
Tagged Content List
  • Wiki Page: AD FS 2.0: Asserting the NameID Claim Type with Additional Properties

    Overview: The SAML NameID claim type is a special claim type used to identify the principal of the session. It can be asserted with only its value, or you can choose to assert additional NameID properties along with it. Below, you will find a Claim Rule Language sample, which...
  • Wiki Page: Understanding Claim Rule Language in AD FS 2.0 & Higher

    Table of Contents: Introduction; Understanding Claim Sets; General Syntax of the Claim Rule Language; Condition Statements; Issuance Statements; Multiple Conditions; Combining Values; Aggregate Functions; Using Regular Expressions; Querying Attribute Stores; SQL Attribute Stores; LDAP Attribute Stores; Links to Additional...
  • Wiki Page: AD FS 2.0: Selectively send group membership(s) as a claim

    You can send group membership as claims by using the built-in templates. Create a new rule and choose “Send LDAP Attributes as Claims”. Choose Active Directory as the Attribute Store, choose the LDAP Attribute “Token-Groups – Unqualified Names”, and set the claim type to “Group”. This will send...
  • Wiki Page: AD FS 2.0: How to Migrate Claim Rules Between Trusts

    Overview This article demonstrates how to migrate claim rules from one trust in AD FS 2.0 to another trust in AD FS 2.0. This may be useful when you are creating multiple trust relationships which will utilize similar claim rules, or when you are migrating configuration data between test, staging...
  • Wiki Page: AD FS 2.0: Domain Local Groups in a claim

    Introduction: The basic method for adding group memberships into claims is to use “Send LDAP Attributes as Claims” and pick one of the tokenGroups options. This method works for global and universal groups, but will leave out any domain local groups. The primary reason for this is that there is no intuitive...
  • Wiki Page: AD FS 2.0: Claims to work with shadow accounts

    Introduction: When using AD FS 2.0, it may be beneficial to use shadow accounts in some situations. One reason may be that the service accesses back-end resources that require a Windows token. The Claim to Windows Token Service (c2WTS). This article is intended to focus on the AD FS 2.0 perspective...
  • Wiki Page: AD FS 2.0: Claims Are Missing From The Output Claim Set After A User's Name Has Changed

    Symptoms: A user has previously authenticated via AD FS 2.0. The user's name has changed, such as the samAccountName or UPN. After the name change, the user does not receive the expected output set of claims from AD FS 2.0. Cause: The Local Security Authority...