 3.0 and need to get the Subject field from the client certificate issued as a claim, but it's not available as an incoming claim to ADFS.

When I enable auditing I can see that it's present in the caller identity as the following claim type:
http://schemas.microsoft.com/2012/12/certificatecontext/field/subject

But it doesn't get issued in the Issued identity, and thus is not available as an incoming claim to use in the Claims Rules.

Has anyone done this before? Can you tweak the incoming claims from client certificates?

Best Answer

I solved this by tweaking the [AdfsConfiguration].[IdentityServerPolicy].[Policies] table in the ADFS configuration database. There's a record that covers the inbound claims. On my database its ID is '88EDF726-83FA-E511-80C5-000D3AB14473', though I don't know if these are constant values or vary by deployment. You can tell which one it is as it's quite long and has the cert EKU claim in it.

I modified it to include the following rule:

```text
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through certificate Subject claim"
c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
 => issue(claim = c);
```
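The answer identifies the inbound-claims policy row by the fact that it contains the certificate EKU claim type, and notes that the row's GUID may differ between deployments. The PowerShell below is an added example, not code from the original question or answer, that locates that row by content instead of by GUID and reports whether the certificate Subject claim type is already passed through. It assumes ADFS 3.0 backed by the Windows Internal Database (WID), an elevated session on the primary federation server, and the table name IdentityServerPolicy.Policies from the answer; the EKU claim type URI, the WID named-pipe data source and the function name Get-AdfsInboundPolicyRow are the example's own choices.

```powershell
# Added example, not part of the original answer. Assumptions: ADFS 3.0 on WID,
# run elevated on the primary federation server, table name taken from the
# answer above. The policy row is found by content (the cert EKU claim type),
# because the answer says its GUID may not be constant across deployments.

$ConnectionString = 'Data Source=np:\\.\pipe\MICROSOFT##WID\tsql\query;' +
                    'Initial Catalog=AdfsConfiguration;Integrated Security=True'

# Claim type URIs: the EKU one marks the inbound-claims policy row, the Subject
# one is the claim the question wants passed through.
$EkuClaimType     = 'http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku'
$SubjectClaimType = 'http://schemas.microsoft.com/2012/12/certificatecontext/field/subject'

function Get-AdfsInboundPolicyRow {
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [Parameter(Mandatory)][string]$MarkerClaimType
    )

    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        # Read-only query; nothing here modifies the configuration database.
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter(
            'SELECT * FROM IdentityServerPolicy.Policies', $conn)
        $table = New-Object System.Data.DataTable
        [void]$adapter.Fill($table)
    } finally {
        $conn.Close()
    }

    # Walk every string-valued column so the script does not depend on the
    # name of the column that holds the policy text (assumed, not verified).
    foreach ($row in $table.Rows) {
        foreach ($col in $table.Columns) {
            $value = $row[$col]
            if ($value -is [string] -and $value.Contains($MarkerClaimType)) {
                return [pscustomobject]@{
                    Row        = $row
                    ColumnName = $col.ColumnName
                    PolicyText = $value
                }
            }
        }
    }
    return $null
}

$hit = Get-AdfsInboundPolicyRow -ConnectionString $ConnectionString -MarkerClaimType $EkuClaimType
if (-not $hit) {
    Write-Warning 'No policy row containing the cert EKU claim type was found; table name or claim type may differ on this version.'
    return
}

# Show the identifying columns of the matched row so the operator can record
# the ID before touching anything.
foreach ($col in $hit.Row.Table.Columns) {
    if ($col.ColumnName -ne $hit.ColumnName) {
        '{0} = {1}' -f $col.ColumnName, $hit.Row[$col]
    }
}

if ($hit.PolicyText.Contains($SubjectClaimType)) {
    Write-Output 'Inbound policy already references the certificate Subject claim type.'
} else {
    Write-Output ("Inbound policy (column '{0}') does not pass through the certificate Subject claim." -f $hit.ColumnName)
    Write-Output 'Back up the AdfsConfiguration database before adding the pass-through rule from the answer to this policy text.'
}
```

The script only reads; the edit itself is left to the operator because writing directly to the ADFS configuration database is not a supported configuration path, so take a backup of the AdfsConfiguration database first and expect the change to need re-checking after ADFS updates. On a SQL Server-backed farm replace the WID named-pipe data source with the farm's SQL instance.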