I have configured a Claims Provider Trust in ADFS and I am getting only Email in NameID. I cannot make changes to the third-party Claims Provider Trust, so I have to get WindowsAccountName using the Email Address, which I received in NameID from the third-party IdP, and forward it to Outlook Web Access (on-premise).
I've found that when I use the following Claim Rule, sign-in works, but only if the user's UPN and email address match. If there are differences between them (e.g. sAMAccountName=jdoe; [email protected]; Email=Jonathan.Doe@contoso.com), the value forwarded to Exchange causes an error to be thrown.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "(?<user>[^\@]+)\@(.+)", "contoso\${user}"), ValueType = c.ValueType);
How can I look up a user via their email address, and return their WindowsAccountName in domain\username format?
If anyone runs into this issue: you need two rules.

Rule #1: sAMAccountName to temp
This tells ADFS to look in Active Directory and return any accounts where the UPN or email address matches. Then the rule stores the value in a temporary variable, which we'll use in the next rule.

NB. The contoso\adfs_service_account is important. ADFS needs this to auto-discover a Domain Controller. Use ANY AD account, just so long as it is a real account.

Rule #2: temp to WindowsAccountName
The above rule only returns the sAMAccountName, not the domain. In my case I only had one domain. As such, I hardcoded it below.