How to remove or delete an outgoing claim in AD FS

adfs saml

My client's claims issuance rules for a relying trust don't include this claim, but it ends up in the outgoing claims and crashes Okta:
http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser

They have this as a Custom Rule on the Relying Trust for my app:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("userName", "firstName", "lastName", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName,givenName,sn,mail,userPrincipalName;{0}", param = c.Value);

During an IdP-initiated SAML login, AD FS is sending http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser as well. It appears to be related to device registration, Device Context, and AD FS MFA.

The customer uses these claims for other Relying Trusts, so I can't remove them entirely.

Is there a way to disable passing through these claims on a specific Relying Trust?

How can I remove or delete a specific outgoing claim?

Best Answer

You don't control the ADFS you're talking about, do you? It belongs to a third party (the third party being the client for whom you're developing an app), doesn't it?

ADFS lets you (resp. the admin) define several Relying Party Trusts (RPT). You can then define individual Issuance Transform Rules for each RPT. So if there's a distinct RPT defined for your app, then stopping the unwanted claim from being issued should be as simple as removing that claim from the Issuance Transform Rules of the RPT defined for your app.

You mentioned that this claim is relevant for other relying parties. As long as there are other RPTs defined for those RPs (and the claim stays included in their Issuance Transform Rules), everything should be fine.

Do you have access to the complete Issuance Transform Rules for your app? Could you post them here (without disclosing confidential information)? Maybe this could help clarify your case.
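Added example, not part of the question or the answer above: a PowerShell session on the AD FS server that dumps the Issuance Transform Rules of one Relying Party Trust, locates what issues the device claim, and rewrites that RPT's rule set so the claim is no longer issued to that RP only. It assumes the RPT is named "My App" (hypothetical name), that the session runs as an AD FS administrator, and that the unwanted claim reaches the RP through a blanket pass-through rule such as `c:[] => issue(claim = c);` (an assumption; the question does not show the full rule set). Other RPTs keep their own rule sets untouched.

```powershell
# Added example (not the original poster's or answerer's code).
# Assumptions: run on the AD FS server as an AD FS admin; RPT name "My App"
# is hypothetical; the unwanted claim is issued by a blanket pass-through rule.
Import-Module ADFS

$rptName  = "My App"   # hypothetical Relying Party Trust display name
$unwanted = "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"

# 1. Dump the current Issuance Transform Rules for this RPT.
$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
Write-Host "Current Issuance Transform Rules for '$rptName':"
$rpt.IssuanceTransformRules

# 2. Find the rule lines that can issue the claim: either a rule that names the
#    claim type explicitly, or a blanket pass-through "c:[] => issue(claim = c);".
$rpt.IssuanceTransformRules -split "`r?`n" |
    Where-Object {
        $_ -match [regex]::Escape($unwanted) -or
        $_ -match '^\s*c:\[\]\s*=>\s*issue\(claim\s*=\s*c\)'
    } |
    ForEach-Object { Write-Host "Issues the claim: $_" }

# 3. Build the replacement rule set. Rules run in order and a claim issued by an
#    earlier rule cannot be removed by a later one, so the filter has to live in
#    the rule that would otherwise issue it: the blanket pass-through becomes a
#    pass-through of every claim type except the unwanted one. The Active
#    Directory query rule from the question is kept verbatim.
$newRules = @"
@RuleName = "Pass through all claims except the device registration claim"
c:[Type != "$unwanted"]
 => issue(claim = c);

@RuleName = "Attributes from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("userName", "firstName", "lastName", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName,givenName,sn,mail,userPrincipalName;{0}", param = c.Value);
"@

# 4. Apply the rule set to this RPT only. Other RPTs are not touched, so relying
#    parties that need the device claim keep receiving it.
Set-AdfsRelyingPartyTrust -TargetName $rptName -IssuanceTransformRules $newRules

# 5. Verify that the stored rules no longer contain an unfiltered pass-through.
(Get-AdfsRelyingPartyTrust -Name $rptName).IssuanceTransformRules
```

If step 2 prints nothing, the claim is not coming from this RPT's issuance rules as dumped, so look at the other rules in the set (for example one created from a template that issues device context claims) before replacing anything; `Set-AdfsRelyingPartyTrust -IssuanceTransformRules` overwrites the whole rule set, so keep the output of step 1 as a backup. After the change, an IdP-initiated login to this RP can be checked with a SAML tracer: the assertion should carry the five Active Directory attributes and no `devicecontext` claim.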