Solved

ADFS UPN to email translation

Posted on 2014-03-14
9
831 Views
Last Modified: 2014-04-20
Hello,
We are currently in the process of setting up Single Sign On with an external party that is using our email address as the sign in. I have configured a claims rule, which I have attached, that I believe should transform the UPN into an email address. Is this the correct way of setting this up?
ADFS-Claims-Rule.PNG
0
Comment
Question by:Damon Rodriguez
9 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39931719
It depends on what type of incoming claims (attributes) your ADFS server is accepting and what type of outgoing claim type (attribute) the ADFS server needs to send that is acceptable to the opposite side.

Please ask the relying party for the exact configuration, because this is a totally custom configuration and they can tune it as they want.

If you are looking for SharePoint SSO, then check the post below:
http://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx

Mahesh
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39934094
Hello,

Why are you using a transform rule? You should be able to just set up a new Claim Rule that maps the e-mail address LDAP attribute to the Name ID.

Email address to NameID Claim Rule
0
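As an added example (not from the thread or from either poster), here is what the rule Jamie describes looks like when written out in the ADFS claim rule language and applied with the ADFS PowerShell cmdlets. It issues the user's AD `mail` attribute as the Name ID instead of rewriting the UPN string, since the UPN and the mail address are not guaranteed to be the same value. The relying party name and the backup path are placeholders.

```powershell
# Added example. Run in an elevated PowerShell on the ADFS server.
# On AD FS 2.0 load the snap-in first: Add-PSSnapin Microsoft.Adfs.PowerShell
# On Windows Server 2012 R2 the ADFS module loads automatically.
$rpName = "PartnerApp"   # placeholder: list real names with Get-AdfsRelyingPartyTrust

# Rule 1: look up the authenticated user's "mail" attribute in AD and issue it
# as the E-Mail Address claim. Anchoring on Issuer == "AD AUTHORITY" means only
# the identity ADFS itself authenticated can drive the LDAP lookup.
# Rule 2: re-issue that claim as the SAML Name ID with the emailAddress format,
# which is what a partner that "signs in with the email address" usually expects.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail attribute -> E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address -> Name ID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Back up the trust's current issuance rules so the change can be rolled back,
# then replace them with the two rules above.
$trust = Get-AdfsRelyingPartyTrust -Name $rpName
$trust.IssuanceTransformRules | Out-File ".\$rpName-rules.backup.txt"   # placeholder path
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Checks: confirm what was stored, and find enabled users with no "mail" attribute.
# Such users get no Name ID from rule 1 and will fail to sign in at the partner.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
    Where-Object { -not $_.mail } |
    Select-Object SamAccountName, UserPrincipalName
```

Because the partner keys the account on the Name ID value, the `mail` attribute must be unique and controlled by the directory team, not user-editable; otherwise two users could present the same identity to the relying party.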
 

Author Comment

by:Damon Rodriguez
ID: 39937479
The company that we are setting this up with has stated that they don't help with the actual setup of ADFS on our side. They let us know what they need from us. I didn't even know that they expected our email addresses instead of our AD login for 2 weeks. And I found out about it because someone from the internal test group let me know...

I created a transform rule because I was going by whatever documentation the company had presented to me and I wanted to match it up as close as possible. Their documentation was screenshots created by another company. Anyway thanks for quick responses.

jjmck I will try to use this rule that you presented and let you know if it works.
0
 

Author Comment

by:Damon Rodriguez
ID: 39937946
Ok. Tried it but it didn't work.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39938834
The code is written in the application that wants to federate with your Active Directory.

Hence you cannot decide what attributes need to be exchanged.

You need to ask the relying party (with whom you are going to build the federated trust) for the attribute and claims mapping.

Most relying parties have this well documented and can provide you with a step-by-step document upon request.

Mahesh
0
 

Author Comment

by:Damon Rodriguez
ID: 39942445
You would think they do; however, the person I have been speaking with has been pretty...unhelpful. She basically just sent an email stating that they are set up to accept whatever we log on with and then told me that would be email. I calmly pointed out that we do not sign in with our email addresses but use the UPN. I asked if they can change their settings in the back end to further test this. I was also told to call Microsoft to see how to set this up??? We are currently testing SSO with ADP and that works flawlessly. Management is not being lenient with this, so I'm pretty much stuck dealing with this company.
0
 

Accepted Solution

by: Damon Rodriguez (earned 0 total points)
ID: 39953932
We found the issue. We had to refresh our certificate a couple of weeks ago and it was never applied on their end. I really thought I would receive a certificate error on our end but this is what they told me.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40001892
This is expected, because ideally you don't have much to do on the ADFS front.
0
 

Author Closing Comment

by:Damon Rodriguez
ID: 40011148
The issue was resolved by the 3rd party.
0
