Send simple LDAP attributes from AD FS to EAA

These steps describe how to send the user's email address from AD FS to EAA.

Follow these steps to integrate AD FS with EAA so that simple LDAP attributes, such as the user's email address, are sent from AD FS to EAA.

  1. Add AD FS as an identity provider in EAA.
  2. Authenticate EAA with AD FS. This involves the following steps:
    1. Configure EAA as an AD FS endpoint. See Setup relying party trust in AD FS.
    2. Configure which Active Directory (AD) attributes AD FS sends to EAA. The EAA administrator creates claim rules and adds them to the relying party trust. In AD FS you can create claim rules from the default claim template to send simple attributes such as the user's email address. See Use claims to send LDAP attributes from AD FS to EAA.
  3. Upload AD FS metadata to EAA IdP.
  4. Verify that a simple LDAP attribute, such as the user's email address, arrives in EAA. See Verify application user's email is sent from AD FS to EAA.
  5. Enable signed SAML requests between EAA and AD FS. This step is optional; it is needed only if you want to use signed SAML requests.
  6. Enable encrypted SAML responses between EAA and AD FS. This step is optional; it is needed only if you want the SAML responses to be encrypted for additional security.
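As an added example (not part of the EAA documentation or its procedure), the claim rule from step 2b written in AD FS claim rule language and applied with the AD FS PowerShell module, followed by the optional settings from steps 5 and 6 and a read-back check. The relying party trust name `EAA` and the rule name are placeholders; the trust itself is assumed to already exist from step 2a.

```powershell
# Added example, not from the EAA documentation. Assumes the AD FS module is
# available on the federation server and that the relying party trust created
# in step 2a is named "EAA" (placeholder).
Import-Module ADFS

$rpName = 'EAA'   # placeholder: name of the EAA relying party trust

# Step 2b: the "Send LDAP Attributes as Claims" rule, as the default template
# emits it. It looks up the authenticated user's "mail" attribute in Active
# Directory and issues it as the standard emailaddress claim.
$emailRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email to EAA"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Note: -IssuanceTransformRules replaces the whole rule set on the trust, so
# include every rule you want to keep in the string above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $emailRule

# Steps 5 and 6 (optional): require EAA's SAML requests to be signed and encrypt
# the claims in the SAML response. Both depend on the EAA certificates that came
# in with the EAA metadata when the trust was created.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SignedSamlRequestsRequired $true -EncryptClaims $true

# Check: read the trust back and confirm the email claim rule and both options.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($rp.IssuanceTransformRules -notmatch 'claims/emailaddress') {
    throw "Email claim rule is missing on relying party trust '$rpName'"
}
[pscustomobject]@{
    RelyingParty           = $rp.Name
    SignedRequestsRequired = $rp.SignedSamlRequestsRequired
    EncryptClaims          = $rp.EncryptClaims
}
```

Run it in an elevated PowerShell session on the AD FS server; the final object should show both options as True once steps 5 and 6 are in effect.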