Add issuance transform rules that create the SAML assertion that ADFS sends to Verify.
About this task
You must create a rule that is called Send LDAP attributes by using the
template Send LDAP Attributes as Claims. This rule maps the E-Mail-Addresses
attribute to E-Mail-Address. Add other attributes from Active Directory that
your organization needs for connecting to SaaS providers. Map them to standard or custom SAML
attribute names as needed by your organization.
Procedure
1. Select your relying party and click Edit Claim Rules.
2. Click Add Rule on the Edit Claim Rules window.
3. Create the Send LDAP Attributes rule.
   a. Click Add Rule on the Issuance Transform Rules tab.
   b. Select Send LDAP Attributes as Claims from the template menu and click Next.
   c. Type or select the following settings.
      Note: Add any other LDAP attributes that you want to be sent over as claims.
   d. Click Finish.
4. Create the Email to NameID rule.
   a. Click Add Rule on the Issuance Transform Rules tab.
   b. Select Transform an Incoming Claim from the template menu and click Next.
   c. Type or select the following settings.
   d. Click Finish.
5. Add application roles.
   If you want to add application roles for a group that represents admin and standard Verify users, use the following values. For admin users, use the admin value for the Outgoing claim value; for standard users, use the user value for the Outgoing claim value.
   For example: Admin group.
   a. Select Send Group Membership as a Claim from the template menu and click Next.
   b. Specify a unique name for your rule in the Claim rule name field. For example: Send admin group.
   c. Click Browse to select the user group that represents the admin users on Verify from User’s group.
   d. Select Group from the Outgoing claim type menu.
   e. Provide a name for the Outgoing claim value. For example: admin.
   f. Click Finish.