How To Add Additional Claims in ADFS 2.0 that can be Consumed in SharePoint 2010

Just a quick tip here to save you a little time in case you decide you want to add additional claims for your users in ADFS 2.0 and have them successfully consumed in SharePoint 2010. The key thing to remember is that SharePoint only supports SAML 1.x, so it requires that the claim type be in a very specific format.


In ADFS 2.0 you can add additional claims very easily using the custom rules language it exposes. To do that, click on your SharePoint Relying Party in ADFS and then click on the Edit Claim Rules… link in the right action pane. When the rules editor comes up, click on Add Rule, then select Send Claims Using a Custom Rule from the drop-down. Click on the Next button to continue, and then you can enter a claim name and your custom claim rule using the ADFS rules language (https://technet.microsoft.com/en-us/library/dd807118(WS.10).aspx). Unfortunately, the very first example rule cited on that page won’t work for SharePoint because the claim type name isn’t in a format that WS-Federation supports.


Fortunately Adam Conkle has blogged about the correct formats for WS-Fed at https://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-the-admin-event-log-shows-error-111-with-system-argumentexception-id4216.aspx. The important thing for SharePoint people to understand is his description of the naming requirements for SAML 1.x:


(from his blog – thank you Adam)

SAML 1.1 tokens have strict URI rules which state that the format must be 'namespace'/'name'. These can be constructed many ways, and here are a few common examples:

  • myOrganization/myClaimType
  • urn:myOrganization:claims/myClaimType
  • https://myOrganization/claims/myClaimType


So for example, you can add a custom claim in ADFS that will go to SharePoint with a rule that looks like this:


=> issue(Type = "https://www.vbtoys.com/claims/demo", Value = "BlazersPlayoffs2010");
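The naming requirement above is easy to get wrong by hand, so here is a small added example (not part of the original post, and not ADFS's own code) that checks a claim type before you paste a rule into the editor. A SAML 1.1 attribute carries a separate AttributeNamespace and AttributeName, so the claim type has to be splittable into 'namespace/name'; the helper below assumes the split happens at the last '/' and rejects anything with no separator, an empty namespace or name, or whitespace. It also builds the same `=> issue(...)` rule shown above from a validated type and value.

```python
"""Check that an ADFS claim type can be serialized into a SAML 1.1 token for SharePoint 2010.

SAML 1.1 attribute statements carry a separate AttributeNamespace and AttributeName,
so ADFS has to split the claim type URI into 'namespace/name'. This helper mirrors that
split (assumed here to be at the last '/') and builds the matching custom issuance rule.
"""
from typing import Optional, Tuple


def split_saml11_claim_type(claim_type: str) -> Optional[Tuple[str, str]]:
    """Return (namespace, name) if claim_type is in 'namespace/name' form, else None.

    Rejects values with no '/', an empty namespace or name, or embedded whitespace,
    which are the shapes that cannot be expressed as a SAML 1.1 attribute.
    """
    if not claim_type or any(ch.isspace() for ch in claim_type):
        return None
    namespace, sep, name = claim_type.rpartition("/")
    if not sep or not namespace or not name:
        return None
    return namespace, name


def is_saml11_claim_type(claim_type: str) -> bool:
    """True when the claim type would survive SAML 1.1 serialization."""
    return split_saml11_claim_type(claim_type) is not None


def build_issue_rule(claim_type: str, value: str) -> str:
    """Build an ADFS custom rule that issues a constant-valued claim of the given type.

    Raises ValueError before the rule ever reaches ADFS if the type would fail
    SAML 1.1 serialization or the literals would break the rule syntax.
    """
    if not is_saml11_claim_type(claim_type):
        raise ValueError(f"claim type {claim_type!r} is not in 'namespace/name' form")
    if '"' in claim_type or '"' in value:
        raise ValueError("double quotes are not allowed inside rule string literals")
    return f'=> issue(Type = "{claim_type}", Value = "{value}");'


if __name__ == "__main__":
    # Constructed sample inputs: the three shapes quoted from Adam Conkle's article, the
    # post's own example, and three that cannot be expressed as namespace/name.
    samples = [
        "myOrganization/myClaimType",
        "urn:myOrganization:claims/myClaimType",
        "https://myOrganization/claims/myClaimType",
        "https://www.vbtoys.com/claims/demo",
        "Department",                      # no separator at all
        "urn:myOrganization:claims",       # URN with no '/name' part
        "https://myOrganization/claims/",  # trailing '/' leaves an empty name
    ]
    for ct in samples:
        parts = split_saml11_claim_type(ct)
        print(f"{ct!r:45} -> {'OK ' + str(parts) if parts else 'REJECT'}")
    print(build_issue_rule("https://www.vbtoys.com/claims/demo", "BlazersPlayoffs2010"))
```

Run it as a script to see which of the sample types pass; the last line prints exactly the rule from the post. Note that a bare name such as `Department` or a URN with no `/name` tail is rejected, which is the case that produces the ID4216 error Adam's article describes.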


The rules language in ADFS is actually pretty interesting; there’s a lot of functionality in there. And now you know what format your claim types need to be in when you send them on to SharePoint.

Comments

  • Anonymous
    November 30, 2011
    @Steve Does this mean that when you create a new Claims Rule using the Active Directory store and you select multiple LDAP attributes they won't be passed into SharePoint? I am trying to pass title, phone, company, dept. from Active Directory to SharePoint.

  • Anonymous
    April 16, 2014
    This issue applies to SharePoint 2010 as well but...suppose you have created a custom claims provider
