Claim Rules

After a user is authenticated, AD FS claim rules specify the data attributes and format that will be sent to HMP in the SAML response. The Edit Claim Rules wizard has three panes:

Issuance Transform Rules

Since HMP requires a User Principal Name element, you need to create a rule that extracts the user's UPN (i.e. the user's Windows Account Name) from Active Directory. The Issuance Transform Rules pane allows you to do this. See the following section for details.

Issuance Authorization Rules

You can establish custom access rules (whitelist/blacklist) under Issuance Authorization Rules.

Delegation Authorization Rules

The Delegation Authorization Rules pane is not used for HMP SSO.

Create an Issuance Transform Rule for the UPN Element

  1. On the Issuance Transform Rules pane, click Add Rule.
  2. Under Claim rule template, choose Pass Through or Filter an Incoming Claim.
  3. Click Next to continue. Give the claim rule a name, choose UPN from the Incoming claim type list, and specify any necessary pass-through values.
  4. Click Finish.
  5. Click Apply, then OK.
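
The same pass-through rule can be applied from PowerShell on the AD FS server. This is an added example, not part of the original procedure; the trust name `HMP` is an assumed placeholder for the display name of your Relying Party Trust, and the rule name is illustrative.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Assumption: the relying party trust is named 'HMP' (placeholder).
$trustName = 'HMP'

# Claim type URI that AD FS uses for the UPN claim.
$upnType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

# Pass-through rule in AD FS claim rule language, in the form the
# "Pass Through or Filter an Incoming Claim" template produces.
$upnRule = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "$upnType"]
 => issue(claim = c);
"@

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found." }

$existing = $trust.IssuanceTransformRules
if ($existing -and $existing.Contains($upnType)) {
    # Avoid adding a duplicate; review the existing rule by hand instead.
    Write-Output 'A rule referencing the UPN claim type already exists; nothing changed.'
} else {
    # Append rather than overwrite, so rules already on the trust survive.
    $newRules = (@($existing, $upnRule) | Where-Object { $_ }) -join "`r`n`r`n"
    Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $newRules
}

# Print the resulting issuance transform rules for review.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

Reviewing the printed rule set confirms that only the UPN claim was added and that no broader attribute rules are issuing data to the relying party.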

You should see the new Relying Party Trust in the main window of the AD FS snap-in. You can change the Claim Rules for that trust, or its Properties, by right-clicking it.