I would like to send objectGUID as a claim with AD FS 2.0 running on Windows Server 2012. I know I can create Issuance Transform Rules for a Relying Party Trust, but how does AD FS 2.0 know about objectGUID? Do I need to add a claim description for objectGUID under AD FS\Service\Claim Descriptions?
Best Answer
The objectGuid LDAP attribute can be sent as the value of any claim by using a "Send LDAP Attributes as Claims" rule and specifying objectGuid as the source attribute. AD FS has no specific knowledge of LDAP attributes, and if you were to extend your LDAP schema, you could use those attributes just as easily as any other. The particular claim type you must transform it to is mandated by the relying party. If you are just using it as the user's unique ID, you might send it as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier (Private Personal Identifier), but you might also send it in a claim specific to your particular RP (which is when you would need to add a claim description).
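As an added example (not part of the answer above), this is the claim rule that the "Send LDAP Attributes as Claims" template produces for objectGUID mapped to the Private Personal Identifier claim type, applied from PowerShell to a Relying Party Trust. The trust name "Example RP" is a placeholder, and the snap-in name is the AD FS 2.0 one.

```powershell
# Added example, not from the original answer. Assumes an existing Relying Party
# Trust named "Example RP" (placeholder) and the AD FS 2.0 PowerShell snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Claim rule language as generated by the "Send LDAP Attributes as Claims" template.
# The incoming windowsaccountname claim from AD AUTHORITY selects the user to query;
# the query string is ";<LDAP attribute>;{0}" where {0} is that account name.
$rule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "objectGUID as PPID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = ";objectGUID;{0}", param = c.Value);
'@

# Append to the existing issuance transform rules instead of overwriting them.
$rp = Get-AdfsRelyingPartyTrust -Name "Example RP"
$combined = ($rp.IssuanceTransformRules, $rule) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName "Example RP" -IssuanceTransformRules $combined

# AD FS issues binary attributes such as objectGUID as a Base64 string, so the
# relying party sees e.g. "e2Nr1Cl5ZkW+Q0y0fY2wAA==" rather than a GUID literal.
# Helper (hypothetical name) showing the decode an RP must perform before comparing
# the claim value with objectGUID read directly from Active Directory.
function ConvertFrom-ObjectGuidClaim {
    param([Parameter(Mandatory)][string]$ClaimValue)
    $bytes = [Convert]::FromBase64String($ClaimValue)
    if ($bytes.Length -ne 16) { throw "Claim value is not a 16-byte GUID" }
    return [guid]::new($bytes)
}
```

Verify the mapping end to end with a test token (for example via the IdP-initiated sign-on page) and compare the decoded value with Get-ADUser -Properties objectGUID for the same account.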