
I have ADFS 4.0 on Windows Server 2016. I found the following URL describing how to customize the ID token received from ADFS.

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/customize-id-token-ad-fs-2016

According to the above URL, I guess that I can customize the ID token to add new claims extracted from any attributes in on-premise Active Directory. For example, I guess that I can generate the following ID token by defining a rule in the ADFS Claim Rule Language.

{
  "aud": "XXXX",
  "iss": "https://[ADFS FQDN]/adfs",
  "iat": 1533099776,
  "exp": 1533103376,
  "auth_time": 1533099776,
  "nonce": "hoge",
  "sub": "XXXXXX",
  "upn": "user01@example.com",
  "unique_name": "DEV\\user01",
  "division": "ABC Department"
}

The attribute "division" in the ID token shown above is one that is extracted from the attribute "division" in on-premise Active Directory and added to the ID token.

Is my guess correct?


1 Answer


Yes.

In the claims rule wizard, the dropdown entries for LDAP rules are actually editable so you could do it that way as well.

Note that if the contents of that attribute are empty, you will not get a claim.
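As an added illustration of what the question and answer describe (this is example code, not something from the original thread or from the linked Microsoft article), the following PowerShell defines the LDAP attribute rule in the ADFS Claim Rule Language and applies it as an issuance transform rule to the Web API application of an ADFS 2016 application group. The Web API identifier "https://app.example.com" is a placeholder; the claim type "division" and the AD attribute "division" are the ones named in the question.

```powershell
# Added example, not from the original post or the Microsoft article.
# Issue the user's Active Directory "division" attribute as a "division" claim
# so that it appears in the ID token issued to an ADFS 2016 OpenID Connect client.
#
# Assumption: the client and its Web API live in the same application group and
# the Web API is identified by "https://app.example.com" (placeholder value).
$webApiIdentifier = "https://app.example.com"

# Claim Rule Language. The condition matches the Windows account name that ADFS
# issues for any Active Directory authenticated user; the issue() statement reads
# the "division" LDAP attribute from the Active Directory attribute store and
# emits it as a claim of type "division". As the answer notes, a user whose
# "division" attribute is empty simply gets no such claim in the token.
$divisionRule = @'
@RuleName = "Issue division from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("division"), query = ";division;{0}", param = c.Value);
'@

# Apply the rule set to the Web API application (this replaces any existing
# issuance transform rules on that object, so merge with existing rules first
# if the application already has some).
Set-AdfsWebApiApplication -TargetIdentifier $webApiIdentifier -IssuanceTransformRules $divisionRule

# Check that the rule was stored.
(Get-AdfsWebApiApplication -Identifier $webApiIdentifier).IssuanceTransformRules
```

The same rule text is what the claims rule wizard generates when an LDAP attribute rule is created through the GUI; typing "division" into the editable LDAP attribute dropdown, as the answer suggests, produces the `query = ";division;{0}"` part. A token only contains the claim when the attribute has a value for that user, so any relying party should treat "division" as optional rather than assume its presence.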