Attributes for ADFS

When you configure Single Sign-On using LDAP for ADFS, in addition to authentication attributes, your third-party SSO provider can send additional attributes to the Messaging Platform through the Assertion Consumer Service (ACS) URL or Callback URL.

If you are using a built-in app for SSO, such as Windows Azure for the WS-Federation protocol or OneLogin for the SAML protocol, the required attributes are configured automatically when you add the app in your SSO provider's admin console. This topic describes the required and optional attributes when you configure SSO in the Enterprise Admin Console using the generic Other provider option, which is available for either the WS-Federation or the SAML SSO protocol.

The following is an example of the attribute data passed in the callback URL (the sample values are illustrative).

<Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="First Name">
  <AttributeValue>Michael</AttributeValue></Attribute>
<Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Last Name">
  <AttributeValue>Mehra</AttributeValue></Attribute>
<Attribute Name="DisplayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Display Name">
  <AttributeValue>Michael Mehra</AttributeValue></Attribute>
<Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Email">
  <AttributeValue>michael.mehra@example.com</AttributeValue></Attribute>

All of these attributes are optional except EmailAddress, which is required. The EmailAddress attribute uses the following NameID format:

SAML 2.0:
NameID Format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

SAML 1.1:
NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
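The receiving side of this exchange is the check that the required EmailAddress attribute actually arrived and that the NameID carries one of the two formats listed above. The Python below is an added example, not code from the original page or from the Messaging Platform; it parses a constructed assertion (the attribute statement above wrapped in a minimal Subject), rejects an assertion that lacks EmailAddress, and maps the accepted attributes to a user record. It assumes the assertion's signature has already been verified upstream and uses the SAML 1.1 URN with `nameid-format` (hyphenated) as the standard spells it.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names from the page; only EmailAddress is required.
REQUIRED_ATTRIBUTES = ("EmailAddress",)
OPTIONAL_ATTRIBUTES = ("FirstName", "LastName", "DisplayName")

# NameID formats the page lists for the email address (SAML 2.0 and SAML 1.1).
ACCEPTED_NAMEID_FORMATS = (
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
)

# Constructed sample (not captured from a real ADFS): the page's attribute
# statement wrapped in a minimal Subject/NameID. Assumed already signature-checked.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">michael.mehra@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="First Name">
      <saml:AttributeValue>Michael</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Last Name">
      <saml:AttributeValue>Mehra</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="DisplayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Display Name">
      <saml:AttributeValue>Michael Mehra</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Email">
      <saml:AttributeValue>michael.mehra@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed negative sample: the email is sent under an unlisted name ("Mail")
# instead of the required "EmailAddress", so the required attribute is absent.
MISSING_EMAIL_ASSERTION = SAMPLE_ASSERTION.replace(
    '<saml:Attribute Name="EmailAddress"', '<saml:Attribute Name="Mail"'
)


def extract_attributes(assertion_xml):
    """Return {Name: [values]} for every Attribute in the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def validate_attributes(assertion_xml):
    """Apply the page's attribute rules to one (already verified) assertion.

    Returns {"ok", "problems", "ignored", "user"}; "user" is populated only
    when every rule passes. Attribute names the page does not list are
    reported under "ignored" rather than trusted.
    """
    root = ET.fromstring(assertion_xml)
    problems = []

    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        problems.append("no Subject/NameID")
    elif name_id.get("Format") not in ACCEPTED_NAMEID_FORMATS:
        problems.append("unexpected NameID Format: %r" % name_id.get("Format"))

    attrs = extract_attributes(assertion_xml)
    for name in REQUIRED_ATTRIBUTES:
        # any() treats an empty AttributeValue the same as a missing attribute.
        if not any(attrs.get(name, [])):
            problems.append("missing required attribute %s" % name)

    known = set(REQUIRED_ATTRIBUTES) | set(OPTIONAL_ATTRIBUTES)
    ignored = sorted(set(attrs) - known)

    if problems:
        return {"ok": False, "problems": problems, "ignored": ignored, "user": {}}

    def first(name):
        return attrs[name][0] if attrs.get(name) else None

    user = {
        "email": first("EmailAddress"),
        "first_name": first("FirstName"),
        "last_name": first("LastName"),
        "display_name": first("DisplayName"),
    }
    return {"ok": True, "problems": [], "ignored": ignored, "user": user}


if __name__ == "__main__":
    print(validate_attributes(SAMPLE_ASSERTION))
    print(validate_attributes(MISSING_EMAIL_ASSERTION))
```

Run as a script it prints an accepted record for the first sample and a rejection naming the missing EmailAddress attribute for the second. Attribute names not on the page's list are surfaced under `ignored` so a misconfigured claim rule (an email issued as `Mail`, say) is visible in logs instead of silently dropped.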

Mapping Attributes in ADFS

Active Directory Federation Services (ADFS) is a standard Windows Server role from Microsoft that provides web sign-in using existing Active Directory credentials. When you log on through ADFS with the SAML or WS-Federation protocol, you can pass other values in addition to the authentication values.

The attribute values are defined as Claim Rules in the Relying Party Trust dialog in the SQL Server admin console. To edit the Claim Rules, select the Relying Party Trusts folder in AD FS Management, and then click Edit Claim Rules from the Actions sidebar. To add a new rule, click Add Rule, and then select the Send LDAP Attributes template. Enter the following mapping values:

  • SAML 2.0
    • LDAP Attribute: nameId
    • Claim Attribute: uri
  • SAML 1.1
    • LDAP Attribute: nameId
    • Claim Attribute: emailAddress

Next Steps

If you need help defining the attributes for ADFS, contact Support.