Share-n-dipity

SharePoint serendipity is the effect by which one accidentally discovers something fortunate, especially while looking for something else entirely. In this case, it is the occasional musings, observations, and Ouija board readings about the phabulously

How To Add Additional Claims in ADFS 2.0 that can be Consumed in SharePoint 2010


Just a quick tip here to save you a little time in case you decide you want to add additional claims for your users in ADFS 2.0 and have them successfully consumed in SharePoint 2010.  The key thing to remember is that SharePoint only supports SAML 1.x, so it requires that the claim type be in a very specific format.

 

In ADFS 2.0 you can add additional claims very easily using the custom rules language it exposes.  To do that, click on your SharePoint Relying Party in ADFS and then click on the Edit Claim Rules… link in the right action pane.  When the rules editor comes up, click on Add Rule, then select Send Claims Using a Custom Rule from the drop-down.  Click on the Next button to continue, and then you can enter a claim name and your custom claim rule using the ADFS rules language (http://technet.microsoft.com/en-us/library/dd807118(WS.10).aspx).  Unfortunately, the very first example rule cited on that page won’t work for SharePoint because the name isn’t in a format that WS-Federation supports.

 

Fortunately Adam Conkle has blogged about the correct formats for WS-Fed at http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-the-admin-event-log-shows-error-111-with-system-argumentexception-id4216.aspx.  The important thing for SharePoint people to understand is his description of the naming requirements for SAML 1.x:

 

(from his blog – thank you Adam)

SAML 1.1 tokens have strict URI rules which state that the format must be  'namespace'/'name'. These can be constructed many ways, and here are a few common examples:

  • myOrganization/myClaimType
  • urn:myOrganization:claims/myClaimType
  • http://myOrganization/claims/myClaimType

 

So for example, you can add a custom claim in ADFS that will go to SharePoint with a rule that looks like this:

 

=> issue(Type = "http://www.vbtoys.com/claims/demo", Value = "BlazersPlayoffs2010");

 

The rules language in ADFS is actually pretty interesting; there’s a lot of functionality in there.  And now you know what format your claim types need to be in when you send them on to SharePoint.
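A pre-deployment check for the naming rule above, as an added PowerShell example (not code from the original post or from ADFS itself): it pulls the literal claim types out of issue/add statements and flags any that lack the 'namespace'/'name' shape. The function names, the sample rules other than the post's own, and the reading of the rule as "split at the last '/', with text on both sides" are assumptions.

```powershell
# Added example: lint ADFS claim rules for SAML 1.1-compatible claim types.

function Test-Saml11ClaimType {
    param([string]$ClaimType)
    # Assumption: 'namespace'/'name' means the type splits at its LAST '/',
    # leaving a non-empty namespace before it and a non-empty name after it.
    $slash = $ClaimType.LastIndexOf('/')
    # -1 = no slash at all, 0 = empty namespace, last char = empty name
    return ($slash -gt 0) -and ($slash -lt ($ClaimType.Length - 1))
}

function Get-IssuedClaimType {
    param([string]$RuleText)
    # Look only inside issue(...) / add(...) statements, so the
    # Type == "..." comparisons in a rule's condition are ignored.
    # Assumption: no ';' appears inside a statement's arguments.
    $pattern = '\b(?:issue|add)\s*\((?<body>[^;]*)\)\s*;'
    foreach ($stmt in [regex]::Matches($RuleText, $pattern)) {
        $body = $stmt.Groups['body'].Value
        # Literal types only; Type = c.Type copies an incoming type and is skipped.
        foreach ($m in [regex]::Matches($body, '\bType\s*=\s*"(?<type>[^"]+)"')) {
            $m.Groups['type'].Value
        }
    }
}

# Constructed sample rule set. The first rule is the one from the post; the
# other two are made up, and the last one issues a type with no namespace part.
$rules = @'
=> issue(Type = "http://www.vbtoys.com/claims/demo", Value = "BlazersPlayoffs2010");
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "urn:myOrganization:claims/myClaimType", Value = c.Value);
=> issue(Type = "demo", Value = "BlazersPlayoffs2010");
'@

# One row per issued claim type, with the result of the format check.
Get-IssuedClaimType -RuleText $rules | ForEach-Object {
    New-Object PSObject -Property @{
        ClaimType = $_
        Saml11Ok  = (Test-Saml11ClaimType -ClaimType $_)
    }
} | Format-Table ClaimType, Saml11Ok -AutoSize
```

On the ADFS server, the same functions can be fed the IssuanceTransformRules string that Get-ADFSRelyingPartyTrust returns for the SharePoint relying party instead of the sample text.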

Attachment: How To Add Additional Claims in ADFS 2.docx
Comments
  • @Steve
    Does this mean that when you create a new Claims Rule using the Active Directory store and you select multiple LDAP attributes they won't be passed into SharePoint?
    I am trying to pass title, phone, company, dept. from Active Directory to SharePoint.
