Adding Active Directory claims for Open ID to ADFS

Wait a minute, a blog about ADFS? But you only write about Office 365 and Azure?

When you can’t find the answer in a article or blog then you owe it to the world.

ADFS supports the use of Open ID Connect which is used by a lot of Web Apps because almost every authentication provider supports Open ID.

When Open ID is used it sends an ID access token to the authentication endpoint of the provider containing the username of the requester. The response will then only contain the user’s ID, the issuer ID, the openid claim and groups claim.

To allow OpenID to request more claims from AD you will need to adjust the following settings:

Allow the OpenID application or Web API to make use of allatclaims

Allow the allatclaims scope

This will extend the permissions of the application or API to allow extra claims in the identity token.

Then you need to tell the Active Directory claims provider to allow (as an example) E-mail address claims to be passed through to AD

Edit the claim rules for the AD claims provider
Let it pass through the Email Address claims

The last thing you need to do is add a transform rule with the type “Send LDAP attributes as claims”

Give the claim rule a name to identify it later and select the Attribute Store Active Directory.

Then, you need to select the LDAP Attribute E-Mail-Addresses (as an example)

This makes up all the necessary changes you need to make in ADFS in order to allow claims based on Active Directory.

Of course you can add extra claim types and passthroughs other than E-mail addresses.

This ends the blog post, please leave a comment if you have any further questions!

Dit vind je misschien ook leuk...

Geef een reactie

%d bloggers liken dit: