CitizenRon

Reputation: 895

Configure ADFS Relying Party SAML response to include "NameFormat" in Attributes

I have an older ADFS system running on Server 2012 R2. We're trying to configure an IdP-initiated relying party trust based on the Service Provider's specifications so that the outgoing SAML response looks like this:

    <Attribute Name="Company" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeValue>ABCD1234</AttributeValue>
    </Attribute>
    <Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeValue>Basic</AttributeValue>
    </Attribute>
    <Attribute Name="UserName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeValue>[email protected]</AttributeValue>
    </Attribute>
    </AttributeStatement>

However, after configuring a Relying Party Trust and associated Claim Rules in ADFS, our outgoing SAML response is missing the "NameFormat" part and looks like this:

    <Attribute Name="Company">
        <AttributeValue>ABCD1234</AttributeValue>
    </Attribute>
    <Attribute Name="Group">
        <AttributeValue>Basic</AttributeValue>
    </Attribute>
    <Attribute Name="UserName">
        <AttributeValue>[email protected]</AttributeValue>
    </Attribute>
    </AttributeStatement>

The three Claim Rules that make the response are:

    => issue(Type = "Company", Value = "ABCD1234");

    => issue(Type = "Group", Value = "Basic");

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("UserName"), query = ";mail;{0}", param = c.Value);

How can I configure things to include the "NameFormat" part in the outgoing attributes? The SP states that it's mandatory to include them.

Upvotes: 0

Views: 746

Answers (1)

rbrayb

Reputation: 46720

You might be able to do this with "Properties".

e.g.

    c:[Type == "http://mycompany/internal/sessionid"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://xxx/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sp_test");

More here and here.

Upvotes: 1
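Whichever claim-rule change is tried, the useful check is on the response ADFS actually sends, not on the rule text. The following is an added example, written for this page and not code from the question, the answer or ADFS itself: it decodes a captured SAMLResponse form field and reports every Attribute whose NameFormat is missing or differs from the value the SP mandates. It assumes the SP requirement stated in the question (attrname-format:basic on every attribute); the two sample responses, the envelope built by the hypothetical helper _response() and the placeholder address user@example.com are constructed to mirror the fragments in the question.

```python
"""Does every <Attribute> in a SAML 2.0 response carry the NameFormat the SP mandates?

Added example, not part of the original question or answer. Assumes the SP's
rule from the question: NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
on every attribute. The sample responses are constructed from the question's
fragments, with a placeholder e-mail address.
"""
import base64
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
REQUIRED_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def _response(attribute_statement: str) -> str:
    """Wrap an AttributeStatement body in a minimal Response/Assertion envelope.
    Constructed helper: a real ADFS response also carries Issuer, Subject,
    Conditions and a Signature, none of which this check looks at."""
    return (
        f'<samlp:Response xmlns:samlp="{SAML2_PROTOCOL_NS}" ID="_r1" Version="2.0">'
        f'<Assertion xmlns="{SAML2_ASSERTION_NS}" ID="_a1" Version="2.0">'
        f"<AttributeStatement>{attribute_statement}</AttributeStatement>"
        "</Assertion></samlp:Response>"
    )


# Constructed: what the SP asked for, NameFormat present on every attribute.
EXPECTED_RESPONSE = _response(
    '<Attribute Name="Company" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
    "<AttributeValue>ABCD1234</AttributeValue></Attribute>"
    '<Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
    "<AttributeValue>Basic</AttributeValue></Attribute>"
    '<Attribute Name="UserName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
    "<AttributeValue>user@example.com</AttributeValue></Attribute>"
)

# Constructed: what the question's claim rules produced, no NameFormat at all.
ACTUAL_RESPONSE = _response(
    '<Attribute Name="Company"><AttributeValue>ABCD1234</AttributeValue></Attribute>'
    '<Attribute Name="Group"><AttributeValue>Basic</AttributeValue></Attribute>'
    '<Attribute Name="UserName"><AttributeValue>user@example.com</AttributeValue></Attribute>'
)


def decode_saml_response(form_value: str) -> str:
    """Turn the base64 SAMLResponse field of the HTTP-POST binding into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def check_attribute_name_formats(response_xml: str, required: str = REQUIRED_NAME_FORMAT) -> list:
    """Return one problem string per non-compliant attribute; an empty list means
    every attribute in the assertion carries the required NameFormat.

    Structural check only: the XML signature is not verified, so run it on
    responses captured from your own test sessions. For input you do not
    control, swap the stdlib parser for defusedxml.
    """
    root = ET.fromstring(response_xml)
    attributes = list(root.iter(f"{{{SAML2_ASSERTION_NS}}}Attribute"))
    if not attributes:
        return ["no saml:Attribute elements found in the response"]
    problems = []
    for attr in attributes:
        name = attr.get("Name", "<unnamed>")
        fmt = attr.get("NameFormat")
        if fmt is None:
            problems.append(f"{name}: NameFormat attribute is missing")
        elif fmt != required:
            problems.append(f"{name}: NameFormat is {fmt!r}, expected {required!r}")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("expected", EXPECTED_RESPONSE), ("actual", ACTUAL_RESPONSE)):
        # Round-trip through base64 the way the browser posts it to the SP.
        posted = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
        problems = check_attribute_name_formats(decode_saml_response(posted))
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

To use it against the real system, capture the SAMLResponse form value from an IdP-initiated test login (browser developer tools or a SAML tracer extension), pass it through decode_saml_response() and then check_attribute_name_formats(); the "actual" sample reproduces the three "NameFormat attribute is missing" findings the question describes, and a response with the wrong format string (for example attrname-format:unspecified) is reported per attribute rather than silently accepted.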
