To allow EAA to redirect users to AD FS login portal for completing authentication, you also need to configure the LDAP attributes that are sent from AD FS to EAA using claims.

1. Go to Server Manager > Tools > AD FS Management.
2. Expand Service and on the right, click Add Claim Description....

   

3. Complete these fields in Add a claim Description window,
   1. Display name, for example Group (EAA)
   2. Short name, for example groupeaa.
   3. Claim identifier, must be Group.
   4. Description, optional.

      

   5. Click OK.
4. Right-click on the relying party trust, for our example, EAA-RPT and select Edit Claims Issuance Policy...
5. Click Add Rule...
6. Select the default Send LDAP Attributes as Claims template. This template allows the IT administrator to use any of the LDAP attributes for claim rules.
   The Add Transform Claim Rule wizard appears.
7. Complete these fields,
   1. Claim rule name. Enter a custom claim rule name.
   2. Attribute store. Select Active Directory.
   3. Map an LDAP attribute to an Outgoing Claim Type. Select Token-Groups for LDAP attribute and Group (EAA) from step 3.a

      

      This will associate your custom claim description to the Token-Groups LDAP attribute, to enable handling of group memberships between AD FS and EAA. In this example, the IT administrator configures a claim rule called “Group Membership Attribute” that fetches the SAML group assertion attribute from the Active Directory and sends it out to relying party trust, which is EAA.

8. Click Finish.
9. Click OK to save in the Edit Claim Rules dialog box.