Send complex attributes like group membership from AD FS to EAA

These steps describe how to send a user's group membership attribute from AD FS to EAA.

Follow these steps to integrate AD FS with EAA so that complex LDAP attributes, such as a user's group membership, are sent from AD FS to EAA.

  1. Add AD FS as an identity provider in EAA.
  2. Authenticate EAA with AD FS. This involves the following steps:
    1. Configuring EAA as an AD FS endpoint. See Setup relying party trust in AD FS.
    2. Configuring which Active Directory (AD) attributes are sent from AD FS to EAA. The EAA administrator creates claim rules and adds them to the relying party trust. In AD FS you use a custom claim description to send group membership from AD FS to EAA. See Use custom claim description for sending group membership from AD FS to EAA.
  3. Upload AD FS metadata to EAA IdP.
  4. To verify that a complex attribute like group membership is sent, see Verify AD FS group membership is sent from AD FS to EAA.
  5. Enable signed SAML requests between EAA and AD FS. This step is optional; it is required only if you want to use signed SAML requests.
  6. Enable encrypted SAML responses between EAA and AD FS. This step is optional; it is required only if you want the SAML responses encrypted for additional security.
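The following PowerShell is an added example of steps 2.2, 5 and 6 on the AD FS side; it is not from the EAA documentation. It assumes the relying party trust from step 2.1 is named "EAA", that EAA reads the group claim under the claim type in $groupClaimType, and that groups intended for EAA carry an "EAA-" name prefix; all three are assumptions to adjust for your environment.

```powershell
# Added example, not EAA's or Microsoft's own code. Assumed names: the relying
# party trust "EAA", the group claim type below, and the "EAA-" group prefix.
$rpName         = "EAA"
$groupClaimType = "http://schemas.xmlsoap.org/claims/Group"

# 1. Register a claim description so the group claim is published in the AD FS
#    federation metadata that EAA imports in step 3.
if (-not (Get-AdfsClaimDescription | Where-Object ClaimType -eq $groupClaimType)) {
    Add-AdfsClaimDescription -Name "EAA Group Membership" -ClaimType $groupClaimType `
        -IsOffered $true -IsAccepted $true
}

# 2. Claim rules. Rule 1 reads the user's nested group membership (tokenGroups)
#    from Active Directory into an intermediate claim that is NOT issued to EAA.
#    Rule 2 issues only groups with the agreed prefix, so unrelated AD groups are
#    not disclosed to the application. The intermediate claim type is a
#    constructed placeholder; any private URI works.
$rules = @'
@RuleName = "Look up nested group membership"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://example.invalid/claims/eaa-groups-raw"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Issue only EAA-* groups to EAA"
c:[Type == "http://example.invalid/claims/eaa-groups-raw", Value =~ "^EAA-"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# 3. Optional hardening (steps 5 and 6): require EAA's SAML requests to be signed
#    and encrypt the assertion. Encryption only takes effect once EAA's encryption
#    certificate has been set on the trust (-EncryptionCertificate).
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -SignedSamlRequestsRequired $true -EncryptClaims $true

# 4. Check what AD FS actually stored before testing a login (step 4).
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, SignedSamlRequestsRequired, EncryptClaims, IssuanceTransformRules
```

Run in an elevated PowerShell session on an AD FS server with the ADFS module loaded; the final command is the quickest way to confirm both rules and both flags are in place before checking the SAML response in EAA.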