ADFS claims rule help

Hi,

I'm working on a SSO project and although the logon to the site is working I am having some trouble with one of the attributes we are trying to send over.

We want to send the user's manager email address, and the manager is stored as a distinguished name in AD.

I am following this guide - https://technet.microsoft.com/fr-fr/library/ff678048(v=ws.10).aspx which explains how to query the manager field and return the mail of the manager in a second rule, but I am not able to get it to work. The relying party says that no data is being received.

Rule 1:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerDistinguishedName"), query = ";manager;{0}", param = c.Value);

Rule 2:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerDistinguishedName"]
 => issue(store = "Active Directory", types = ("ManagerEmailAddress"), query = "(&(distinguishedName={0})(objectClass=user));mail;domain\user", param = c.Value);

One thing I'm really not clear on is what is the purpose of the domain\user section in the second rule and what do I replace it with to make it specific to my environment? Netbiosnameofdomain\user??

One other question is how to best troubleshoot this? Currently I'm going to the relying partner each time I make a change to see if they can tell me the data they receive. Is there a way I can test it myself and see what is being returned? Obviously I can build a lab but I don't have the time available at the moment.

Any pointers appreciated.
EMEA iOps asked:
Amit (IT Architect) commented:
If you are still monitoring this question let me know. Then we can start working on it.
EMEA iOps (Author) commented:
Yes I'm still monitoring.
Amit (IT Architect) commented:
That's good. Let's start with step one. What is step 1? You need to first add this under claim description. If you know how to add it, just add it. If not, then do this:

Go to ADFS Snap-in > Service > Claim Description
Now, on the right-hand side, click on Add claim description
For the rest, check the screenshot attached.
Click OK and now test it.
add.png

EMEA iOps (Author) commented:
Hi Amit,

You're right, I had forgotten this step. I have added this and corrected another error with the claim rules. In addition the provider corrected an error on their side.

In the end these two rules worked:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/ManagerDistinguishedName"), query = ";manager;{0}", param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/claims/ManagerDistinguishedName"]
 => issue(store = "Active Directory", types = ("ManagerExternalReference", "ManagerUsername", "ManagerFirstName", "ManagerLastName", "ManagerEmailAddress"), query = "(&(distinguishedName={0}));sAMAccountName,mail,givenName,sn,mail;domain\username", param = c.Value);

The domain\user part which I was confused about is explained here; essentially the username is ignored - https://technet.microsoft.com/en-us/library/adfs2-help-attribute-stores%28WS.10%29.aspx

"DOMAIN_NAME\USERNAME — This part of the query identifies and locates the domain controller to connect to for execution of the LDAP query, for example, contoso\bob. This part of the query must be specified only when you use the Active Directory attribute store. This part of the query is not used for LDAP attribute stores. Also note that USERNAME is ignored, even for Active Directory attribute stores. The attribute store executes an LDAP query using QUERY_FILTER as the query that is targeted at the LDAP server, and it requests the return attributes whose names are available in the ATTRIBUTES string. QUERY_FILTER is substituted as the value of filter in the LDAP search request message. ATTRIBUTES is substituted as the value of attributes in the LDAP search request message."
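As an added example (not code from the thread or from Microsoft), the PowerShell script below reproduces what the two working rules ask the Active Directory attribute store to do, so the manager claims can be inspected locally instead of asking the relying party what arrived. It assumes a domain-joined host and an account allowed to read the manager, mail, givenName and sn attributes; $WindowsAccountName is the DOMAIN\user value that rule 1 passes as {0}.

```powershell
# Mirrors the two claim rules from the accepted answer using System.DirectoryServices.
param([Parameter(Mandatory)][string] $WindowsAccountName)

# Escape the characters RFC 4515 reserves in a filter value, so a DN copied from the
# manager attribute (commas are fine, but parentheses or backslashes are not) cannot
# break the filter. Backslash is handled first so later escapes are not re-escaped.
function ConvertTo-LdapFilterValue([string] $Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# First value of a returned attribute, or $null when AD did not return it.
function Get-FirstValue($Result, [string] $Name) {
    if (-not $Result) { return $null }
    $v = $Result.Properties[$Name.ToLower()]
    if ($v -and $v.Count -gt 0) { [string]$v[0] } else { $null }
}

# Rule 1 equivalent: query ";manager;{0}" resolves the caller and returns the manager DN.
$sam = $WindowsAccountName.Split('\')[-1]   # the DOMAIN\ prefix is not part of the sAMAccountName
$userSearch = New-Object System.DirectoryServices.DirectorySearcher
$userSearch.Filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $sam)))"
[void]$userSearch.PropertiesToLoad.Add('manager')
$managerDn = Get-FirstValue ($userSearch.FindOne()) 'manager'
if (-not $managerDn) {
    throw "No manager set on '$sam': rule 1 adds no ManagerDistinguishedName claim, so rule 2 never fires."
}

# Rule 2 equivalent: filter "(&(distinguishedName={0}))", attributes sAMAccountName,mail,givenName,sn,mail.
# The DOMAIN\USERNAME suffix in the rule only selects the domain controller; the username part is ignored.
$mgrSearch = New-Object System.DirectoryServices.DirectorySearcher
$mgrSearch.Filter = "(&(distinguishedName=$(ConvertTo-LdapFilterValue $managerDn)))"
foreach ($a in 'sAMAccountName', 'mail', 'givenName', 'sn') { [void]$mgrSearch.PropertiesToLoad.Add($a) }
$mgr = $mgrSearch.FindOne()
if (-not $mgr) { throw "Manager DN '$managerDn' did not resolve; check for a stale manager reference." }

# Map attributes to claim types in the same order as the second rule's types list.
# Any $null here is a claim the relying party will not receive for this user.
[ordered]@{
    ManagerExternalReference = Get-FirstValue $mgr 'sAMAccountName'
    ManagerUsername          = Get-FirstValue $mgr 'mail'
    ManagerFirstName         = Get-FirstValue $mgr 'givenName'
    ManagerLastName          = Get-FirstValue $mgr 'sn'
    ManagerEmailAddress      = Get-FirstValue $mgr 'mail'
}
```

Run it as the ADFS service account (or an account with the same read permissions) to catch the case where the rule fails only because that account cannot read the manager's attributes.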
EMEA iOps (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 250 points for Amit's comment #a40856929
Assisted answer: 0 points for STS_EMEA's comment #a40859219

for the following reason:

I was able to correct the domain\user portion of the rule myself