Imagine the following:
CP A --> federated with CP B --> RP
So a user goes to the RP, gets redirected to CP B, picks CP A via home realm discovery (HRD) on CP B, and authenticates against the AD behind CP A.
The claims derived from CP A need to be passed across.
On CP A we have the standard LDAP rules since the user authenticated against that AD.
One of the claims we want to pass across is NameID.
You have to configure pass-through rules on CP B and on the RP as well.
So the same claims end up being configured in three places: CP A, CP B and the RP.
The problem is that NameID never makes it across.
There are a number of posts from people reporting the same thing but no solution.
The way I got around it was:
Assume that we want sAMAccountName to be NameID.
On CP A, have a LDAP rule:
sAMAccountName --> http://company/claims/sAMAccountName
Plus pass-through all the other claims.
On CP B, have a Transform rule:
http://company/claims/sAMAccountName --> NameID
Plus pass-through all the other claims.
In the RP, pass-through all the claims including NameID.
Now imagine you have two RP, RP A and RP B.
RP A wants sAMAccountName to be NameID.
RP B wants UPN to be NameID.
Now we have a problem, because both RPs share the same pipeline through CP A and CP B, and you can't have two different rules on that shared pipeline both issuing NameID.
What you have to do on CP A is add a second LDAP rule alongside the sAMAccountName one:
UPN --> http://company/claims/UPN
Then on CP B, pass both http://company/claims/sAMAccountName and http://company/claims/UPN through instead of transforming, and do the transform to NameID at the RP level, one per RP: sAMAccountName --> NameID for RP A and UPN --> NameID for RP B.
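The whole two-RP pipeline above, written out as AD FS claim rule sets and applied with the AD FS PowerShell cmdlets. This is an added example, not code from the original post. The single-RP case from earlier in the post is the same thing with only the RP A trust. Assumptions: the trusts already exist and are named "CP B" (relying party trust on CP A), "CP A" (claims provider trust on CP B), "RP A" and "RP B" (relying party trusts on CP B); the http://company/claims/* URIs come from the post, while the userPrincipalName attribute, the NameID format and the placement of each rule set on a particular trust are mine.

```powershell
# Added example (not from the original post). Run section 1 on CP A and
# sections 2 and 3 on CP B. Trust names, the NameID format and the
# userPrincipalName attribute are assumptions.

$samType = "http://company/claims/sAMAccountName"
$upnType = "http://company/claims/UPN"
$nameId  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$fmtProp = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
$fmt     = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"   # assumption: whatever RP A / RP B accept

# 1. CP A: issuance transform rules on its relying party trust for CP B.
#    One LDAP rule issues both custom claims; a catch-all passes the rest.
$cpARules = @"
@RuleName = "Issue sAMAccountName and UPN as custom claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$samType", "$upnType"), query = ";sAMAccountName,userPrincipalName;{0}", param = c.Value);

@RuleName = "Pass through all other claims"
c:[]
 => issue(claim = c);
"@
Set-AdfsRelyingPartyTrust -TargetName "CP B" -IssuanceTransformRules $cpARules

# 2. CP B: acceptance transform rules on its claims provider trust for CP A.
#    No NameID is produced here: this trust is shared by every RP behind CP B.
$cpBAcceptRules = @"
@RuleName = "Pass through the custom claims from CP A"
c:[Type == "$samType"]
 => issue(claim = c);

c:[Type == "$upnType"]
 => issue(claim = c);

@RuleName = "Pass through all other claims"
c:[]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName "CP A" -AcceptanceTransformRules $cpBAcceptRules

# 3. CP B: issuance transform rules per relying party trust. The transform
#    to NameID happens here, so each RP can get a different source claim.
#    The catch-all excludes nameidentifier so an RP never receives two.
function New-NameIdRuleSet {
    param([string]$SourceType, [string]$Label)
    @"
@RuleName = "Transform $Label to NameID"
c:[Type == "$SourceType"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$fmtProp"] = "$fmt");

@RuleName = "Pass through all other claims except NameID"
c:[Type != "$nameId"]
 => issue(claim = c);
"@
}

Set-AdfsRelyingPartyTrust -TargetName "RP A" -IssuanceTransformRules (New-NameIdRuleSet $samType "sAMAccountName")
Set-AdfsRelyingPartyTrust -TargetName "RP B" -IssuanceTransformRules (New-NameIdRuleSet $upnType "UPN")

# Sanity check: each RP trust should carry exactly one rule that issues NameID.
foreach ($rp in "RP A", "RP B") {
    $rules = (Get-AdfsRelyingPartyTrust -Name $rp).IssuanceTransformRules
    $count = ([regex]::Matches($rules, [regex]::Escape("Type = `"$nameId`""))).Count
    "{0}: {1} NameID rule(s)" -f $rp, $count
}
```

Two things worth keeping in mind when you copy this. The rule sets are plain text, so they can just as well be pasted into the "Edit Claim Rules" dialog on each trust. And the catch-all `c:[] => issue(claim = c);` on CP B's claims provider trust means CP A can assert any claim type that the RPs behind CP B consume, group and role claims included; once the NameID problem is solved, replace that catch-all with an explicit list of the types CP B is willing to accept from CP A.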
Enjoy!