(2011-10-24) Configuring The New Five Claim Types In ADFS After Installing Rollup Package 1 For ADFS v2.0
Posted by Jorge on 2011-10-24
As I mentioned in this blog post, Microsoft has released Rollup Package 1 for ADFS v2.0, which introduces five new claim types. However, right after installing the rollup package, rebooting the servers (the ADFS STS(s) and, if applicable, the ADFS PRX(s)) and opening the ADFS v2.0 MMC, you do not see the new claim types as you might expect. Below you see the result on my ADFS v2.0 STS box after installing Rollup Package 1; as you can see, the five new claim types are not available.
REMARK: All the other claim types you do not recognize were created by me as custom claim types.
Figure 1: Claim Types (a.k.a. Claim Descriptions) In ADFS v2.0 (Default And Custom)
It turns out the new claim types are not created automatically by the rollup. Therefore YOU must create them yourself within ADFS v2.0.
For every new claim type you must specify the following information:
- Display Name (mandatory)
- Claim Identifier (mandatory)
- Selection Of “Publish this claim description in federation metadata as a claim type that this Federation Service can accept” (optional)
- Selection Of “Publish this claim description in federation metadata as a claim type that this Federation Service can send” (optional)
Figure 2: Creating A New Claim Type/Description Within ADFS v2.0
In the end, my new Claim Types/Descriptions look as shown below:
Figure 3: Claim Types (a.k.a. Claim Descriptions) In ADFS v2.0 (Default And Custom) Now Including The New Claim Types/Descriptions
In a SharePoint 2010 web part that lists all the claims issued, you can see that the user passed through the ADFS Proxy and is therefore external to the company network. The value of the claim is the NetBIOS name of the ADFS Proxy Server, and the mere presence of the claim can be used to make additional decisions, for example in the Issuance Authorization Rules.
Figure 4: Issued Claim Types Listed By A SharePoint 2010 Web Part – Showing The ID Passed Through An ADFS Proxy Server
Remember that the presence of this claim does not by itself mean the user is an external user (although it could be!). An internal user who happens to be outside the internal network and therefore also passes through the ADFS Proxy Server gets this claim too!
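As an added example (not part of the original post), the same five claim descriptions can be created from the ADFS 2.0 PowerShell snap-in instead of the MMC, and the x-ms-proxy claim can then be used in an issuance authorization rule as described above. The claim identifiers are the ones documented for Update Rollup 1; the display names and the relying party trust name are my own choices.

```powershell
# Added example, not code from the original post. Assumes it runs on an ADFS 2.0
# STS with the Microsoft.Adfs.PowerShell snap-in available.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# The five request-context claim types introduced by Update Rollup 1.
$base = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/'
$newClaims = @{
    'x-ms-forwarded-client-ip'    = 'Client IP Address (as forwarded by the proxy)'
    'x-ms-client-application'     = 'Client Application'
    'x-ms-client-user-agent'      = 'Client User Agent'
    'x-ms-endpoint-absolute-path' = 'Endpoint Absolute Path'
    'x-ms-proxy'                  = 'ADFS Proxy (NetBIOS name)'
}

foreach ($suffix in $newClaims.Keys) {
    $claimType = $base + $suffix
    # Skip descriptions that already exist so the script is safe to re-run.
    if (Get-ADFSClaimDescription | Where-Object { $_.ClaimType -eq $claimType }) {
        Write-Host "Already present: $claimType"
        continue
    }
    # IsAccepted / IsOffered are the two "Publish this claim description in
    # federation metadata ..." check boxes from the MMC dialog. These claims are
    # generated by the STS itself, so they are not published here.
    Add-ADFSClaimDescription -Name $newClaims[$suffix] -ClaimType $claimType `
        -IsAccepted $false -IsOffered $false
}

# Issuance authorization rules for a relying party: deny any request that
# carries x-ms-proxy (it came in through an ADFS Proxy), permit everything else.
# Caveat from the post: an internal user connecting from outside the network
# also passes through the proxy and will be denied by this rule.
$rules = @'
@RuleName = "Deny requests that passed through an ADFS Proxy"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
@RuleName = "Permit all other requests"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 'SharePoint 2010' is a hypothetical relying party trust display name.
Set-ADFSRelyingPartyTrust -TargetName 'SharePoint 2010' -IssuanceAuthorizationRules $rules
```

In ADFS a deny claim always wins over a permit claim, so the order of the two rules does not matter.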
REMARK: also check out the following post “Limiting Access to Office 365 Services Based on the Location of the Client”
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########