Is it possible to pass a SAML assertion depending upon an attribute on the User?

adfs

In Salesforce – ADFS SSO, with AD being the IdP and the AD 'Username' being the SAML User Id:

There are two types of users (standard users and portal users) in Salesforce.

For SSO of portal users, the SAML assertion must contain two more parameters (with hard-coded values).
For SSO of standard users, the SAML assertion must NOT contain these parameters.

Is the following solution possible to implement in AD?
"Create a new field on the User object. If it contains a certain value, pass the parameters. If there is no value, do not pass the parameters."

OR

Two separate SSOs (one for each type of user) must be set up with the same SP.
Is it actually possible to set up two SSOs with the same SP on the ADFS side?

Note:-
I am totally unaware of AD; if the question doesn't make sense, do point it out and I will try to rephrase.

Best Answer

Yes, you can do the former.

You can define new attribute(s) or use existing unused attributes on the user object. Extending the schema is preferred if you don't have a purpose-built attribute to store the data you intend to store. See http://msdn.microsoft.com/en-us/library/windows/desktop/ms676929(v=vs.85).aspx

Please note: only use existing attributes if they are defined specifically for that purpose. If you re-use an attribute that is currently unused but is later deemed necessary for other software, you may run into difficulties.

Then populate the attributes as intended.

Then you can use custom claim rules, or even the built-in rule template for extracting LDAP attributes and sending them as claims. If the attribute is not populated, that LDAP query won't return data. Hence the specific claim won't get added/issued into the pipeline and won't get sent.

Start with http://blogs.technet.com/b/askds/archive/2011/10/07/ad-fs-2-0-claims-rule-language-primer.aspx to read up on claims rules. You can read the follow-up content linked at the bottom for more syntax details.
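The following is an added example of the approach described in the answer above; it is not part of the answer and not Salesforce or Microsoft code. It assumes a relying party trust named "Salesforce", that the marker attribute is extensionAttribute1 (a purpose-built or schema-extended attribute is better, as the answer says), that the marker value for portal users is "portal", and that the two hard-coded SAML attributes are named portal_id and organization_id with placeholder values; all of these are assumptions to be replaced with what your Salesforce portal settings actually require. The key point it shows is the split between add() and issue(): the marker attribute is only ever added to the claims pipeline, and the hard-coded claims are issued by a second rule that cannot fire when the marker is empty.

```powershell
# Added example, not from the answer above. Assumptions (all hypothetical):
#   - relying party trust in AD FS is named "Salesforce"
#   - the user-object marker attribute is extensionAttribute1
#   - portal users carry the marker value "portal"; standard users have it empty
#   - the hard-coded SAML attributes are portal_id and organization_id,
#     with placeholder values to be taken from your Salesforce portal settings
# Run in an elevated PowerShell on the AD FS server with the ADFS and
# ActiveDirectory modules available.

Import-Module ADFS
Import-Module ActiveDirectory

$rpName   = "Salesforce"
$marker   = "extensionAttribute1"
$portalId = "<PORTAL_ID>"          # placeholder, assumption
$orgId    = "<ORGANIZATION_ID>"    # placeholder, assumption

# 1. Tag one portal user and make sure a standard user has the attribute empty.
#    Both account names are constructed for this example.
Set-ADUser -Identity "portal.user"   -Replace @{ $marker = "portal" }
Set-ADUser -Identity "standard.user" -Clear $marker

# 2. Issuance transform rules for the trust.
#    Rule 1: NameID from sAMAccountName (the AD "Username" from the question).
#    Rule 2: read the marker with add(), not issue(), so it stays inside the
#            pipeline and never appears in the SAML assertion. If the attribute
#            is empty, the LDAP query returns nothing and no claim is added.
#    Rules 3-4: fire only when the marker claim exists with value "portal"
#            and issue the two hard-coded claims. Standard users never match.
$rules = @"
@RuleName = "NameID from sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Read Salesforce user-type marker from $marker"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://example.org/claims/sfdc-user-type"), query = ";$marker;{0}", param = c.Value);

@RuleName = "Portal users only: hard-coded portal_id"
c:[Type == "http://example.org/claims/sfdc-user-type", Value == "portal"]
 => issue(Type = "portal_id", Value = "$portalId");

@RuleName = "Portal users only: hard-coded organization_id"
c:[Type == "http://example.org/claims/sfdc-user-type", Value == "portal"]
 => issue(Type = "organization_id", Value = "$orgId");
"@

# 3. Install the rule set. Note: -IssuanceTransformRules replaces the trust's
#    existing issuance transform rules, so every rule you still need must be
#    in $rules, which is why the NameID rule is included above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# 4. Confirm what is now configured on the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

To verify, sign in to Salesforce as each test user and capture the SAML response in the browser: the portal user's assertion should carry both attributes, and the standard user's assertion must carry neither (an absent attribute, not an empty one). Because whoever can write the marker attribute can turn any account into a portal user as far as Salesforce is concerned, restrict write access to that attribute to the administrators who are supposed to decide it, which is one more reason to prefer a dedicated attribute over a re-used one.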