
Create a Rule to Send an AD FS 1.x Compatible Claim

Bill Mathers|Last Updated: 2/10/2017

Applies To: Windows Server 2016, Windows Server 2012 R2

In situations in which you are using Active Directory Federation Services (AD FS) to issue claims that will be received by federation servers running AD FS 1.0 (Windows Server 2003 R2) or AD FS 1.1 (Windows Server 2008 or Windows Server 2008 R2), you must do the following:

Depending on the needs of your organization, use one of the following procedures to create an AD FS 1.x compatible NameID claim:

  • Create this rule to issue an AD FS 1.x Name ID claim using the Pass Through or Filter an Incoming Claim rule template

  • Create this rule to issue an AD FS 1.x Name ID claim using the Transform an Incoming Claim rule template. Use this rule template when you want to change the existing claim type to a new claim type that will work with AD FS 1.x claims.

Note

For this rule to work as expected, make sure that the relying party trust or claims provider trust where you are creating this rule has been configured to use the AD FS 1.0 and 1.1 profile.

To create a rule to issue an AD FS 1.x Name ID claim using the Pass Through or Filter an Incoming Claim rule template on a Relying Party Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Relying Party Trusts.

  3. Right-click the selected trust, and then click Edit Claim Issuance Policy.

  4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select Name ID in the list.

  8. In Incoming name ID format, select one of the following AD FS 1.x-compatible claim formats from the list:

    • UPN

    • E-Mail

    • Common Name

  9. Select one of the following options, depending on the needs of your organization:

    • Pass through all claim values

    • Pass through only a specific claim value

    • Pass through only claim values that match a specific email suffix value

    • Pass through only claim values that start with a specific value

  10. Click Finish, and then click OK to save the rule.

To create a rule to issue an AD FS 1.x Name ID claim using the Pass Through or Filter an Incoming Claim rule template on a Claims Provider Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Claims Provider Trusts.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select Name ID in the list.

  8. In Incoming name ID format, select one of the following AD FS 1.x-compatible claim formats from the list:

    • UPN

    • E-Mail

    • Common Name

  9. Select one of the following options, depending on the needs of your organization:

    • Pass through all claim values

    • Pass through only a specific claim value

    • Pass through only claim values that match a specific email suffix value

    • Pass through only claim values that start with a specific value

  10. Click Finish, and then click OK to save the rule.

To create a rule to transform an incoming claim on a Relying Party Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Relying Party Trusts.

  3. Right-click the selected trust, and then click Edit Claim Issuance Policy.

  4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select the type of incoming claim that you want to transform in the list.

  8. In Outgoing claim type, select Name ID in the list.

  9. In Outgoing name ID format, select one of the following AD FS 1.x-compatible claim formats from the list:

    • UPN

    • E-Mail

    • Common Name

  10. Select one of the following options, depending on the needs of your organization:

    • Pass through all claim values

    • Replace an incoming claim value with a different outgoing claim value

    • Replace incoming e-mail suffix claims with a new e-mail suffix

  11. Click Finish, and then click OK to save the rule.

To create a rule to transform an incoming claim on a Claims Provider Trust in Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Claims Provider Trusts.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select the type of incoming claim that you want to transform in the list.

  8. In Outgoing claim type, select Name ID in the list.

  9. In Outgoing name ID format, select one of the following AD FS 1.x-compatible claim formats from the list:

    • UPN

    • E-Mail

    • Common Name

  10. Select one of the following options, depending on the needs of your organization:

    • Pass through all claim values

    • Replace an incoming claim value with a different outgoing claim value

    • Replace incoming e-mail suffix claims with a new e-mail suffix

  11. Click Finish, and then click OK to save the rule.

To create a rule to issue an AD FS 1.x Name ID claim using the Pass Through or Filter an Incoming Claim rule template on Windows Server 2012 R2

  1. In Server Manager, click Tools, and then click AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click either Claims Provider Trusts or Relying Party Trusts, and then click a specific trust in the list where you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, select one of the following tabs, depending on the trust you are editing and which rule set you want to create this rule in, and then click Add Rule to start the rule wizard that is associated with that rule set:

    • Acceptance Transform Rules

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules

  5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select Name ID in the list.

  8. In Incoming name ID format, select one of the following AD FS 1.x-compatible claim formats from the list:

    • UPN

    • E-Mail

    • Common Name

  9. Select one of the following options, depending on the needs of your organization:

    • Pass through all claim values

    • Pass through only a specific claim value

    • Pass through only claim values that match a specific email suffix value

    • Pass through only claim values that start with a specific value

  10. Click Finish, and then click OK to save the rule.

To create a rule to issue an AD FS 1.x Name ID claim using the Transform an Incoming Claim rule template in Windows Server 2012 R2

  1. In Server Manager, click Tools, and then click AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click either Claims Provider Trusts or Relying Party Trusts, and then click a specific trust in the list where you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, select one of the following tabs, depending on the trust you are editing and which rule set you want to create this rule in, and then click Add Rule to start the rule wizard that is associated with that rule set:

    • Acceptance Transform Rules

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules

  5. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.

  6. On the Configure Rule page, type a claim rule name.

  7. In Incoming claim type, select the type of incoming claim that you want to transform in the list.

  8. In Outgoing claim type, select Name ID in the list.

  9. In Outgoing name ID format, select one of the following AD FS 1.x-compatible claim formats from the list:

    • UPN

    • E-Mail

    • Common Name

  10. Select one of the following options, depending on the needs of your organization:

    • Pass through all claim values

    • Replace an incoming claim value with a different outgoing claim value

    • Replace incoming e-mail suffix claims with a new e-mail suffix

  11. Click Finish, and then click OK to save the rule.
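The rules that the two wizard templates produce can also be written directly in the claim rule language and applied with the AD FS PowerShell module; the following is an added example, not code from this page, that accepts an AD FS 1.x E-Mail Name ID on a claims provider trust only when its value carries one expected e-mail suffix (the "specific email suffix" option, which limits what a partner can assert), and that transforms a UPN claim into an AD FS 1.x UPN Name ID on a relying party trust. The trust names and the contoso.com suffix are placeholders, and the AD FS 1.x format URIs http://schemas.xmlsoap.org/claims/EmailAddress and http://schemas.xmlsoap.org/claims/UPN are assumed to be the ones the wizard's E-Mail and UPN entries map to.

```powershell
# Added example, not from the page. Trust names and the e-mail suffix are placeholders.
Import-Module ADFS

# Rule 1 (Pass Through or Filter an Incoming Claim): accept an incoming Name ID in the
# AD FS 1.x E-Mail format only when the value ends in the expected suffix (assumed format URI).
$passThroughRule = @'
@RuleName = "Pass through AD FS 1.x e-mail Name ID for contoso.com only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "http://schemas.xmlsoap.org/claims/EmailAddress",
   Value =~ "^[^@]+@contoso\.com$"]
 => issue(claim = c);
'@

# Rule 2 (Transform an Incoming Claim): turn the standard UPN claim into a Name ID that
# carries the AD FS 1.x UPN format (assumed format URI), which an AD FS 1.x server understands.
$transformRule = @'
@RuleName = "Transform UPN to AD FS 1.x UPN Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
'@

$cpName = "Partner Claims Provider"   # placeholder: claims provider trust display name
$rpName = "Legacy AD FS 1.x Partner"  # placeholder: relying party trust display name

# Set-Adfs*Trust replaces the whole rule set, so read the existing rules first and
# append the new rule rather than overwriting what is already configured.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
Set-AdfsClaimsProviderTrust -TargetName $cpName `
    -AcceptanceTransformRules ($cp.AcceptanceTransformRules + "`n" + $passThroughRule)

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $transformRule)

# Verify that the new rules are present on each trust.
(Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Rules can equally be kept in a file and loaded with the corresponding -AcceptanceTransformRulesFile or -IssuanceTransformRulesFile parameter, which makes the rule set easier to review in version control.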

Additional references

Configure Claim Rules

Checklist: Creating Claim Rules for a Relying Party Trust

Checklist: Creating Claim Rules for a Claims Provider Trust

When to Use an Authorization Claim Rule

The Role of Claims

The Role of Claim Rules

© 2017 Microsoft