Claims Provider Rules

Claims Mapping

Office 365 requires the objectGUID and userPrincipalName LDAP attributes. These attributes were added to the SAML assertion in the previous steps. Now the ADFS claims rules have to be set up to accept these incoming claims / attributes and map them to meaningful ADFS claim types.

Accept NameID as UPN Claim


Your ADFS server may already have this rule. It is part of the default ADFS configuration for gridguard. If the rule already exists, skip to the next step.

A rule is needed to transform the incoming Name ID claim into a UPN claim. The image above shows the settings required; the claims rule language below is what that configuration generates.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Accept the objectGUID as Source user ID Claim


A rule is needed to transform the incoming objectGUID claim into a Source user ID (ImmutableID) claim. The image above shows the settings required; the claims rule language below is what that configuration generates.

If 'Source user ID' is not offered as an outgoing claim type, make sure all of the software for the ADFS and Office 365 integration is installed properly.

c:[Type == "objectGUID"]
 => issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
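As an added example (not part of the original guide), the same two rules applied with the ADFS PowerShell module instead of the management console, so the configuration can be scripted and checked. The claims provider trust name "GridGuard" is an assumed placeholder; use the name that Get-AdfsClaimsProviderTrust lists in your deployment.

```powershell
# Added example: apply the two acceptance transform rules above to a claims provider trust.
# Assumption: the trust is named "GridGuard" (placeholder, substitute your own trust name).
Import-Module ADFS

$trustName = "GridGuard"

# Rule text is the same claims rule language shown above; @RuleName gives each rule a label
# that is visible in the console and lets the script detect whether it is already present.
$rules = [ordered]@{
    "Accept NameID as UPN Claim" = @'
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@
    "Accept the objectGUID as Source user ID Claim" = @'
c:[Type == "objectGUID"]
 => issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@
}

$trust = Get-AdfsClaimsProviderTrust -Name $trustName
if (-not $trust) { throw "Claims provider trust '$trustName' not found" }

# Keep whatever acceptance rules already exist; only append the ones that are missing.
$ruleSet = $trust.AcceptanceTransformRules
foreach ($name in $rules.Keys) {
    if ($ruleSet -like "*@RuleName = `"$name`"*") {
        Write-Host "Rule already present: $name"
        continue
    }
    $ruleSet += "`n@RuleName = `"$name`"`n" + $rules[$name] + "`n"
    Write-Host "Adding rule: $name"
}

Set-AdfsClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules $ruleSet

# Verify: print the resulting rule set so both rules can be confirmed before testing a logon.
(Get-AdfsClaimsProviderTrust -Name $trustName).AcceptanceTransformRules
```

Note that the NameID rule only fires when the incoming NameID carries the persistent format property, so an assertion using a different NameID format will not produce a UPN claim.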