Use claims to send LDAP attributes from AD FS to EAA

To allow EAA to redirect users to AD FS login portal for completing authentication, you also need to configure the LDAP attributes that are sent from AD FS to EAA using claims.

Claims rules control which Active Directory (AD) attributes are returned to the relying party endpoint once a user has been authenticated. For example, it could be the application user’s email or user’s AD group membership information. The minimum requirement for EAA is the user’s email needs to be returned as a part of the Name ID attribute.

The EAA IT administrator can create a new claim rule using an existing claims rules template in AD FS, and add it to the relying party trust. This allows the application user’s email to be returned to EAA from AD FS.

How to

  1. Right-click on the relying party, for our example, EAA-RPT and select Edit Claims Issuance Policy...
  2. Click Add Rule...
  3. Select the default Send LDAP Attributes as Claims template. This template allows the IT administrator to use any of the LDAP attributes for claim rules.
    The Add Transform Claim Rule wizard appears.
  4. Complete these fields,
    1. Claim rule name. Enter a custom claim rule name.
    2. Attribute store. Select Active Directory.
    3. Map an LDAP attribute to an Outgoing Claim Type.

      In this example, the IT administrator configures a claim rule called Test Email Claim Rule that fetches the user’s email from the Active Directory and sends it out as the outgoing claim type to the relying party trust, which is EAA.

  5. Click Finish.
  6. Click OK to save in the Edit Claim Rules dialog box.