Claim rules specify which claims must be forwarded to your ADFS server for use by local applications.
Before you begin
A claims provider trust for the third-party ADFS server has been added to your ADFS server.
NOTE: Adding a claims provider trust is outside the scope of this document. For more information on working with ADFS, refer to the documentation for your version of the product software.
What you should know
This task is part of the deployment process for third-party authentication using ADFS based on a sample scenario. The instructions and screen captures are based on Windows Server 2016. If you are using a different version, your procedure might be different.
NOTE: Security Center requires specific attributes as claims: Group and UPN (User Principal Name).
Procedure
- In the AD FS window, click , select the claims provider that corresponds to the third-party ADFS, and click Edit Claim Rules in the Actions pane.
  The Edit Claims Rules window opens.
- If no claim rule exists for UPN, add one.
  - Click Add Rule.
  - In the Claim rule template drop-down list, select Pass Through or Filter an Incoming Claim, and click Next.
  - Configure the rule and click Finish.
    - Claim rule name: Enter a name that helps you remember the rule.
    - Incoming claim type: Select UPN.
    - Pass through only claim values that match a specific email suffix value: Select this option, and enter an email suffix value. For example: CompanyXYZ.com.
  Best Practice: It is recommended to filter the claims coming from a third-party claims provider as a security precaution, so that the third-party claims provider cannot send unexpected values. This prevents, for example, Company XYZ from pretending that its users are from your company and obtaining elevated privileges. Pass through all claim values should be avoided when dealing with third-party claims providers.
-
- If no claim rule exists for Group, add one.
  - Click Add Rule.
  - In the Claim rule template drop-down list, select Pass Through or Filter an Incoming Claim, and click Next.
  - Configure the rule and click Finish.
    - Claim rule name: Enter a name that helps you remember the rule.
    - Incoming claim type: Select Group.
    - Pass through only claim values that start with a specific value: Select this option, and enter a start value. For example: CompanyXYZ\ or CompanyXYZ.com\. Ask your IT department which form should be used.
- Click Apply.
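An added example, not part of this document: the same two filter rules applied to the third-party claims provider trust with the ADFS PowerShell module instead of the wizard, followed by an audit of every claims provider trust for acceptance rules that pass a claim through with no Value filter (the "Pass through all claim values" option the Best Practice warns against). The trust name and the CompanyXYZ values are placeholders, and the claim rule text, including its backslash escaping, is an assumption to compare against what the wizard shows under View Rule Language.

```powershell
# Added example (not from the original document). Requires the ADFS module on
# the federation server and an account permitted to change claims provider trusts.
Import-Module ADFS

# Placeholder: display name of the third-party claims provider trust.
$trustName = "Company XYZ"

# Filter, do not pass through everything: only UPNs ending in @CompanyXYZ.com and
# only Groups prefixed with CompanyXYZ\ are accepted from this provider.
# Assumption: regex escaping as in wizard output (\. literal dot, \\ literal backslash).
$acceptanceRules = @'
@RuleName = "Pass through UPN for CompanyXYZ.com only"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN", Value =~ "^.+@CompanyXYZ\.com$"]
 => issue(claim = c);

@RuleName = "Pass through Group with CompanyXYZ\ prefix only"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^CompanyXYZ\\.*$"]
 => issue(claim = c);
'@

Set-AdfsClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules $acceptanceRules

# Audit: a rule whose condition names only a Type and no Value forwards whatever the
# provider sends. Flag such rules on every trust except the local Active Directory one.
$unfilteredPattern = '(?m)^c:\[Type == "[^"]+"\]\s*=>\s*issue\(claim = c\);'

Get-AdfsClaimsProviderTrust | ForEach-Object {
    if ($_.Name -ne "Active Directory" -and $_.AcceptanceTransformRules -match $unfilteredPattern) {
        Write-Warning "Trust '$($_.Name)' passes claims through without filtering; review its rules."
    }
}

# Show the rules now in force for the third-party trust so they can be checked.
Get-AdfsClaimsProviderTrust -Name $trustName | Select-Object -ExpandProperty AcceptanceTransformRules
```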