Editing Claims Rule

Pre-requisites: Add a Relying Party Trust.

  1. Select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes. Close the wizard. The Edit Claim Rules dialog appears.
  2. In the Issuance Transform Rules tab, click Add Rule. The Select Rule Template screen appears displaying Choose Rule Type information.
  3. Select Send LDAP Attributes as Claims as the Claim rule template. Click Next. The Configure Rule screen appears.
  4. Type the Claim rule name and select Active Directory as the Attribute store. In the Mapping of the LDAP attributes to outgoing claim types field, select the following:

    LDAP Attribute (Select or type to add more)    Outgoing Claim Type (Select or type to add more)
    User-Principal-Name                            UPN
    Surname                                        Surname

  5. Click Finish. The Edit Claims screen appears; click OK.
  6. Open the Relying Party Trusts directory. Right-click the newly added relying party trust and select Properties. The ADFS configuration dialog appears.
  7. In the Signature tab, click Add.
  8. Add the certificate generated from the keystore file that is configured on the Platform server for authentication.
  9. Click the Advanced tab, change the Secure hash algorithm to SHA-1, and click OK.
Platform is configured on AD FS for SAML/AD FS authentication. The AD FS configuration in Platform looks like this:

Name: <Any name>
Issuer (IDP/AD FS Entity ID): <Entity ID>, found in metadata.xml.
Identity Provider/AD FS Metadata: Typically, the metadata is found at the following URL:
    https://<Domain Name of the AD FS Server>/FederationMetadata/2007-06/FederationMetadata.xml
Service Provider/Relying Party Entity ID: https://<Domain Name of Platform>
Attribute Map: The loginName must be mapped to an AD server attribute, for example loginName=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    In addition to loginName, at least one other attribute must be mapped to an AD server attribute, for example lastName=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Identity Provider Logout URL: This can be <any URL> where your logout logic flushes the user session.
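As an added example that is not part of the original page or the Platform product, the following Python script pulls the Issuer entity ID and the logout URL out of a constructed FederationMetadata.xml and checks an Attribute Map against the claim types AD FS advertises; the host names, the metadata content and the function names are assumptions made for this example.

```python
# Added example (not from the page or the Platform vendor): read the values the
# Platform AD FS form needs from FederationMetadata.xml and validate the map.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706"}

# Constructed, minimal metadata (a real file is larger and carries a signature).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
  entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor><fed:ClaimTypesOffered>
    <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"/>
    <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
  </fed:ClaimTypesOffered></RoleDescriptor>
  <IDPSSODescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_metadata(xml_text):
    """Return Issuer (entityID), IdP logout URL and the offered claim types."""
    root = ET.fromstring(xml_text)
    slo = root.find(".//md:IDPSSODescriptor/md:SingleLogoutService", NS)
    return {"entity_id": root.get("entityID"),
            "logout_url": slo.get("Location") if slo is not None else None,
            "claims_offered": [c.get("Uri") for c in
                               root.iterfind(".//fed:ClaimTypesOffered/auth:ClaimType", NS)]}

def parse_attribute_map(text):
    """Parse 'name=claimUri' lines as entered in the Platform Attribute Map field."""
    return dict(line.strip().split("=", 1) for line in text.splitlines() if "=" in line)

def check_attribute_map(attr_map, claims_offered):
    """Apply the page's rules: loginName must be mapped, at least one other
    attribute must be mapped, and each claim URI must be one AD FS offers
    (this catches typos such as .../identify/claims/upn)."""
    problems = []
    if "loginName" not in attr_map:
        problems.append("loginName is not mapped")
    if len(attr_map) < 2:
        problems.append("at least one attribute besides loginName must be mapped")
    for name, uri in attr_map.items():
        if uri not in claims_offered:
            problems.append(f"{name}={uri} is not a claim type offered by AD FS")
    return problems
```

Run it against the real metadata URL's content instead of SAMPLE_METADATA to confirm the Attribute Map before saving the Platform configuration.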