ADLS and Custom Claim Rule

Question

Hi,

I am working on a solution where I want to query AD LDS using the email address and send the Employee ID as a claim.

My requirement is to use the Email address attribute value from the user's AD account as the query value in AD LDS. By default it uses the Windows account name; I verified this while checking Event Viewer and using "Send LDAP attribute as a claim".

So in short, the AD account and the AD LDS account have the same Email attribute value. AD LDS does not have a samAccountName attribute. I tried the claim rule below, but it doesn't create or generate a claim. I used Fiddler and can see that the SAML response is getting created, but the Subject part does not have a NameID.

1>

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Issuer == "AD AUTHORITY"]
    => issue(store = "LDS", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/employeeID"), query = "mail={0};employeeID", param = c.Value);

NOTE: If I use "Send LDAP attribute as claim" this works, since there I am using Active Directory as the store and it uses the Windows account name, i.e. samAccountName, as the query value.

Any inputs will be highly appreciated.

Regards,

Avis

Thursday, May 12, 2016 9:20 AM
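As an added illustration of how the pieces described in the post fit together (this is editor-supplied example code, not the poster's rule and not Microsoft's), the PowerShell below registers an AD LDS instance as an ADFS LDAP attribute store and sets three issuance transform rules on a relying party: the first pulls mail from Active Directory, the second queries AD LDS by mail for employeeID, and the third copies employeeID onto the nameidentifier claim type, which is what ADFS places in the SAML Subject NameID. The host name, base DN, relying-party name and the `Connection` configuration key of the LDAP store are assumptions to check against the ADFS documentation for the version in use.

```powershell
# Added example (not from the original post): AD LDS as an ADFS LDAP attribute store,
# plus the issuance transform rules that turn mail -> employeeID -> NameID.
# ASSUMPTIONS: host name, base DN, relying-party name and the 'Connection' key are
# placeholders; an LDAP attribute store binds with the ADFS service account identity.

Import-Module ADFS

$storeName     = 'LDS'
$ldsConnection = 'LDAP://lds.example.test:389/OU=Users,DC=example,DC=test'  # placeholder
$rpName        = 'Example Relying Party'                                    # placeholder

# 1. Register AD LDS as a generic LDAP attribute store, unless it is already present.
if (-not (Get-AdfsAttributeStore -Name $storeName -ErrorAction SilentlyContinue)) {
    Add-AdfsAttributeStore -Name $storeName -StoreType 'LDAP' -Configuration @{
        'Connection' = $ldsConnection
    }
}

# 2. Claim rule language for the relying party. The LDAP store query is
#    "<LDAP filter>;<attributes>" and {0} is replaced by the param value.
$rules = @'
@RuleName = "mail from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "employeeID from AD LDS by mail"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(store = "LDS", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/employeeID"), query = "mail={0};employeeID", param = c.Value);

@RuleName = "NameID from employeeID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/employeeID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# 3. Apply the rule set to the relying party trust and read it back for review.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object -ExpandProperty IssuanceTransformRules
```

The second rule deliberately matches on claim type only: a claim produced by an earlier rule in the same pipeline is the input the LDAP lookup needs, and an extra Issuer condition that does not match will silently give an empty result rather than an error. A quick check after applying the rules is to look at the ADFS Admin event log for the store query and, as in the post, confirm in the SAML response that the Subject now carries a NameID.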
