Use custom claim description to send group membership from AD FS to ETP

Before you begin

Set up relying party trust in AD FS

To redirect users to AD FS login portal for completing authentication, you also need to configure the LDAP attributes that are sent from AD FS to ETP using claims.

Claims rules control which Active Directory (AD) attributes are returned to the relying party endpoint once a user has been authenticated. For example, it could be the application user’s email address or user’s AD group membership information. The minimum requirement for ETP is the user’s email address. It needs to be returned as a part of the Name ID attribute.

The IT administrator can create a custom claims description in AD FS, associate it with the correct LDAP attribute, and add it to the relying party trust. This allows AD FS to send the user’s group membership to ETP.

How to

  1. Go to Server Manager > Tools > AD FS Management.
  2. Expand Service and select Claim Descriptions.
  3. On the right, click Add Claim Description....
  4. Complete these fields in the Add a Claim Description window:
    1. Display name. Enter a display name. For example, Group (ETP)
    2. Short name. Enter a short name. For example, groupetp.
    3. Claim identifier. Enter Group.
    4. Description. Enter a description. This is optional.
    5. Click OK.
  5. Right-click on the relying party trust (for example, IDP-RPT) and select Edit Claims Issuance Policy...
  6. Click Add Rule...
  7. Select the default Send LDAP Attributes as Claims template. This template allows the IT administrator to use any of the LDAP attributes for claim rules.
    The Add Transform Claim Rule wizard appears.
  8. Complete these fields:
    1. Claim rule name. Enter a custom claim rule name.
    2. Attribute store. Select Active Directory.
    3. Map an LDAP attribute to an Outgoing Claim Type. Select Token-Groups for LDAP attribute and Group (ETP) from step 4a.

      This associates your custom claim description to the Token-Groups LDAP attribute, enabling the handling of group memberships between AD FS and Akamai Enterprise IdP. In this example, the IT administrator configures a claim rule called “Group Membership Attribute” that fetches the SAML group assertion attribute from the Active Directory and sends it out to relying party trust, which is Akamai Enterprise IdP.

  9. Click Finish.
  10. Click OK to save in the Edit Claim Rules dialog box.

Next steps

Upload AD FS metadata to ETP IdP