Solved

ADFS UPN to email translation

Posted on 2014-03-14
Last Modified: 2014-04-20
Hello,
We are currently in the process of setting up Single Sign On with an external party that is using our email address as the sign-in. I have configured a claims rule, which I have attached, that I believe should transform the UPN into an email address. Is this the correct way of setting this up?
ADFS-Claims-Rule.PNG
0
Question by:Damon Rodriguez
9 Comments
 
LVL 35

Expert Comment

by:Mahesh
It depends upon what type of incoming claims (Attribute) your ADFS server is accepting and what type of outgoing claim type (Attribute) the ADFS server needs to send that is acceptable to the opposite side.

Please ask the relying party for the exact configuration, because this is a totally custom configuration and they can turn it as they want.

If you are looking for SharePoint SSO, then check the post below:
http://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx

Mahesh
0
 
LVL 37

Expert Comment

by:Jamie McKillop
Hello,

Why are you using a transform rule? You should be able to just set up a new Claim Rule that maps the e-mail addresses LDAP attribute to the Name ID.

Email address to NameID Claim Rule
0
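An added example, not part of the original answer: the mapping described above written in the AD FS claim rule language and applied with the AD FS PowerShell cmdlets. The relying party trust name, the backup file name and the choice of the `emailAddress` NameID format are assumptions; use whatever format the relying party actually documents.

```powershell
# Added example. $rpName and the backup path are hypothetical placeholders.
$rpName = 'Example Relying Party'

# Rule 1 looks up the user's "mail" attribute in Active Directory.
# Rule 2 re-issues that value as the SAML NameID, so the partner sees the
# e-mail address even though users sign in to AD FS with their UPN.
$rules = @'
@RuleName = "LDAP mail to E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Save the current rules first so the change can be rolled back.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules | Set-Content -Path ".\adfs-rules-backup.txt"

# Replace the issuance transform rules and read them back to confirm.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Users whose `mail` attribute is empty receive no NameID from these rules, so populate the attribute for every account that needs to sign in.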
 

Author Comment

by:Damon Rodriguez
The company that we are setting this up with has stated that they don't help with the actual setup of ADFS on our side. They let us know what they need from. I didn't even know that they expected our email addresses instead of our AD login for 2 weeks. And I found out about it because someone from the internal test group let me know...

I created a transform rule because I was going by whatever documentation the company had presented to me and I wanted to match it up as close as possible. Their documentation was screenshots created by another company. Anyway thanks for quick responses.

jjmck, I will try to use this rule that you presented and let you know if it works.
0
 

Author Comment

by:Damon Rodriguez
Ok. Tried it but it didn't work.
0

 
LVL 35

Expert Comment

by:Mahesh
The code is written in the application that wants to federate with your Active Directory.

Hence you cannot decide what attributes need to be exchanged.

You need to ask the relying party (with whom you are going to build the federated trust) for the attributes and claims mapping.

Most relying parties have this well documented, and they can provide you with a step-by-step document upon your request.

Mahesh
0
 

Author Comment

by:Damon Rodriguez
You would think they do; however, the person I have been speaking with has been pretty...unhelpful. She basically just sent an email stating that they are set up to accept whatever we log on with and then told me that would be email. I calmly pointed out that we do not sign in with our email addresses but use UPN. I asked if they can change their settings in the back end to further test this. I was also told to call Microsoft to see how to set this up??? We are currently testing SSO with ADP and that works flawlessly. Management is not being lenient with this, so I'm pretty much stuck dealing with this company.
0
 

Accepted Solution

by:
Damon Rodriguez earned 0 total points
We found the issue. We had to refresh our certificate a couple of weeks ago and it was never applied on their end. I really thought I would receive a certificate error on our end but this is what they told me.
0
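An added example, not part of the original thread: a check to run on the AD FS side after a certificate change, so the relying party can be given the current certificate. It assumes the refreshed certificate was the token-signing certificate, which the post does not state; the output path is a placeholder.

```powershell
# Added example. Run on the primary AD FS server.

# If AutoCertificateRollover is True, AD FS replaces its own signing
# certificate on a schedule; a partner that does not poll federation
# metadata has to be sent every new certificate by hand.
Get-AdfsProperties |
    Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold

# Token-signing certificates known to the farm, with validity dates.
$signing = Get-AdfsCertificate -CertificateType Token-Signing
$signing | Select-Object IsPrimary, Thumbprint,
    @{ n = 'Subject';   e = { $_.Certificate.Subject } },
    @{ n = 'NotBefore'; e = { $_.Certificate.NotBefore } },
    @{ n = 'NotAfter';  e = { $_.Certificate.NotAfter } }

# Export only the public part of the primary certificate for the partner.
$primary = $signing | Where-Object { $_.IsPrimary }
$out = Join-Path $env:TEMP 'adfs-token-signing.cer'   # hypothetical output path
$bytes = $primary.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($out, $bytes)

"Exported $out; thumbprint the relying party should now trust: $($primary.Thumbprint)"
```

A stale certificate on the relying party side fails signature validation there, so AD FS itself logs no certificate error, which matches what the poster observed.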
 
LVL 35

Expert Comment

by:Mahesh
This is expected because ideally you don't have much from ADFS front.
0
 

Author Closing Comment

by:Damon Rodriguez
The issue was resolved by the 3rd party.
0
