Appendix

ADFS Claim Descriptions

A prerequisite to configuring the ADFS Relying Party Trust for Identity Server is that you configure the following Claim Description. If your ADFS has already been configured to federate with Azure AD, this Claim Description may already be present.

Key Name Value
Source user ID http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID

ADFS Custom Rule

This is the custom issuance transform rule to apply to the Identity Server ADFS Relying Party Trust. It takes the Windows account name issued by AD AUTHORITY, looks the user up in the Active Directory attribute store, and issues seven claims; the seven claim types listed in `types` are filled, in order, from the seven attributes listed in `query` (so ImmutableID is populated from objectGUID and nameidentifier from sAMAccountName).

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
          query = ";givenName,sn,displayName,mail,userPrincipalName,sAMAccountName,objectGUID;{0}",
          param = c.Value);