Solved

ADFS UPN to email translation

Posted on 2014-03-14 | 798 Views | Last Modified: 2014-04-20
Hello,
We are currently in the process of setting up Single Sign On with an external party that is using our email address as the sign in. I have configured a claims rule, which I have attached, that I believe should transform the UPN into an email address. Is this the correct way of setting this up?
ADFS-Claims-Rule.PNG
0
Question by:Damon Rodriguez
9 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39931719
It depends upon what type of incoming claims (attributes) your ADFS server is accepting and what type of outgoing claim type (attribute) the ADFS server needs to send that is acceptable to the opposite side.

Please ask the relying party for the exact configuration, because this is a totally custom configuration and they can turn it as they want.

If you are looking for SharePoint SSO, then check the post below:
http://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx

Mahesh
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39934094
Hello,

Why are you using a transform rule? You should be able to just set up a new claim rule that maps the E-Mail-Addresses LDAP attribute to the Name ID.

Email address to NameID Claim Rule
0
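Both approaches from this thread (jjmck's single LDAP-to-NameID rule, and the transform-rule approach the question asks about) written out in ADFS claim rule language and applied with the ADFS PowerShell module. This is an added example, not configuration posted by anyone in the thread; "Partner SSO" is an assumed relying party display name.

```powershell
# Added example: issue a NameID that carries the user's mail address.
# Assumes the ADFS module (Windows Server 2012 R2) and an existing relying party trust
# whose display name is "Partner SSO" (assumed name; replace with yours).
Import-Module ADFS
$rp = "Partner SSO"

# Option A (the single rule jjmck describes): read the AD mail attribute and issue it
# directly as the NameID. Simple, but the NameID carries no format attribute.
$direct = @'
@RuleTemplate = "LdapClaims"
@RuleName = "mail attribute as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Option B (the transform approach from the question, done without rewriting the UPN):
# first issue the e-mail claim from the mail attribute, then transform that claim into a
# NameID tagged with the SAML emailAddress format. Reading the attribute is safer than a
# regex over the UPN, because a UPN suffix is not guaranteed to equal the mail domain.
$twoStep = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send mail attribute as e-mail claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail claim to NameID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Apply one rule set (here option B); this replaces the trust's current issuance rules.
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceTransformRules $twoStep

# Read back what is configured; this is the text to compare against the partner's requirements.
(Get-AdfsRelyingPartyTrust -Name $rp).IssuanceTransformRules
```

Swap `$twoStep` for `$direct` to apply option A instead; whichever you choose, the relying party decides which claim type and NameID format it will accept.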
 

Author Comment

by:Damon Rodriguez
ID: 39937479
The company that we are setting this up with has stated that they don't help with the actual setup of ADFS on our side. They let us know what they need from us. I didn't even know that they expected our email addresses instead of our AD login for 2 weeks. And I found out about it because someone from the internal test group let me know...

I created a transform rule because I was going by whatever documentation the company had presented to me, and I wanted to match it up as closely as possible. Their documentation was screenshots created by another company. Anyway, thanks for the quick responses.

jjmck, I will try to use the rule that you presented and let you know if it works.
0
 

Author Comment

by:Damon Rodriguez
ID: 39937946
Ok. Tried it but it didn't work.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39938834
The code is written in the application that wants to federate with your Active Directory.

Hence you cannot decide what attributes need to be exchanged.

You need to ask the relying party (with whom you are going to build the federated trust) for the attributes and claims mapping.

Most relying parties have this well documented and can provide you a step-by-step document upon request.

Mahesh
0
 

Author Comment

by:Damon Rodriguez
ID: 39942445
You would think they would, however the person I have been speaking with has been pretty...unhelpful. She basically just sent an email stating that they are set up to accept whatever we log on with and then told me that would be email. I calmly pointed out that we do not sign in with our email addresses but use the UPN. I asked if they can change their settings in the back end to further test this. I was also told to call Microsoft to see how to set this up??? We are currently testing SSO with ADP and that works flawlessly. Management is not being lenient with this, so I'm pretty much stuck dealing with this company.
0
 

Accepted Solution

by: Damon Rodriguez (earned 0 total points)
ID: 39953932
We found the issue. We had to refresh our certificate a couple of weeks ago and it was never applied on their end. I really thought I would receive a certificate error on our end, but this is what they told me.
0
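Since the root cause was a refreshed signing certificate that the partner never picked up, here is an added check (not from the thread) that the federation metadata your ADFS publishes actually advertises the primary token-signing certificate, which is the document the partner needs to re-import after a rollover. It assumes the ADFS module is available and that the metadata endpoint is reachable from where you run it.

```powershell
# Added example: confirm the published federation metadata carries the current
# primary token-signing certificate, so a partner re-importing it gets the new key.
Import-Module ADFS

# Federation service name as configured on this ADFS farm.
$fs = (Get-AdfsProperties).HostName
$metaUrl = "https://$fs/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content

# Every signing certificate advertised in the metadata, as a thumbprint.
# local-name() sidesteps the SAML metadata / XML-DSig namespace prefixes.
$published = $meta.SelectNodes(
    "//*[local-name()='KeyDescriptor'][@use='signing']//*[local-name()='X509Certificate']") |
    ForEach-Object {
        $raw = [Convert]::FromBase64String($_.InnerText.Trim())
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        $cert.Thumbprint
    } | Sort-Object -Unique

# The certificate ADFS is actually signing tokens with right now.
$primary = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Thumbprint

"Primary token-signing certificate : $primary"
"Advertised in federation metadata : $($published -join ', ')"

if ($published -notcontains $primary) {
    Write-Warning "Metadata does not advertise the primary token-signing certificate; partners cannot pick up the new key from it."
} else {
    "OK: partners that re-import $metaUrl will trust the current signing key."
}
```

If the thumbprints match on your side, the remaining step is on the partner's side: they must re-import the metadata (or the certificate) into their trust, which is exactly what had not happened here.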
 
LVL 37

Expert Comment

by:Mahesh
ID: 40001892
This is expected, because ideally you don't have much on the ADFS front.
0
 

Author Closing Comment

by:Damon Rodriguez
ID: 40011148
The issue was resolved by the 3rd party.
0
