Setting up a claim issuance policy

Ops Center Installation and Configuration Guide

Version: 11.0.x
Part Number: MK-99OPS001-23
Set up a claim issuance policy for the Common Services instance registered as a relying party in AD FS. When a user logs in to the Hitachi Ops Center Portal, AD FS reads the user's attributes from Active Directory and sends them to Common Services as claims; the claim issuance policy determines which attributes are sent and under which claim types.
  1. Log in to the AD FS server.
  2. Select Start > Windows Administrative Tools > AD FS Management.
  3. From the tree on the left, select AD FS > Relying Party Trusts. In the middle pane, select the relying party trust for Common Services, and then in the right pane, click Edit Claim Issuance Policy....
    The Edit Claim Issuance Policy dialog box opens.
  4. On the Issuance Transform Rules tab, click Add Rule.
    The Add Transform Claim Rule Wizard dialog box opens.
  5. Select Transform an Incoming Claim for the claim rule template, and then click Next.
  6. Specify the following items:
    Claim rule name
    A name of your choice
    Outgoing claim type
Name ID
    Incoming claim type and Outgoing name ID format

    Depending on the value specified for NameID Policy Format in Registering AD FS with Common Services, specify the values as follows:

      NameID Policy Format: Windows Domain Qualified Name
        Incoming claim type: Windows account name
        Outgoing name ID format: Windows Qualified Domain Name

      NameID Policy Format: Email
        Incoming claim type: UPN or E-Mail Address, whichever of these two claims carries the email address registered for the user in Active Directory (UPN corresponds to the User-Principal-Name LDAP attribute)
        Outgoing name ID format: Email

      NameID Policy Format: Unspecified
        Incoming claim type: UPN
        Outgoing name ID format: UPN

    Pass through all claim values
    Select this option so that the incoming claim value is copied unchanged into the Name ID claim.
  7. Click Finish.

    The claim rule is added to the Edit Claim Issuance Policy dialog box. The value specified here is transmitted to Common Services under the following claim type:

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  8. In the Edit Claim Issuance Policy dialog box, click Add Rule again.
    The Add Transform Claim Rule Wizard dialog box opens.
  9. Select Send LDAP Attributes as Claims for the claim rule template, and then click Next.
  10. Specify the following items:
    Claim rule name
    A name of your choice
    Attribute Store
    Active Directory
    Mapping of LDAP attributes to outgoing claim types

    Map the following LDAP attributes to the following outgoing claim types:

      LDAP Attribute: User-Principal-Name or E-Mail-Addresses, whichever of the two holds the email address registered for the user in Active Directory
        Outgoing Claim Type: E-Mail Address

      LDAP Attribute: Given-Name
        Outgoing Claim Type: Given Name

      LDAP Attribute: Surname
        Outgoing Claim Type: Surname

      LDAP Attribute: Token-Groups - Qualified by Domain Name
        Outgoing Claim Type: Group

    Note: Make sure that the email address, surname, and given name of each Active Directory user who will log in to the Hitachi Ops Center Portal are populated in the LDAP attributes you specify here. If any of these values is missing, the corresponding claim is not issued and the user cannot log in.
  11. Click Finish.

    The claim rule is added to the Edit Claim Issuance Policy dialog box. The values specified are transmitted to Common Services through the following claims:

    • E-Mail Address:
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • Given Name:
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    • Surname:
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    • Group:
      http://schemas.xmlsoap.org/claims/Group
  12. In the Edit Claim Issuance Policy dialog box, change the order of the rules so that they run in the following order, and then click OK. AD FS evaluates issuance transform rules from top to bottom, and the Transform an Incoming Claim rule can only transform a claim (for example, E-Mail Address) that an earlier rule has already issued, so the Send LDAP Attributes as Claims rule must come first.
    1. The rule created with Send LDAP Attributes as Claims
    2. The rule created with Transform an Incoming Claim
  13. To make sure that the claim types used by these rules are defined, select AD FS > Service > Claim Descriptions and confirm that E-Mail Address, Given Name, Surname, Group, and Name ID are listed with the claim type URIs shown above.
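The same two rules expressed in AD FS claim rule language and applied with the ADFS PowerShell module, for the Email NameID Policy Format case, as an added example that is not part of this guide. It assumes the relying party trust's display name is "Common Services", that the email address is stored in the Active Directory mail attribute (E-Mail-Addresses; substitute userPrincipalName if you chose User-Principal-Name), and that a test account named jdoe exists; substitute your own values.

```powershell
# Added example, not from the Hitachi Ops Center guide. Run on the AD FS server in an
# elevated PowerShell session. Assumptions: relying party trust named "Common Services",
# email address kept in the AD "mail" attribute, test account "jdoe".
Import-Module ADFS
Import-Module ActiveDirectory

$RpName   = "Common Services"   # assumption: display name of the relying party trust
$TestUser = "jdoe"              # assumption: an account that will log in to the Portal

# Pre-check from the note in step 10: the attributes the rules read must be populated,
# otherwise the corresponding claims are not issued and the login fails.
Get-ADUser -Identity $TestUser -Properties mail,givenName,sn |
    Format-List sAMAccountName,userPrincipalName,mail,givenName,sn

# Rule 1: Send LDAP Attributes as Claims (step 10). Listed first so that the E-Mail
# Address claim it issues is available to the transform rule that follows.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Common Services - LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/claims/Group"), query = ";mail,givenName,sn,tokenGroups(domainQualifiedName);{0}", param = c.Value);
'@

# Rule 2: Transform an Incoming Claim (step 6), Email case: E-Mail Address -> Name ID,
# outgoing name ID format "Email", value passed through unchanged.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Common Services - Name ID from email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Apply both rules to the relying party trust. The rule set is evaluated top to bottom
# (step 12), so the LDAP rule is concatenated first.
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules ($ldapRule + "`r`n" + $nameIdRule)

# Check: read back the stored policy and confirm the rule order.
$rules = (Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
$rules
if ($rules.IndexOf('@RuleTemplate = "LdapClaims"') -gt $rules.IndexOf('@RuleTemplate = "MapClaims"')) {
    Write-Warning "Rule order is wrong: the LDAP attributes rule must precede the Name ID rule."
}

# Check from step 13: the claim types used above must exist as claim descriptions.
Get-AdfsClaimDescription |
    Where-Object { $_.ClaimType -match 'emailaddress|givenname|surname|claims/Group$|nameidentifier$' } |
    Format-Table Name,ClaimType -AutoSize
```

For the Windows Domain Qualified Name or Unspecified cases, change the incoming claim type in the second rule to windowsaccountname or upn respectively and set the format property to urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, matching what you selected for NameID Policy Format when registering AD FS with Common Services.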