
ADFS Claim Rule - If UPN with .co.kr domain, then send '.com' domain to Active Directory, Possible?

Lee chungdu
Frequent Visitor

Hello, 

1. I'm using Active Directory (on-prem) with abc.com domain, but it's not verified.

2. I already synced with AAD and the AAD has a verified domain (abc.co.kr).

3. UPN from on-prem AD had been synced as '1@abc.co.kr', '2@abc.co.kr' following MOERA policy.

4. Configured ADFS to use O365.

5. When I put 1@abc.co.kr into the office.com login page, it redirects to the ADFS login page (sts.abc.co.kr) and it said 'invalid username or password information' when I put in the correct credentials for the account.

Environments

Onprem AD (abc.com)

|

ADFS (sts.abc.co.kr)

|

AAD /O365 (abc.co.kr -verified)

Perhaps we might find a solution by setting up an ADFS claim rule... can you help me change the input coming into abc.co.kr to abc.com?

Thank you!

2 Replies

I'm not sure I completely understand your scenario, thus I cannot guarantee it will work, but if you need examples on how to manipulate the UPN claim, you can find some in this article: https://blogs.technet.microsoft.com/abizerh/2013/02/05/supportmultipledomain-switch-when-managing-ss...

  1. When you enter 1@abc.co.kr it gets directed to ADFS - the domain part here is only used for that.
  2. In ADFS you need to use your internal username 1@abc.com because the authentication is performed against your on-premises AD.
  3. If you haven't configured manually otherwise, ADFS sends userprincipalname 1@abc.com to Office 365. However, this doesn't matter, because Office 365 is using only the ImmutableId attribute to identify users, so no need to change claim issuance rules.

So, if you're having the error in phase 2., just use the 1@abc.com to login.
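For reference, this is what a UPN-suffix rewrite of the kind the first reply's article covers looks like when applied with the ADFS PowerShell module; it is an added example, not code from either reply, and the relying party trust name, the rule name and the backup path are assumptions. As the second reply notes, an issuance transform rule only changes the claim sent to Office 365 after ADFS has already authenticated the user against on-premises AD, so it does not change which username (1@abc.com) the ADFS sign-in page accepts.

```powershell
# Added example: append an issuance transform rule to the Office 365 relying party
# trust that rewrites the UPN suffix in the issued claim (shown in the direction the
# question asks, @abc.co.kr -> @abc.com; swap the two literals for the other direction).
# Assumption: the trust is named "Microsoft Office 365 Identity Platform", the default
# name created when a domain is converted to federated. Run on an ADFS server as admin.
Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'

# Claim rule language: match an incoming UPN claim ending in @abc.co.kr and issue the
# same claim type with the suffix replaced. '=~' and RegExReplace use .NET regex syntax.
$rewriteRule = @'
@RuleName = "Rewrite UPN suffix abc.co.kr to abc.com (added example)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "(?i)@abc\.co\.kr$"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = RegExReplace(c.Value, "(?i)@abc\.co\.kr$", "@abc.com"));
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Save the current rule set first so the change can be reverted with the same cmdlet.
$backup = Join-Path $env:TEMP ("o365-issuance-rules-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
$rp.IssuanceTransformRules | Set-Content -Path $backup
Write-Host "Existing issuance rules saved to $backup"

# Rules execute in order, so the rewrite is appended after the rule that issues the UPN.
# If that earlier rule uses issue(...) the original value is also sent; change it to
# add(...) so only the rewritten UPN reaches Office 365.
$newRules = $rp.IssuanceTransformRules + "`n" + $rewriteRule
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules

# Print the resulting rule set for review before testing a sign-in.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```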
