
Sending LDAP Attributes as Claims

Updated: May 5, 2010

Applies To: Active Directory Federation Services (AD FS) 2.0

Using the Send LDAP Attributes as Claims rule template, you can select attributes from a Lightweight Directory Access Protocol (LDAP) attribute store, such as Active Directory Domain Services (AD DS), to send as claims to the relying party. A single rule can send multiple attributes as multiple claims.

For example, you can use this rule template to create a rule that will extract attribute values for authenticated users from the Active Directory attributes displayName and telephoneNumber and then send those values as two different outgoing claims. You can also use this rule to send all of the user's group memberships. If you want to send only individual group memberships, use the Sending Group Membership as a Claim rule template.

You can use this rule template for creating acceptance transform rules on a claims provider trust to look up account attributes in AD DS or Active Directory Lightweight Directory Services (AD LDS) for incoming users from the claims provider. In the issuance transform rules of a relying party trust, you can use this rule template to send only those claims to a relying party that are in an AD DS or AD LDS attribute store.

This rule template takes an incoming Windows Account Name claim and looks up the corresponding user account in AD DS or AD LDS by comparing it against the LDAP attribute sAMAccountName. Therefore, this rule requires a Windows Account Name claim to be present in the input claim set of the rules; if no such claim is present, the rule does not match and issues nothing. For more information about the input claim set of rules, see Using Claim Rules for Issuing Claims.
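As an added example (not part of this page), the claim rule language that the Send LDAP Attributes as Claims template generates for the displayName and telephoneNumber case, applied to a relying party trust with the AD FS 2.0 Windows PowerShell cmdlets. The trust name "Example RP" and the outgoing claim type URIs chosen for the two attributes are assumptions.

```powershell
# Added example: set the issuance transform rules of an AD FS 2.0 relying party trust.
# Assumes the AD FS 2.0 snap-in is available and a trust named "Example RP" (placeholder) exists.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send displayName and telephoneNumber as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone"),
          query = ";displayName,telephoneNumber;{0}",
          param = c.Value);
'@
# The condition (before "=>") matches only a Windows Account Name claim issued by the
# local AD authority, so the rule is inert when that claim is absent from the input set.
# In the query, the empty first field means "look the account up by sAMAccountName",
# the second field lists the LDAP attributes, and {0} is replaced by the claim value.

Set-ADFSRelyingPartyTrust -TargetName "Example RP" -IssuanceTransformRules $rules

# Read back the rule set to confirm what the trust now issues.
(Get-ADFSRelyingPartyTrust -Name "Example RP").IssuanceTransformRules
```

Setting -IssuanceTransformRules replaces the whole rule set on the trust, so include any rules you want to keep in the same here-string.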
