ADFS 2.1 Outbound Transformation

I am new to ADFS and have the following question.

Our application team has requested that all users sign in using the following format, which is not their email address: user@domain.com. But users in our domain have a mix of UPNs on their accounts; some are user@domain.com and others are user@child.domain.com. Is there a way to create an outbound transformation that makes our outbound UPNs to a specific destination match user@domain.com? If not, I have to change the UPN for a couple hundred users.
compdigit44 Asked:
Jeff Glover, Sr. Systems Administrator, Commented:
Do your users use their UPN to log in, or do they use the NTLM-style login domain\username? If they use NTLM, the easiest way to do this is to change all the UPNs to the same thing. Since it seems they want you to use the root domain UPN, change the users in the child domain to that UPN. Also, have whoever creates new accounts choose the correct UPN suffix when making the account.
You can change them all with a PowerShell command. First load the Active Directory module (run PowerShell as administrator or you will get access denied from AD when you run the cmdlet):

# Load the AD cmdlets (RSAT / AD DS tools must be installed)
Import-Module ActiveDirectory

Then search for all users with the @child.domain.com UPN suffix and change them:

# Find every user in the child domain whose UPN ends in @child.domain.com and
# rewrite it to samaccountname@domain.com (add -WhatIf to Set-ADUser to preview)
Get-ADUser -Filter {UserPrincipalName -like "*@child.domain.com"} -SearchBase "DC=child,DC=domain,DC=com" | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -UserPrincipalName "$($_.SamAccountName)@domain.com" }

I know it's not exactly what you asked for, but it is simpler than what you are thinking of doing, even if it is possible. We have ADFS on multiple domains with multiple relying parties and have used this before.
compdigit44 (Author) Commented:
Our users do not log in using their UPN. I was hoping not to change the UPN on all user accounts since this is for one application for about 500 users.

So no outbound transformations???
Jeff Glover, Sr. Systems Administrator, Commented:
Not that I have seen. You can choose to transform the incoming claim, such as changing the role requested from Manager to Supervisor or something similar, but transforming an outgoing claim by replacing the domain in the UPN is well above me. You might be able to construct one using the custom claims language. TechNet has an article on doing something similar, but I would do a lot of testing before trying it.

https://technet.microsoft.com/en-us/library/ee913558.aspx
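The custom-rule route mentioned above, as an added example that is not code from this thread or from Microsoft's documentation: two AD FS claim rules that fetch the user's real UPN from Active Directory and issue a copy with the child suffix rewritten to the root domain, plus a local dry run of the same regex over constructed sample UPNs. The relying party name App, the sample UPNs and the exact rule text are assumptions; the dry run also flags the case where two accounts with the same prefix in different domains would be issued the same value, which the application could not tell apart.

```powershell
# Added example, not code from this thread. Assumes the AD FS 2.1 PowerShell module
# on the federation server and a relying party trust named "App" (placeholder name).
$upnType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$wanType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Rule 1 uses add() so the real UPN enters the pipeline without being issued as-is.
# Rule 2 issues a UPN with "@child.domain.com" rewritten to "@domain.com".
# "[.]" matches a literal dot without relying on backslash escaping in rule strings.
$rules = @"
@RuleName = "Fetch UPN from AD (not issued)"
c:[Type == "$wanType", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$upnType"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Issue UPN with root domain suffix"
c:[Type == "$upnType"]
 => issue(Type = "$upnType", Value = RegExReplace(c.Value, "@child[.]domain[.]com$", "@domain.com"));
"@

# Dry run of the same rewrite with the .NET regex engine over constructed sample
# UPNs. A collision means two distinct accounts would look identical to the app.
function Test-UpnRewrite {
    param([string[]]$SampleUpns)
    $seen = @{}
    foreach ($upn in $SampleUpns) {
        $issued = [regex]::Replace($upn, '@child[.]domain[.]com$', '@domain.com')
        if ($seen.ContainsKey($issued)) {
            Write-Warning "Collision: '$upn' and '$($seen[$issued])' both issue '$issued'"
        } else {
            $seen[$issued] = $upn
        }
        [pscustomobject]@{ Source = $upn; Issued = $issued }
    }
}
Test-UpnRewrite -SampleUpns 'alice@domain.com', 'bob@child.domain.com', 'alice@child.domain.com'

# Append to the trust's existing rules instead of replacing them. If an existing
# rule already issues the raw UPN, remove it first or the app receives both values.
$rp = Get-AdfsRelyingPartyTrust -Name 'App'
Set-AdfsRelyingPartyTrust -TargetName 'App' -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $rules)
```

Review the combined rule set with Get-AdfsRelyingPartyTrust afterwards and test against a non-production trust first, since the issued UPN will no longer match what AD records for child-domain users.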

compdigit44 (Author) Commented:
Thanks for the advice. ADFS is still one of the things I do not feel I have an understanding of... can you recommend any good MS ADFS study books?
Jeff Glover, Sr. Systems Administrator, Commented:
Unfortunately, ADFS is considered just another part of Active Directory and is seldom covered as a topic by itself. It is an add-on to Server 2008 and 2008 R2 and a feature in 2012. Most AD books will have something about it, but not as in-depth as you probably want. Your best bet would be TechNet for related articles, but you may find this to be a poorly covered subject.
There are some books on SAML 2.0 out there, but you would need a pretty good understanding of ADFS already to be able to use the knowledge effectively.