- Log in to the AD FS server.
- Select Start > Windows Administrative Tools > AD FS Management.
- From the tree on the left, select AD FS > Relying Party Trusts. In the middle pane, select the relying party trust for Common Services, and then in the right pane, click Edit Claim Issuance Policy....
  The Edit Claim Issuance Policy dialog box opens.
- On the Issuance Transform Rules tab, click Add Rule.
  The Add Transform Claim Rule Wizard dialog box opens.
- Select Transform an Incoming Claim for the claim rule template, and then click Next.
- Specify the following items:
  - Claim rule name: A name of your choice
  - Outgoing claim type: Name ID
  - Incoming claim type and Outgoing name ID format: Depending on the value specified for NameID Policy Format in Registering AD FS with Common Services, specify the values as follows:

    | Value specified for NameID Policy Format | Value to specify for Incoming claim type | Value to specify for Outgoing name ID format |
    |---|---|---|
    | Windows Domain Qualified Name | Windows account name | Windows Qualified Domain Name |
    | Email | Either of the following LDAP attributes for which an email address is registered in the system: UPN (User-Principal-Name) or E-Mail Address | Email |
    | Unspecified | UPN | UPN |

  - Pass through all claim values: Select this item to turn it on.
- Click Finish.
  The claim rule is added to the Edit Claim Issuance Policy dialog box. The values specified here are transmitted to Common Services as the following claim:
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- In the Edit Claim Issuance Policy dialog box, click Add Rule again.
  The Add Transform Claim Rule Wizard dialog box opens.
- Select Send LDAP Attributes as Claims for the claim rule template, and then click Next.
- Specify the following items:
  - Claim rule name: A name of your choice
  - Attribute Store: Active Directory
  - Mapping of LDAP attributes to outgoing claim types: Specify values for the following attributes:

    | LDAP Attribute | Outgoing Claim Type |
    |---|---|
    | Either of the following LDAP attributes for which an email address is registered in the system: User-Principal-Name or E-Mail-Addresses | E-Mail Address |
    | Given-Name | Given Name |
    | Surname | Surname |
    | Token-Groups - Qualified by Domain Name | Group |

  Note: Make sure that the email address, surname, and given name of the Active Directory user for the Hitachi Ops Center Portal are set in the LDAP attributes that you specify. If this information is not set, the user cannot log in.
- Click Finish.
  The claim rule is added to the Edit Claim Issuance Policy dialog box. The values specified are transmitted to Common Services through the following claims:
  - E-Mail Address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  - Given Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  - Surname: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  - Group: http://schemas.xmlsoap.org/claims/Group
- In the Edit Claim Issuance Policy dialog box, change the order of the rules to the following, and then click OK:
  - The rule created from the Send LDAP Attributes as Claims template
  - The rule created from the Transform an Incoming Claim template
- To make sure the specified information is correct, select AD FS > Service > Claim Descriptions.
Set up a claim issuance policy for the Common Services instance registered as a relying party in AD FS. The user attribute information imported when the user logs in to the Hitachi Ops Center Portal is transmitted to Common Services based on the claim issuance policy settings.
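The two claim rules above, their ordering, and the checks implied by the last step and the Note, as an added PowerShell example that is not part of the Hitachi documentation. It assumes the relying party trust is named "Common Services", that NameID Policy Format was registered as Email, and that the email address is stored in the mail attribute (E-Mail-Addresses); the account name in the final check is a placeholder. The rule text is the claim rule language that the Transform an Incoming Claim and Send LDAP Attributes as Claims wizard templates generate, so the result is the same policy you would get from the dialog boxes.

```powershell
# Added example: not from the Hitachi Ops Center documentation.
# Assumptions (placeholders): relying party trust display name "Common Services",
# NameID Policy Format = Email, email address stored in the LDAP attribute "mail".
Import-Module ADFS

$RelyingPartyName = 'Common Services'   # placeholder: display name of the relying party trust
$NameIdFormat     = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'   # Outgoing name ID format = Email
$EmailAttribute   = 'mail'              # 'mail' = E-Mail-Addresses, 'userPrincipalName' = User-Principal-Name

# Rule 1: "Send LDAP Attributes as Claims" with Attribute Store = Active Directory.
# The attributes in the query string are listed in the same order as the outgoing claim types.
$LdapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Common Services - LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";$EmailAttribute,givenName,sn,tokenGroups(domainQualifiedName);{0}",
          param = c.Value);
"@

# Rule 2: "Transform an Incoming Claim" (Incoming claim type = E-Mail Address, Outgoing claim type = Name ID,
# Pass through all claim values). It consumes the emailaddress claim that Rule 1 issues.
$TransformRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Common Services - email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "$NameIdFormat");
"@

# Order matters: AD FS evaluates issuance transform rules top to bottom, and a rule can only match claims
# that already exist, so the LDAP rule must precede the transform rule (the ordering step in the procedure).
Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules ($LdapRule + "`r`n" + $TransformRule)

# Check 1: show the stored rule set in evaluation order (equivalent to reopening Edit Claim Issuance Policy).
(Get-AdfsRelyingPartyTrust -TargetName $RelyingPartyName).IssuanceTransformRules

# Check 2: every claim type used above must be a registered claim description (AD FS > Service > Claim Descriptions).
$Required = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
            'http://schemas.xmlsoap.org/claims/Group'
$Known = (Get-AdfsClaimDescription).ClaimType
$Required | Where-Object { $_ -notin $Known } | ForEach-Object { Write-Warning "No claim description for $_" }

# Check 3: the attributes the LDAP rule reads must be populated for the portal user (see the Note above);
# an empty email, given name or surname means the user cannot log in. 'portal.user' is a placeholder.
Import-Module ActiveDirectory
$User = Get-ADUser -Identity 'portal.user' -Properties $EmailAttribute, givenName, sn
foreach ($Attr in @($EmailAttribute, 'givenName', 'sn')) {
    if ([string]::IsNullOrEmpty($User.$Attr)) {
        Write-Warning "$($User.SamAccountName): LDAP attribute '$Attr' is empty"
    }
}
```

For the other NameID Policy Format values, change the incoming claim type in Rule 2 (windowsaccountname or upn) and the format URI (WindowsDomainQualifiedName or unspecified) to match the table in the procedure; the rule ordering requirement stays the same whenever the transform rule depends on a claim the LDAP rule produces.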