1

I'm using ADFS and I need to send the sAMAccountName.

Currently using a "Transform an incoming claim" rule: Incoming claim type: Windows account name Outgoing claim type: Name ID Outgoing name ID format: Email (I know the format is actually wrong but thats the format the provider wants and it works)

Unfortunately the username is sent including the domain prefix, so e.g. "domain\username". How can I get rid of "domain"?

I tried with transforming it via

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    => issue(Type = "sswindowsaccountname", Value = RegexReplace(c.Value, "^Domain\\", ""));

Unfortunately it doesn't work.

Does anybody know how I can resolve that? Thanks!

Daniel
  • 6,940
  • 6
  • 33
  • 64
error401
  • 23
  • 1
  • 4

1 Answers1

1

You can achieve this without a custom rule by creating a rule from the template Send LDAP Attributes as Claims and then transforming that claim as you already did.

Rule 1: Send LDAP Attributes as Claims
Attribute Store: Active Directory
Mapping 1 LDAP Attribute: SAM-Account-Name
Mapping 1 Outgoing Claim Type: samaccountname (Choose a name of your liking)

Rule 2: Transform an Incoming Claim
Incoming claim type: samaccountname (Use the name you chose in rule 1)
Outgoing claim type: Email Address (Don't know the exact english wording)
Option: Pass through all claim values

Due to the nature of how the wizard is built, ADFS will also send the intermediary claim from rule 1, but that shouldn't be a concern. If you create a custom rule, you can omit adding that claim, but that requires deeper knowledge of the syntax and raises complexity. Would not recommend unless you deal with SAML on a weekly basis.

Daniel
  • 6,940
  • 6
  • 33
  • 64