• Single Sign-on Solution

  1. Help Center
  2. Single Sign-on Solution
  3. User Guide
  4. AD FS Installation and Provisioning
  5. Provisioning AD FS
  6. Editing Claim Rules

Editing Claim Rules

  1. In the left pane of the AD FS page, choose AD FS > Trust Relationships > Relying Party Trusts, right-click on the display name of the created relying party trust, and choose Edit Claim Rules.


  2. In the Edit Claim Rules for Open Telekom Cloud dialog box, click the Issuance Transform Rules tab, and click Add Rule.


  3. Select Send Claims Using a Custom Rule and click Next.


  4. Add the following two claim rules.




    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

    => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);


    c:[Type == " http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier "]

    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://auth.otc.t-systems.com");

  5. Select Send Group Membership as a Claim and click Next.


  6. Add another two claim rules. Map user groups mydomain\OTC-ADFS-admin and mydomain\OTC-ADFS-user respectively to an outgoing claim value, and specify the claim type as Group.


  7. Select Send LDAP Attributes as a Claim and add one more claim rule.


  8. Review the claim rules you just created and click OK.