
I have a Windows Server 2016 on which I am using ADFS. I followed the link at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories to configure LDAP (AD LDS) as a claims provider trust. The next thing I wanted to configure was the application groups or relying parties to use a specific claims provider. For example, I want to use AD for one application, LDS for another and both for a third. Currently I get both options for all the applications. Can anyone help with managing this part?

My best guess is adding an Issuance transform rule --> Transform incoming claim, because I have already checked the access control policies and Properties for the relying party and application groups, and I did not find anything where I can specify the claims provider trust or authentication method to use.

2 Answers


From this:

Configure via Relying Party (RP)

A RP is an application e.g. Salesforce.

You can map a RP to an IDP.

e.g. all users of RP A will use the Fabrikam IDP to authenticate.

The command is:

Set-AdfsRelyingPartyTrust -TargetName "RP A" -ClaimsProviderName @("Fabrikam","Active Directory")

rbrayb
  • I found the same on https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/home-realm-discovery-customization and was able to set as described. – Chaitanya Gadkari Dec 10 '18 at 18:14

On top of nzpcmad's answer, which explains how to set it up for a relying party, the same can be done for an application in an application group using the command below:

Set-AdfsWebApiApplication -TargetName "Web SPA" -ClaimsProviderName @("Fabrikam","Active Directory")

Where "Web SPA" is an application from an application group, and Fabrikam and Active Directory are claims providers.

I could not set it up for a whole application group, only for a single application; if anyone can do it for an application group, please do add the answer.
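The following script is an added example, not code from either answer. It puts the two commands above together for the three cases in the question (AD only, LDS only, both), validates each claims provider name against the trusts actually configured on the farm before applying it, reads the setting back so you can confirm what home realm discovery will offer, and, for the open point in the second answer, applies the same setting to every Web API application in an application group by enumerating the group rather than naming each application. All relying party, application and trust names below are assumptions; the only name AD FS supplies itself is "Active Directory" for the built-in claims provider trust.

```powershell
# Added example: scope claims providers per application on an AD FS 2016 farm.
# Run in an elevated PowerShell session on a federation server.
Import-Module ADFS

# Assumed names of the claims provider trusts on this farm. "Active Directory" is the
# built-in trust; "AD LDS" is the LDAP trust created by following the linked article.
$AdTrust  = 'Active Directory'
$LdsTrust = 'AD LDS'

function Set-ClaimsProviderScope {
    <#
      Restrict which claims provider trusts an application (relying party trust or
      application-group Web API application) offers at sign-in, then read the
      setting back so the caller can verify it.
    #>
    param(
        [Parameter(Mandatory)] [string]   $TargetName,
        [Parameter(Mandatory)] [string[]] $ClaimsProviderName,
        [ValidateSet('RelyingParty', 'WebApi')] [string] $Kind = 'RelyingParty'
    )

    # Validate against the configured trusts first: a typo here is caught now,
    # not by a user who finds the wrong realm list at sign-in.
    $known = (Get-AdfsClaimsProviderTrust).Name
    foreach ($cp in $ClaimsProviderName) {
        if ($known -notcontains $cp) {
            throw "No claims provider trust named '$cp'. Configured trusts: $($known -join ', ')"
        }
    }

    switch ($Kind) {
        'RelyingParty' {
            Set-AdfsRelyingPartyTrust -TargetName $TargetName -ClaimsProviderName $ClaimsProviderName
            $applied = (Get-AdfsRelyingPartyTrust -Name $TargetName).ClaimsProviderName
        }
        'WebApi' {
            Set-AdfsWebApiApplication -TargetName $TargetName -ClaimsProviderName $ClaimsProviderName
            $applied = (Get-AdfsWebApiApplication -Name $TargetName).ClaimsProviderName
        }
    }
    # Return the value AD FS stored, not the value we asked for.
    [pscustomobject]@{ Target = $TargetName; Kind = $Kind; ClaimsProviders = $applied }
}

# Case 1: an internal application that must only see domain accounts.
Set-ClaimsProviderScope -TargetName 'Intranet Portal' -ClaimsProviderName @($AdTrust)

# Case 2: an external application whose users live only in AD LDS.
Set-ClaimsProviderScope -TargetName 'Partner Portal' -ClaimsProviderName @($LdsTrust)

# Case 3: both populations; home realm discovery will show both trusts.
Set-ClaimsProviderScope -TargetName 'Mixed Portal' -ClaimsProviderName @($AdTrust, $LdsTrust)

# Case 4 (second answer): a single Web API application inside an application group.
Set-ClaimsProviderScope -TargetName 'Web SPA' -ClaimsProviderName @($LdsTrust) -Kind WebApi

# Case 5 (the part the second answer could not do): every Web API application in a
# group. -ClaimsProviderName is a per-application property, so the group itself
# cannot carry it; instead enumerate the group's Web API applications and apply the
# setting to each. 'Partner Apps' is an assumed application group name.
$group = Get-AdfsApplicationGroup -Name 'Partner Apps'
Get-AdfsWebApiApplication -ApplicationGroupIdentifier $group.ApplicationGroupIdentifier |
    ForEach-Object {
        Set-ClaimsProviderScope -TargetName $_.Name -ClaimsProviderName @($LdsTrust) -Kind WebApi
    }

# Audit: list every relying party trust that still offers all claims providers, i.e.
# has no explicit scope. These are the applications whose users still see both options.
Get-AdfsRelyingPartyTrust |
    Where-Object { -not $_.ClaimsProviderName } |
    Select-Object Name, Identifier
```

Native client and server applications in an application group are OAuth clients that obtain tokens for a Web API, so the setting goes on the Web API application, as in the second answer; the loop in case 5 therefore covers the group as far as AD FS exposes the property. Because this changes which identities can reach an application, treat it like any other access-control change: re-run the audit query after editing and keep the trust names in source control alongside the relying party configuration.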