Get started for free
Visual Studio Developer Center >
AD FS 2.0 - Custom claim rule

Proposed AD FS 2.0 - Custom claim rule

  • Wednesday, August 01, 2012 2:25 PM
     
     
    Sign In to Vote
    0

    I've been tasked to configure AD FS with one of our vendors, and two of the required LDAP attributes that must be passed is "lastname" and "firstname".  I did not see lastname and firstname in the default "LDAP Attribute" list (in the AD FS 2.0 snap-in), so I'm assuming I'll have to send claims from a custom rule, correct?  I know very little about custom claims, but it's the role of Claim Descriptions and how they relate to custom claims that confuses me.  I've read Technet articles on the role of claims and creating custom claim rules, but I would prefer guidance from someone who has real-life experience with these types of claims.

    Thanks!

    jason

    • Moved by AwinishMVP Wednesday, August 01, 2012 3:22 PM (From:Directory Services)
    •  
     

All Replies

  • Wednesday, August 01, 2012 3:21 PM
     
     
    Sign In to Vote
    0

    I would move this thread to a dedicated claim based authentication (ADFS) forum for better response on the topic.

    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

     
  • Wednesday, August 01, 2012 7:28 PM
     
     Proposed
    Sign In to Vote
    0

    You didn't see them because those are not the names of the AD attributes.

    The ones you want are:

    "lastname" = "Surname"

    "firstname" = "Given name"

    If you want a claim specifically called "firstname", then use something like http://yourcompany.com/identity/claims/firstname. But that's not the standard.

    To enter that claim, see ADFS : Selecting claim that's not in the default drop down

    • Proposed As Answer by nzpcmad1 Wednesday, August 01, 2012 7:50 PM
    •  
     
  • Wednesday, August 01, 2012 7:31 PM
     
     Proposed
    Sign In to Vote
    0

    Jason;

    There's no need for a custom claims rule, you can retrieve this from the LDAP Claims Rule Template "Send LDAP Attributes as Claims".

    Given-Name = FirstName
    Surname = LastName

    Thanks,

    Unique

    UG.

    • Proposed As Answer by uglover Wednesday, August 01, 2012 7:32 PM
    •  
     
  • Wednesday, August 01, 2012 8:53 PM
     
     
    Sign In to Vote
    0

    Interesting, I didn't realize it could be done that way.  So if I wanted to pass the Surname attribute as a "LastName" claim type, I would use the following?:


    • Edited by JE1977 Wednesday, August 01, 2012 8:55 PM
    •  
     
  • Wednesday, August 01, 2012 9:57 PM
     
     
    Sign In to Vote
    0

    Exactly so.

    In the ADFS MMC, if you click the top link (the one that says "AD FS 2.0"), you'll see "Edit Published Claims" on the right.

    You can add your "LastName" claim there and it will then be available in the drop-down.

     
  • Thursday, August 02, 2012 3:27 PM
     
     
    Sign In to Vote
    0

    Sounds good, thanks!

    With that said, is there any rhyme or reason to the naming convention for the Claim Descriptions?

    Basically what I'm asking, is there any difference between:

    http://contoso.com/identity/claims/LastName   or   http://contoso.com/LastName

     
  • Thursday, August 02, 2012 6:51 PM
     
     
    Sign In to Vote
    0

    No - the claim is just a string so can be anything you like.

    But it's a good idea to stick to the "standard" so that they look like claims and not some random URI.