Use custom claim description for sending group membership from AD FS to EAA
To allow EAA to redirect users to AD FS login portal for completing authentication, you also need to configure the LDAP attributes that are sent from AD FS to EAA using claims.
Claims rules control which Active Directory (AD) attributes are returned to the relying party endpoint once a user has been authenticated. For example, it could be the application user’s email or user’s AD group membership information. The minimum requirement for EAA is the user’s email needs to be returned as a part of the Name ID attribute.
The EAA IT administrator can create a custom claims description in AD FS, associate it with the correct LDAP attribute, and add it to the relying party trust. This allows the user’s group membership to be sent from AD FS to EAA.
How to
-
Expand Service and on the right, click Add
Claim Description....
-
Complete these fields in
Add a claim Description window,
-
Description, optional.
-
Description, optional.
-
Complete these fields,
-
Map an LDAP attribute to an Outgoing
Claim Type. Select Token-Groups
for LDAP attribute and Group
(EAA) from step 3.a
This will associate your custom claim description to the Token-Groups LDAP attribute, to enable handling of group memberships between AD FS and EAA. In this example, the IT administrator configures a claim rule called “Group Membership Attribute” that fetches the SAML group assertion attribute from the Active Directory and sends it out to relying party trust, which is EAA.
-
Map an LDAP attribute to an Outgoing
Claim Type. Select Token-Groups
for LDAP attribute and Group
(EAA) from step 3.a