...
@Rulename="Transform sAMAccountName to EPPN" c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@Rulename="Transform EPPN & add scope"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Domain Users"]
=> issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = "member@yourdomain.edu", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
|
|---|
Example of eduPersonPrincipalName(EPPN) mapped to sAMAccountName. Like the above example, the EPPN needs to be unique not only to your organization but to others as well. The sAMAccountName doesn't have the domain value added, the below example you creates three custom rules. The first queries AD for sAMAccountName & upn, the second pulls the domain value from the upn, the third adds the domain value to the sAMAccountName and gives it the EPPN value.
@Rulename="Query AD for upn and sAMAccountName"c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] @Rulename="Obtain the domain from the upn"
@Rulename="Combine sAMAccountName with domain" |
|---|
Example of eduPersonAffiliation stored in title:
...