How to write an ADFS claims rule for a custom Active Directory attribute

I worked a case recently for a customer that wanted to pass a custom Active Directory attribute as a claim. It’s actually easy to do and does not require a custom claim rule, but the answer is less than obvious.

To create a new Issuance Transform Rule on the relying party trust. Follow these steps:

Choose Add Rule

Use the Send LDAP Attributes as Claims template

Capture1

Name the rule and choose the Active Directory attribute store.

Capture2

Next, type the custom attribute name I the Ldap Attribute dropdown exactly as it appears in ADSI Edit or your favorite ldap browser of choice. Hit enter.

Capture3

You will notice that now if you choose the dropdown, the custom attribute is saved towards the bottom for future use.

Capture4

You can now map that attribute to any of the claim types built in to ADFS  – I happen to have chosen the “Name” claim type – and select Finish.

Capture5

That’s how to create an ADFS claims rule for your Active Directory custom attribute.  Deceptively easy.  Hope this helps.

Advertisements
Tagged with: ,
Posted in ADFS