2

I'm sorry if this is an uneducated question, but I'm growing a bit desperate here.

At work, we have a few customers that are still using ADFS versions prior to 2.0 which went the SAML2 route, and I'm trying to create support for WebSSO using those versions as the identity provider. I already have support for ADFS 2.0+, Shibboleth, and Okta.

I'm testing against the "adatum" account server as I've been following Microsoft's step-by-step guide to get a working setup that I can test against.

I've gotten so far that I've managed to request and receive the RequestSecurityTokenResponse payloads that ADFS delivers at my login endpoint when a user is authenticated, but I'm at a loss as of how to get basic information such as e-mail and first and last names included with it.

The only time I've managed to get anything sent in an attributeStatement at all is when I map one of the two "Trey*AppUsers" groups created in the guide.

Enabling the identity claims E-mail or Common Name doesn't add anything, either.

I've tried to

  • Create a new custom Organization Claim
  • Create a Custom Claim Extraction from the AD Account Store for it
  • Set it to use an LDAP attribute that ought to be there (I've tried sAMAccountName, givenName, and displayName)
  • Create a new Outgoing Custom Claim Mapping for it on the Resource Partner I've created for my SP, but I still don't get anything out...

I don't know why, and Googling for help for these versions of ADFS is extremely difficult, made worse by the fact that I'm not used to Windows, and I most definitely am not a sysadmin :D

Assuming this is a question worthy of being answered, could someone give me a few pointers bearing in mind that I'm (obviously) fairly retarded in this area?

Thanks :)

Daniel

  • Just an fyi, but AD FS 2.0 and later fixes some important issues in SAML support. Just about everyone should upgrade to 2.0 or even 3.0. Yes, that means updating to a newer version of Windows Server, but if you're using AD FS it's kind of important. – Joel Coel Oct 27 '15 at 13:42
  • Hi @JoelCoel :) I totally agree, but as I wrote, these are customer servers, and the customer is always right ;) – DanielSmedegaardBuus Oct 27 '15 at 13:46
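A quick way to tell an IdP-side mapping problem from an SP-side parsing problem is to dump whatever attributes actually arrived in the RequestSecurityTokenResponse. The following is an added example, not code from the question or from ADFS; it parses the SAML 1.1 assertion that pre-2.0 ADFS wraps in its RSTR and lists the attribute statement contents. The sample RSTR, the issuer, the user, the e-mail address and the group name are all constructed placeholders, and the claim namespace `http://schemas.xmlsoap.org/claims` is assumed to be the one the IdP emits. It performs no signature check, so use it only as a diagnostic on a response your normal validation path has already accepted.

```python
import xml.etree.ElementTree as ET

# Namespaces of the WS-Trust RSTR envelope and the SAML 1.1 assertion inside it.
NS = {
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed sample RSTR (not a real capture); every value is a placeholder.
SAMPLE_RSTR = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        AssertionID="_constructed-assertion-id" Issuer="urn:federation:constructed-idp">
      <saml:AttributeStatement>
        <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
        <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
          <saml:AttributeValue>TreyExampleAppUsers</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
          <saml:AttributeValue>alice@example.invalid</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def extract_claims(rstr_xml: str) -> dict:
    """Map '<AttributeNamespace>/<AttributeName>' to the list of values found in
    every AttributeStatement of the assertion. No signature validation here."""
    root = ET.fromstring(rstr_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims.setdefault(key, []).extend(values)
    return claims


def missing_claims(claims: dict, required: tuple) -> list:
    """Return the expected claim keys that did not arrive (or arrived empty)."""
    return [name for name in required if not claims.get(name)]


if __name__ == "__main__":
    got = extract_claims(SAMPLE_RSTR)
    for key, values in got.items():
        print(key, "->", values)
    wanted = ("http://schemas.xmlsoap.org/claims/EmailAddress",
              "http://schemas.xmlsoap.org/claims/CommonName")
    print("missing:", missing_claims(got, wanted))
```

If the dump shows only the Group attribute, the outgoing claim mapping on the Resource Partner is not being applied; if the attributes are present but your SP ignores them, the problem is on the parsing side.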

1 Answer

0

Okay, this is ridiculous. Seeing guides like this one made me even more baffled as it's basically telling me to do exactly what I'm already doing. So I tried to create a new Resource Partner with exactly the same configuration as the one before, and lo and behold, I can now map AD claims and they make it all the way through!

I can't see that there's any difference at all between the two RPs, except that one of them can send AD-sourced claims, the other cannot. Perhaps my messing around fiddling with all sorts of settings has somehow broken it.

I'm not gonna remove my question, though, as I guess someone else might experience the same, and if so, I can just say: Try to create an exact duplicate of the Resource Partner configuration that is failing, it just might work!