After you have created the claims provider trust on your ADFS server for the third-party ADFS server, you must configure which claims the third-party ADFS server forwards to your ADFS server.
Before you begin
The AD FS Management window must be open on your ADFS server, and the claims provider trust must be created for the third-party ADFS server.
What you should know
This task is part of the deployment process for claims-based authentication using ADFS, based on a sample scenario.
To configure the claim rules for the third-party claims provider:
- In the AD FS window, click , select the claims provider that corresponds to the third-party ADFS, and click Edit Claim Rules in the Actions pane.
  The Edit Claims Rules window opens.
- If no claim rule exists for UPN, add one.
  - Click Add Rule.
  - In the Claim rule template drop-down list, select Pass Through or Filter an Incoming Claim, and click Next.
  - Configure the rule and click Finish.
    Claim rule name: Enter a name that helps you remember the rule.
    Incoming claim type: Select UPN.
    Pass through only claim values that match a specific email suffix value: Select this option, and enter an email suffix value. For example: CompanyXYZ.com.
    BEST PRACTICE: It is recommended to filter the claims coming from a third-party claims provider as a security precaution, so that the third-party claims provider cannot send unexpected values. This prevents, for example, Company XYZ from pretending that its users are from your company and gaining elevated privileges. The Pass through all claim values option should be avoided when dealing with third-party claims providers.
- If no claim rule exists for Group, add one.
  - Click Add Rule.
  - In the Claim rule template drop-down list, select Pass Through or Filter an Incoming Claim, and click Next.
  - Configure the rule and click Finish.
    Claim rule name: Enter a name that helps you remember the rule.
    Incoming claim type: Select Group.
    Pass through only claim values that start with a specific value: Select this option, and enter a start value. For example: CompanyXYZ\ or CompanyXYZ.com\.
    Ask your IT department to find out which form should be used.
- Click Apply.
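The same two filtered rules, expressed in AD FS claim rule language and applied with the AD FS PowerShell module, as an added example that is not part of the original procedure; it assumes the claims provider trust is named "Third-Party ADFS" (a placeholder) and that the UPN suffix is CompanyXYZ.com and the group prefix CompanyXYZ\ as in the steps above.

```powershell
# Added example (not from the original procedure). Run on the ADFS server
# in an elevated PowerShell session with the ADFS module available.
# "Third-Party ADFS" is a placeholder for the display name of your trust.
$trustName = "Third-Party ADFS"

# Weak setting the page warns against: pass through every UPN unchanged.
# Kept only for comparison; it is NOT applied below.
$passThroughAll = @'
@RuleName = "Pass through all UPN values (avoid)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# Filtered rules equivalent to the wizard settings in the procedure:
#  - UPN  : only values ending with the @CompanyXYZ.com email suffix
#  - Group: only values starting with the CompanyXYZ\ prefix
# Regex strings follow claim rule language conventions: \. is a literal dot,
# \\ is a literal backslash, and (?i) makes the match case-insensitive
# because domain names are case-insensitive.
$filteredRules = @'
@RuleName = "Pass through UPN from CompanyXYZ.com only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "(?i)^.+@CompanyXYZ\.com$"]
 => issue(claim = c);

@RuleName = "Pass through Group claims prefixed with CompanyXYZ\ only"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)^CompanyXYZ\\"]
 => issue(claim = c);
'@

# Apply the filtered rule set to the claims provider trust.
Set-AdfsClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules $filteredRules

# Verify: show the rules now in effect and warn if any rule still passes a
# claim type through without a Value filter.
$current = (Get-AdfsClaimsProviderTrust -Name $trustName).AcceptanceTransformRules
$current
if ($current -match '\[Type == "[^"]+"\]\s*=>\s*issue\(claim = c\)') {
    Write-Warning "An unfiltered pass-through rule is still present on '$trustName'"
}
```

Set-AdfsClaimsProviderTrust -AcceptanceTransformRules replaces the trust's complete rule set, so include every rule the trust needs in $filteredRules rather than only the two shown.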