question

DTSupport-3094 avatar image
0 Votes"
DTSupport-3094 asked DTSupport-3094 answered

ADFS RP to Azure AD RP Migration

Hello,

We are in the process of moving our Relay Parties trusts from on prem ADFS to Azure AD. I have a party trust setup with WebEx and it inlcudes some custom claim rules. Can someone help me in the proper formatting of these claims in Azure AD SSO?

  1. => issue(Type = "optionalparams", Value = "MW=Pro");

  2. => issue(Type = "optionalparams", Value = "FL=OFF");

  3. => issue(Type = "optionalparams", Value = "RC=OFF");

  4. => issue(Type = "optionalparams", Value = "RE=OFF");

  5. c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("updateTimeStamp"), query = ";whenChanged;{0}", param = c.Value);


I am not sure if any of these are supported in Azure AD SSO. If so assitance in the proper formatting and setup would be greatly appreciated.

Thank You

azure-active-directoryadfs
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

piaudonn avatar image piaudonn ·

Note that your rule number 5 is a tad problematic. The attribute whenChanged is not replicated. So it will have a different value depending on which DC ADFS has used for the LDAP query. Also, if you promote a new DC, all whenChanged attribute will show the date of promotion of the DC you query instead of the "real" time at which the object was modified. There are ways to query the exact time, and even the exact attribute which was last touched but we cannot do it built-in with ADFS (you would need to create a custom attribute store).

0 Votes 0 ·

4 Answers

jLight avatar image
0 Votes"
jLight answered

  1. Have you checked your app activity page for compatibility? https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-application-activity

  2. Check this page too for mapping each field: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure


5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

jLight avatar image
0 Votes"
jLight answered

But you would add them under custom attribute.

7207-chrome-tcirqx8b6l.png



chrome-tcirqx8b6l.png (15.8 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DTSupport-3094 avatar image
0 Votes"
DTSupport-3094 answered

Hi JLight,

Thank you for the response. App compatibility shows everything is green and ready to move.

I think the custom attributes is what I was looking for and if their would be any special formatting, but from your example, looks pretty straight forward.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DTSupport-3094 avatar image
0 Votes"
DTSupport-3094 answered

I have another question surrounding the "optionalparams" as the name.

When adding that claim its only allowing a single "optionalparams" name. I cannot add another claim name "optionalparams"

Based on the values, would use the MW as the name and the value as Pro7591-capture.png



capture.png (16.5 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.