Configuring claim rules for a third-party claims provider - Security Center 5.10

Security Center Administrator Guide 5.10

Product
Security Center
Content type
Guides > Administrator guides
Version
5.10
Language
English
Last updated
2023-06-12

Claim rules specify which claims must be forwarded to your ADFS server for use by local applications.

Before you begin

A claims provider trust for the third-party ADFS server has been added to your ADFS server.
NOTE: Adding a claims provider trust is outside the scope of this document. For more information on working with ADFS, refer to the documentation for your version of the product software.

What you should know

This task is part of the deployment process for third-party authentication using ADFS based on a sample scenario. The instructions and screen captures are based on Windows Server 2016. If you are using a different version, your procedure might be different.
NOTE: Security Center requires specific attributes as claims: Group and UPN (User Principal Name).

Procedure

  1. In the AD FS window, click Trust Relationships > Claims Provider Trusts, select the claims provider that corresponds to the third-party ADFS, and click Edit Claim Rules in the Actions pane.
    The Edit Claims Rules window opens.
  2. If no claim rule exists for UPN, add one.
    1. Click Add Rule.
    2. In the Claim rule template drop-down list, select Pass Through or Filter an Incoming Claim, and click Next.
    3. Configure the rule and click Finish.
      Claim rule name
      Enter a name that helps you remember the rule.
      Incoming claim type
      Select UPN.
      Pass through only claim values that match a specific email suffix value
      Select this option, and enter an email suffix value. For example: CompanyXYZ.com.
      Best Practice: It is recommended to filter the claims coming from a third-party claims provider as a security precaution, so that the third-party claims provider cannot send unexpected values. This is done, for example, to prevent Company XYZ from pretending that its users are from your company, and get elevated privileges. Pass through all claim values should be avoided when dealing with third-party claims providers.
  3. If no claim rule exists for Group, add one.
    1. Click Add Rule.
    2. In the Claim rule template drop-down list, select Pass Through or Filter an Incoming Claim, and click Next.
    3. Configure the rule and click Finish.
      Claim rule name
      Enter a name that helps you remember the rule.
      Incoming claim type
      Select Group.
      Pass through only claim values that start with a specific value
      Select this option, and enter a start value. For example: CompanyXYZ\ or CompanyXYZ.com\. Ask your IT department which form should be used.
  4. Click Apply.