Create a Rule to Send LDAP Attributes as Claims

Using the Send LDAP Attributes as Claims rule template in Active Directory Federation Services (AD FS), you can create a rule that will select attributes from a Lightweight Directory Access Protocol (LDAP) attribute store, such as Active Directory, to send as claims to the relying party. For example, you can use this rule template to create a Send LDAP Attributes as Claims rule that will extract attribute values for authenticated users from the displayName and telephoneNumber Active Directory attributes and then send those values as two different outgoing claims.

You can also use this rule to send all the user's group memberships. If you want to send only individual group memberships, use the Send Group Membership as a Claim rule template. You can use the following procedure to create a claim rule with the AD FS Management snap-in.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To create a rule to send LDAP attributes as claims for a Relying Party Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Relying Party Trusts, and then click the trust for which you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Issuance Policy.

  4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.

  6. On the Configure Rule page, under Claim rule name, type the display name for this rule, select the Attribute store, and then select each LDAP attribute and map it to the outgoing claim type.

  7. Click the Finish button.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.

To create a rule to send LDAP attributes as claims for a Claims Provider Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Claims Provider Trusts, and then click the trust for which you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.

  6. On the Configure Rule page, under Claim rule name, type the display name for this rule, select the Attribute store, and then select each LDAP attribute and map it to the outgoing claim type.

  7. Click the Finish button.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.

To create a rule to send LDAP attributes as claims for Windows Server 2012 R2

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click either Claims Provider Trusts or Relying Party Trusts, and then click the specific trust in the list for which you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, select one of the following tabs, depending on the trust that you are editing and the rule set in which you want to create this rule, and then click Add Rule to start the rule wizard associated with that rule set:

    • Acceptance Transform Rules

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules

  5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.

  6. On the Configure Rule page, under Claim rule name, type the display name for this rule; under Attribute store, select Active Directory; and under Mapping of LDAP attributes to outgoing claim types, select the desired LDAP Attribute and the corresponding Outgoing Claim Type from the drop-down lists.

    Select a new LDAP attribute and outgoing claim type pair on a separate row for each Active Directory attribute for which you want this rule to issue a claim.

  7. Click the Finish button.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.
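The three procedures above produce the same rule in the AD FS claim rule language, which you can also apply from the AD FS PowerShell module. The following script is an added example, not part of this article; it assumes a relying party trust named "Contoso Portal" exists, uses the displayName and telephoneNumber attributes from the introduction, and uses a constructed URI for the telephone number claim type because AD FS defines no standard one.

```powershell
# Added example (not from the original article). Equivalent of the
# "Send LDAP Attributes as Claims" template, applied with PowerShell.
# Assumptions: the relying party trust is named "Contoso Portal";
# "http://example.com/claims/telephoneNumber" is a constructed claim type.
Import-Module ADFS

$rpName = 'Contoso Portal'   # assumed relying party trust display name

# Rule text as the template generates it: the windowsaccountname claim that
# AD AUTHORITY issued at logon becomes query parameter {0}; the query string
# is "<filter>;<comma-separated LDAP attributes>;<account>", and attribute N
# of the list maps to entry N of "types". Only the attributes listed here
# are read from the directory and released to the relying party.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send displayName and telephoneNumber"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://example.com/claims/telephoneNumber"), query = ";displayName,telephoneNumber;{0}", param = c.Value);
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' was not found." }

# Append to the existing issuance transform rules instead of overwriting
# them, so rules other administrators added for this trust are preserved.
$existing = $rp.IssuanceTransformRules
$updated  = if ($existing) { $existing + "`r`n" + $ldapRule } else { $ldapRule }
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $updated

# Review the full rule set now in effect for the trust; every rule here
# releases directory data, so it should contain only what the party needs.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules

# For a claims provider trust (second procedure), the same rule text goes
# into the acceptance rule set instead:
#   Set-AdfsClaimsProviderTrust -TargetName '<trust name>' -AcceptanceTransformRules $updated
```

Listing tokenGroups as the LDAP attribute, mapped to the Group claim type, is how this same template sends all of a user's group memberships, as the introduction mentions.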

Additional references

Configure Claim Rules

Checklist: Creating Claim Rules for a Relying Party Trust

Checklist: Creating Claim Rules for a Claims Provider Trust

When to Use an Authorization Claim Rule

The Role of Claims

The Role of Claim Rules