Friday, February 22, 2013

ADFS : Getting the domain name as a claim

 

There are a number of ways of doing this.

You can get the domain name via ADFS : Sending groups as claims.

Also there was a thread on the forum that I contributed to viz. Custom Claim Rules - How to write domain name into outgoing claim?.

As I said, you could map msDS-PrincipalName to http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname and then use some regex to split out the domain name.

But further down:

“You don't need to use any mapping/edit LDAP rules and stuff. The windowsaccountname claim is there by default after installing adfs.

Just check it for yourself:

-Open the ADFS 2 console

-Open Trust Relationships

-Open Claims Provider Trusts

-Right mouse click on the AD trust and click "Edit claim rules"

-Note the first rule: Pass through all Windows account name claims.

You can just use the "Pass through or filter an incoming claim option" in the relying party claims configuration and select the windows account name or use a custom transform rule to transform it to the desired outgoing claim.”

Very neat!

Enjoy!

Tuesday, February 05, 2013

ADFS : New RP / SP metadata for expired certificate

 

Common pattern – you set up a link with a WS-Fed RP or a SAML SP and for whatever reason they use a certificate and it’s expired.

That site has a load of claims rules and it’s a real pain to delete the site, re-import the metadata, type in all the claims rules again etc.

But wait – help is at hand.

Instead of sending you all the metadata, just ask them to send you the certificate as a .cer text file. That’s the format that look like:

-----BEGIN CERTIFICATE-----

<snip>

-----END CERTIFICATE-----

In ADFS, double-click on the RP in the “Relying Party Trust”.

Then click on the Signature tab.

Then click on the “Add” key, browse to the .cer file, select it etc. and viola – you have updated the certificate without having to do the whole nine yards.

Enjoy!