Configuring claim rules for a third-party claims provider

After you have created the claims provider trust on your ADFS server for the third-party ADFS server, you must configure which claims the third-party server may forward to your ADFS server.

Before you begin

The AD FS Management window must be open on your ADFS server, and the claims provider trust must be created for the third-party ADFS server.

What you should know

This task is part of the deployment process for claims-based authentication using ADFS based on a sample scenario.

To configure the claim rules for the third-party claims provider:

  1. In the AD FS window, click Trust Relationships > Claims Provider Trusts, select the claims provider that corresponds to the third-party ADFS, and click Edit Claim Rules in the Actions pane.
    The Edit Claim Rules window opens.
  2. If no claim rule exists for UPN, add one.
    1. Click Add Rule.
    2. In the Claim rule template drop-down list, select Pass Through or Filter an Incoming Claim, and click Next.
    3. Configure the rule and click Finish.
      • Claim rule name:
        Enter a name that helps you remember the rule.
      • Incoming claim type:
        Select UPN.
      • Pass through only claim values that match a specific email suffix value:
        Select this option, and enter an email suffix value. For example: CompanyXYZ.com.
        BEST PRACTICE: Filter the claims coming from a third-party claims provider as a security precaution, so that the third-party claims provider cannot send unexpected values. This prevents, for example, Company XYZ from presenting its users as members of your company and gaining elevated privileges. Avoid the Pass through all claim values option when dealing with third-party claims providers.
  3. If no claim rule exists for Group, add one.
    1. Click Add Rule.
    2. In the Claim rule template drop-down list, select Pass Through or Filter an Incoming Claim, and click Next.
    3. Configure the rule and click Finish.
      • Claim rule name:
        Enter a name that helps you remember the rule.
      • Incoming claim type:
        Select Group.
      • Pass through only claim values that start with a specific value:
        Select this option, and enter a start value. For example: CompanyXYZ\ or CompanyXYZ.com\. Ask your IT department which form should be used.
  4. Click Apply.
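The same two filter rules can be created with the AD FS PowerShell module instead of the wizard. The example below is an added illustration, not part of the original procedure or the product's documentation; it assumes the claims provider trust is named "CompanyXYZ ADFS", that the accepted email suffix is CompanyXYZ.com and that group values start with "CompanyXYZ\". The rule text is written in claim rule language and approximates what the Pass Through or Filter an Incoming Claim template generates; the exact regular expression escaping (in particular the backslash in the group prefix) is an assumption, so compare it with the rule shown by View Rule Language in the wizard before relying on it. Like the procedure, it only adds a UPN or Group rule when none exists yet, and it ends with an audit that flags any third-party trust that still passes UPN or Group claims through without a value filter.

```powershell
# Added example (not from the original page): configure the UPN and Group filter
# rules for a third-party claims provider trust with PowerShell, then audit all
# third-party trusts for unfiltered pass-through rules.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$trustName   = 'CompanyXYZ ADFS'   # assumed display name of the claims provider trust
$emailSuffix = 'CompanyXYZ\.com'   # regex-escaped email suffix accepted in UPN values
$groupPrefix = 'CompanyXYZ\\'      # regex-escaped prefix "CompanyXYZ\" accepted in Group values (assumed escaping)

$upnType   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$groupType = 'http://schemas.xmlsoap.org/claims/Group'

# Acceptance transform rules run on claims received FROM the claims provider.
# Each rule re-issues the incoming claim only when its value matches the filter;
# anything else is dropped, which is the filtering the BEST PRACTICE note asks for.
# (?i) makes the match case-insensitive, as domain names are.
$upnRule = @"
@RuleName = "Pass through UPN only for CompanyXYZ.com"
c:[Type == "$upnType", Value =~ "(?i)^.+@${emailSuffix}`$"]
 => issue(claim = c);

"@

$groupRule = @"
@RuleName = "Pass through Group only with prefix CompanyXYZ\"
c:[Type == "$groupType", Value =~ "(?i)^${groupPrefix}"]
 => issue(claim = c);

"@

# Mirror the procedure: add a rule only if none exists for that claim type.
$trust    = Get-AdfsClaimsProviderTrust -Name $trustName
$existing = [string]$trust.AcceptanceTransformRules
$toAdd    = ''

if ($existing -notmatch [regex]::Escape($upnType))   { $toAdd += $upnRule }
if ($existing -notmatch [regex]::Escape($groupType)) { $toAdd += $groupRule }

if ($toAdd) {
    # -AcceptanceTransformRules replaces the whole rule set, so append to the existing text.
    Set-AdfsClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules ($existing + "`n" + $toAdd)
    Write-Host "Added rules to '$trustName'."
} else {
    Write-Host "UPN and Group rules already present on '$trustName'; nothing changed."
}

# Show the resulting rule set for verification.
(Get-AdfsClaimsProviderTrust -Name $trustName).AcceptanceTransformRules

# Audit: list every third-party trust (everything except the built-in Active Directory
# provider) that re-issues a UPN or Group claim with no Value condition at all.
function Find-UnfilteredPassThroughRules {
    Get-AdfsClaimsProviderTrust |
        Where-Object { $_.Name -ne 'Active Directory' } |
        ForEach-Object {
            $name  = $_.Name
            $rules = [string]$_.AcceptanceTransformRules
            # Split on the rule terminator and inspect each rule body separately.
            foreach ($rule in ($rules -split ';')) {
                $passesSensitiveType = $rule -match 'identity/claims/upn"|claims/Group"'
                $hasValueFilter      = $rule -match 'Value\s*(==|=~)'
                $isPassThrough       = $rule -match 'issue\(claim\s*=\s*c\)'
                if ($passesSensitiveType -and $isPassThrough -and -not $hasValueFilter) {
                    [pscustomobject]@{ Trust = $name; UnfilteredRule = $rule.Trim() }
                }
            }
        }
}

Find-UnfilteredPassThroughRules | Format-Table -AutoSize
```

Run the audit function on its own periodically: an empty result means every third-party claims provider trust filters the UPN and Group claims it is allowed to send, while any row it returns points to a trust that still accepts arbitrary values and should be fixed with the procedure above.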