Configure the Claim Issuance Policy in ADFS

Add rules to the Claims Issuance Policy so that ADFS sends the correct LDAP attributes and user group information to PE.

In ADFS, a claim is the equivalent of a SAML assertion, and the Claims Issuance Policy defines which pieces of information about a user are sent, and in which claim.

  1. In the ADFS Management console, click Relying Party Trusts.
  2. Select the PE trust you created and click Edit Claim Issuance Policy.
  3. Add a rule to send LDAP attributes as claims:
    • Claim rule template: Send LDAP Attributes as Claims
    • Claim rule name: LDAP Attributes
    • Attribute store: Active Directory

    In the LDAP attribute mapping table, select these LDAP attribute / outgoing claim type pairs from the drop-down lists:

    • SAM-Account-Name: Common Name
    • Display-Name: Name
    • E-Mail-Addresses: E-mail Address
    • SAM-Account-Name: Name ID
  4. Add a rule to send group membership as a claim:
    • Claim rule template: Send Group Membership as a Claim
    • Claim rule name: Group membership - <GROUP NAME>
    • User's group: <DOMAIN NAME>\<GROUP NAME>
    • Outgoing claim type: Group
    • Outgoing claim value: <GROUP NAME>
  5. Repeat step 4 for each additional user group at your organization whose membership PE needs.
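The same two rules from steps 3 and 4, written in ADFS claim rule language and applied with the ADFS PowerShell module, as an added example that is not part of the original page. The trust name "Puppet Enterprise" and the group name "PE Admins" are assumptions; substitute your own values.

```powershell
# Added example (not from the original page): scripts the wizard rules from
# steps 3 and 4 in ADFS claim rule language and applies them to the PE trust.
# Assumed names: relying party trust "Puppet Enterprise", AD group "PE Admins".
Import-Module ADFS
Import-Module ActiveDirectory

$trustName = "Puppet Enterprise"   # assumed display name of the PE relying party trust
$groupName = "PE Admins"           # assumed AD group to pass to PE as a Group claim

# "Send Group Membership as a Claim" matches on the group's SID, so resolve it
# from AD instead of hard-coding it.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# Rule 1: "Send LDAP Attributes as Claims" with the four mappings from step 3.
# The column order in the query matches the order of the outgoing claim types
# (Common Name, Name, E-mail Address, Name ID).
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/CommonName", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName,displayName,mail,sAMAccountName;{0}", param = c.Value);
"@

# Rule 2: "Send Group Membership as a Claim" for one group (step 4). Build one
# such rule per additional group (step 5) and append it to the rule set.
$groupRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Group membership - $groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$groupName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# -IssuanceTransformRules replaces the trust's whole rule set, so the result is
# exactly these rules and nothing left over from earlier experiments.
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules ($ldapRule + "`n" + $groupRule)

# Check: read the rules back and list the rule names, so you can confirm that
# only the rules PE needs are issuing claims on this trust.
$applied = (Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
[regex]::Matches($applied, '@RuleName = "([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
```

Run it in an elevated PowerShell session on the ADFS server; the final command should list "LDAP Attributes" followed by one "Group membership - ..." entry per group rule you added.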