Home / server / Questions / 768485
In Process
Amethi
Asked: 2016-04-07 01:17:33 +0800 CST

How to get Subject from client certificate issued as a claim in ADFS?

  • 772

I'm using Certificate Based Authentication in ADFS 3.0 and need to get the Subject field from the client certificate issued as a claim, but it's not available as an incoming claim to ADFS.

When I enable auditing I can see that it's present in the caller identity as the following claim type: http://schemas.microsoft.com/2012/12/certificatecontext/field/subject

But it doesn't get issued in the Issued identity, and thus is not available as an incoming claim to use in the Claims Rules.

Has anyone done this before? Can you tweak the incoming claims from client certificates?

adfs

1 Answers

  1. I solved this by tweaking the [AdfsConfiguration].[IdentityServerPolicy].[Policies] table in the ADFS configuration database. There's a record that covers the inbound claims. On my database it's ID '88EDF726-83FA-E511-80C5-000D3AB14473' though I don't know if they're constant values or vary by deployment. You can tell which one it is as it's quite long and has the cert eku claim in.

    I modified it to include the following rule:

    @RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through certificate Subject claim"
c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
 => issue(claim = c);
    • 1