Sending LDAP Attributes as Claims

Applies To: Active Directory Federation Services (AD FS) 2.0

Using the Send LDAP Attribute as Claims rule template, you can select attributes from a Lightweight Directory Access Protocol (LDAP) attribute store, such as Active Directory Domain Services (AD DS), to send as claims to the relying party. Multiple attributes can be sent as multiple claims with a single rule.

For example, you can use this rule template to create a rule that will extract attribute values for authenticated users from the Active Directory attributes displayName and telephoneNumber and then send those values as two different outgoing claims. You can also use this rule to send all of the user's group memberships. If you want to send only individual group memberships, use the Sending Group Membership as a Claim rule template.

You can use this rule template for creating acceptance transform rules on a claims provider trust to look up account attributes in AD DS or Active Directory Lightweight Directory Services (AD LDS) for incoming users from the claims provider. In the issuance transform rules of a relying party trust, you can use this rule template to send only those claims to a relying party that are in an AD DS or AD LDS attribute store.

This rule template takes an incoming Windows Account Name claim and looks up the corresponding user account in AD DS or AD LDS by comparing it against the LDAP attribute sAMAccountName. Therefore, this rule requires a Windows Account Name claim to be present in the input claim set of the rules. For more information about the input claim set of rules, see Using Claim Rules for Issuing Claims.
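The following is an added example, not part of the original page: it shows the claim rule language that this template generates for the displayName and telephoneNumber example above (plus tokenGroups for all group memberships) and applies it with the AD FS 2.0 PowerShell snap-in. The relying party trust name "Example RP" and the outgoing claim types chosen for each attribute are assumptions.

```powershell
# Added example, not from the original page. Assumes the AD FS 2.0
# Microsoft.Adfs.PowerShell snap-in and a relying party trust named "Example RP".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Claim types used by the rule. The incoming Windows Account Name claim is the
# lookup key; the outgoing claim types are the editor's choice of built-in URIs.
$windowsAccountName = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$nameClaim          = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$phoneClaim         = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone"
$groupClaim         = "http://schemas.xmlsoap.org/claims/Group"

# What the "Send LDAP Attributes as Claims" template emits: match the incoming
# windowsaccountname claim issued by AD AUTHORITY, query the Active Directory
# store for displayName, telephoneNumber and tokenGroups where
# sAMAccountName = {0}, and issue one outgoing claim per returned value.
# The query format is ";<attr1>,<attr2>,...;{0}"; {0} is replaced by param.
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send displayName, telephoneNumber and groups"
c:[Type == "$windowsAccountName", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("$nameClaim", "$phoneClaim", "$groupClaim"),
          query = ";displayName,telephoneNumber,tokenGroups;{0}",
          param = c.Value);
"@

# Install the rule as the issuance transform rule set of the relying party trust.
# Because the rule matches on the Windows Account Name claim, a user whose input
# claim set lacks that claim (for example, a user from a claims provider that did
# not supply it) receives none of these claims.
Set-ADFSRelyingPartyTrust -TargetName "Example RP" -IssuanceTransformRules $ldapRule

# Verify what was stored on the trust.
(Get-ADFSRelyingPartyTrust -Name "Example RP").IssuanceTransformRules
```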

See Also

Other Resources

When to Use a Send LDAP Attributes as Claims Rule
Create a Rule to Send LDAP Attributes as Claims
Determine the Type of Claim Rule Template to Use
The Role of Claim Rules