Overview
This article provides step-by-step instructions on how to add a claim that retrieves all of a user's email addresses, for environments where some users have a User Principal Name that differs from their SMTP address.
How to add claim to retrieve all email addresses
Option 1: Add claim as LDAP attributes
1. In the AD FS Management console, select “Claim Descriptions”, then click “Add Claim Description…”:
2. In the pop-up window, enter a Name and a Claim Type for the new Claim Description.
3. Go back to the Application Groups folder:
Right-click the Application Group you created and select “Properties”. In the Properties window, select the “Web API Application” entry, then click [Edit].
4. In the next screen, select the “Issuance Transform Rules” tab, then click the “Add Rule…” button.
5. In the next screen, select “Send LDAP Attributes as Claims”, then click [Next].
6. In the next screen, set up the Claim Rule as shown in the following figure:
- In “Attribute store” field: select “Active Directory”.
- In the “LDAP Attribute” column: add the Proxy-Addresses attribute.
- In the “Outgoing Claim Type” column: select the Claim Description created in step 2.
Then click [Finish] and [Save] the configuration.
Option 2: Add Claim by custom rule
NOTE: Steps 1 to 4 of this option are the same as in Option 1. Follow Option 1 through step 4, then continue with step 5 below.
5. In the next screen, select “Send Claims Using a Custom Rule”, then click [Next]:
6. In the next screen, fill in the Custom rule name and the rule text.
Enter the following text as the custom rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("verified_secondary_email"), query = ";proxyAddresses;{0}", param = c.Value);
Then click [Finish] and [Save].
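The same configuration applied with the AD FS PowerShell module instead of the AD FS Management console, as an added example that is not part of the original article. It assumes the Web API application is named MyWebApi (a placeholder) and uses the claim type verified_secondary_email from the custom rule above.

```powershell
# Added example (not from the original article): Option 2 done with the ADFS
# PowerShell module on the AD FS server. Assumed values: the Web API application
# name "MyWebApi" and the Claim Description name; the claim type is the one the
# article's custom rule issues.
Import-Module ADFS

$claimType  = "verified_secondary_email"
$webApiName = "MyWebApi"   # assumed name of the Web API application in the Application Group

# Steps 1-2: create the Claim Description, unless one with this claim type already exists.
$existing = Get-AdfsClaimDescription | Where-Object { $_.ClaimType -eq $claimType }
if (-not $existing) {
    Add-AdfsClaimDescription -Name "Verified secondary email" `
        -ClaimType $claimType `
        -IsOffered $true `
        -IsAccepted $true `
        -Notes "All proxyAddresses values of the signed-in user"
}

# Steps 5-6: the custom rule, exactly as given in the article, with a rule name added.
$secondaryEmailRule = @'
@RuleName = "Issue all proxy addresses"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("verified_secondary_email"), query = ";proxyAddresses;{0}", param = c.Value);
'@

# Steps 3-4: append the rule to the Web API application's existing issuance transform
# rules instead of replacing them, and skip the update if a proxyAddresses rule is present.
$app           = Get-AdfsWebApiApplication -Name $webApiName
$existingRules = $app.IssuanceTransformRules
if ($existingRules -notmatch 'proxyAddresses') {
    Set-AdfsWebApiApplication -TargetName $webApiName `
        -IssuanceTransformRules ($existingRules + "`r`n" + $secondaryEmailRule)
}

# Check the result: the rule set should now end with the proxyAddresses rule.
(Get-AdfsWebApiApplication -Name $webApiName).IssuanceTransformRules
```

Each value of proxyAddresses keeps its prefix (SMTP: for the primary address, smtp: for secondary ones, and non-mail entries such as X500:), so the application receiving this claim must parse the values rather than treat each one as a bare email address.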
Properties
Applies to: RC 4.2+
Reference: TFS #339238
Knowledge base ID: 0323
Last updated: Apr 19, 2023
Anh Bach Duy