compdigit44 asked:

ADFS 2.1 Outbound Transformation

I am new to ADFS and have the following question.

Our application team has requested that all users sign in using the following format, which is not their email address: user@domain.com. But users in our domain have a mix of UPNs on their accounts; some are user@domain.com and others are user@child.domain.com. Is there a way to create an outbound transformation that makes our outbound UPNs to a specific destination match user@domain.com? If not, I have to change the UPN for a couple hundred users.
Jeff Glover:

Do your users use their UPN to log in, or do they use the NTLM-style login domain\username? If they use NTLM, the easiest way to do this is to change all the UPNs to the same thing. Since it seems they want you to use the root domain UPN, change the users in the child domain to that UPN. Also, have whoever creates new accounts choose the correct UPN suffix when making the account.
You can change them all with a PowerShell command. First load the Active Directory module (run PowerShell as administrator or you will get access denied from AD when you run the cmdlet):
import-module ActiveDirectory
Then search for all users with the @child.domain.com UPN suffix and change them.

Get-ADUser -filter {UserPrincipalName -like "*@child.domain.com"} -SearchBase "DC=child,DC=domain,DC=com" | Select samaccountname |  ForEach {Set-ADUser -Identity $_.samaccountname -UserPrincipalName "$($_.samaccountname)@domain.com"}

I know it's not exactly what you asked for, but it is simpler than what you are thinking of doing, even if it is possible. We have ADFS on multiple domains with multiple relying parties and have used this before.
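The one-liner above rewrites UPNs in place with no preview. The script below is an added example, not code from the thread, that does the same change in two passes: first it builds a plan and checks each proposed UPN against every UPN already in use in the forest (UPNs must be unique forest-wide, and a sAMAccountName that exists in both domains would otherwise produce a duplicate), then it applies only the non-conflicting changes with -WhatIf until you remove it. The domain names, search base and output path are taken from the question or are assumptions.

```powershell
# Added example (not from the original thread): preview a bulk UPN suffix change before
# applying it. Assumes the child domain is child.domain.com and the target suffix is
# domain.com, as in the question; run from an elevated PowerShell with RSAT installed.
Import-Module ActiveDirectory

$OldSuffix = '@child.domain.com'
$NewSuffix = '@domain.com'

# Users in the child domain whose UPN still carries the child-domain suffix.
# -Server points the query at the child domain so the SearchBase resolves without a referral.
$candidates = Get-ADUser -Filter "UserPrincipalName -like '*$OldSuffix'" `
    -Server 'child.domain.com' -SearchBase 'DC=child,DC=domain,DC=com' `
    -Properties UserPrincipalName

# Collect every UPN already using the new suffix anywhere in the forest by querying the
# global catalog (port 3268); userPrincipalName is part of the GC partial attribute set.
$inUse = @{}
Get-ADUser -Filter "UserPrincipalName -like '*$NewSuffix'" -Server 'domain.com:3268' `
    -Properties UserPrincipalName |
    ForEach-Object { $inUse[$_.UserPrincipalName.ToLower()] = $true }

# Build the change plan and flag any proposed UPN that would collide with an existing one.
$plan = foreach ($u in $candidates) {
    $newUpn = '{0}{1}' -f $u.SamAccountName, $NewSuffix
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUpn         = $u.UserPrincipalName
        NewUpn         = $newUpn
        Conflict       = $inUse.ContainsKey($newUpn.ToLower())
    }
}

# Review before changing anything; conflicts need a manual decision, not a script.
$plan | Sort-Object Conflict -Descending | Format-Table -AutoSize
$plan | Export-Csv -Path '.\upn-change-plan.csv' -NoTypeInformation   # assumed path

# Apply only the non-conflicting changes. Remove -WhatIf once the plan looks right.
$plan | Where-Object { -not $_.Conflict } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.NewUpn -WhatIf
}
```

The exported CSV doubles as the rollback record, since it keeps the old UPN beside the new one for every account touched.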
compdigit44 (asker):

Our users do not log in using their UPN. I was hoping not to change the UPN on all user accounts since this is for one application for about 500 users.

So no outbound transformations?
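The accepted solution that follows is not visible on this page, so as an added example (not the thread's answer and not Microsoft's documentation) here is what an outbound transformation for a single relying party looks like in ADFS claim rule language, set from PowerShell. It fetches the UPN from AD with an add rule (so the raw child-domain value is not itself emitted), then issues a UPN claim with the child suffix rewritten using RegExReplace. The rule is scoped to one relying party trust, so every other application keeps receiving the unchanged UPN and no account in AD is modified. The trust name 'Payroll App' and the suffixes are assumptions; the claim type URIs and the AD attribute store name are the standard ones ADFS ships with.

```powershell
# Added example (not the thread's accepted solution): ADFS issuance transform rules that
# rewrite the UPN suffix on the way out to one relying party only. Assumes the relying
# party trust is named 'Payroll App' (hypothetical) and the suffixes from the question.
# On Windows Server 2012 the ADFS module loads automatically; on 2008 R2 with ADFS 2.x use
# Add-PSSnapin Microsoft.Adfs.PowerShell instead.
Import-Module ADFS

# Single-quoted here-string so the {0} placeholder and the $ regex anchor stay literal.
$rules = @'
@RuleName = "Fetch UPN from AD into the pipeline (add, not issue)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Issue UPN with child suffix rewritten to root suffix"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = RegExReplace(c.Value, "@child\.domain\.com$", "@domain.com"));
'@

# Keep a copy of the current rule set so it can be restored if the application rejects the change.
$backup = (Get-AdfsRelyingPartyTrust -Name 'Payroll App').IssuanceTransformRules
$backup | Set-Content -Path '.\payroll-app-rules.bak'   # assumed path

# Replace the rule set for this relying party only; other trusts keep their original claims.
Set-AdfsRelyingPartyTrust -TargetName 'Payroll App' -IssuanceTransformRules $rules
```

Because the second rule only rewrites the UPN claim, an application that matches users on a different claim (for example the NameID) would need the same RegExReplace applied to that claim as well; check which claim the application actually reads before assuming the sign-in format is fixed.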
ASKER CERTIFIED SOLUTION
Jeff Glover
compdigit44 (asker):

Thanks for the advice. ADFS is still one of the things I do not feel I have an understanding of... can you recommend any good MS ADFS study books?
Jeff Glover:

Unfortunately, ADFS is considered just another part of Active Directory and is seldom covered as a topic by itself. It is an add-on to Server 2008 and 2008 R2 and a feature in 2012. Most AD books will have something about it, but not in the depth you probably want. Your best bet would be TechNet for related articles, but you may find this to be a poorly covered subject.
There are some books on SAML 2.0 out there, but you would need a pretty good understanding of ADFS already to be able to use the knowledge effectively.