ADFS Claim Rule - If UPN with .co.kr domain, then send '.com' domain to Active Directory, Possible?


Hello, 

 

1. I'm using Active Directory (on-prem) with abc.com domain, but it's not verified.

2. I already synced with AAD and the AAD has a verified domain (abc.co.kr).

3. UPN from on-prem AD had been synced as '1@abc.co.kr', '2@abc.co.kr' following MOERA policy.

4. Configured ADFS to use O365.

5. When I put 1@abc.co.kr into the office.com login page, it redirects to the ADFS login page (sts.abc.co.kr) and it says 'invalid username or password information' when I enter the correct credentials for the account.

 

Environments

Onprem AD (abc.com)

|

ADFS (sts.abc.co.kr)

|

AAD /O365 (abc.co.kr -verified)

 

Perhaps we might find a solution by setting up an ADFS claim rule... can you help me change the input coming in as abc.co.kr to abc.com?

 

Thank you!

2 Replies

I'm not sure I completely understand your scenario, thus I cannot guarantee it will work, but if you need examples on how to manipulate the UPN claim, you can find some in this article: https://blogs.technet.microsoft.com/abizerh/2013/02/05/supportmultipledomain-switch-when-managing-ss...

  1. When you enter 1@abc.co.kr it gets directed to ADFS - the domain part here is only used for that.
  2. In ADFS you need to use your internal username 1@abc.com because the authentication is performed against your on-premises AD.
  3. If you haven't manually configured it otherwise, ADFS sends userprincipalname 1@abc.com to Office 365. However, this doesn't matter, because Office 365 is using only the ImmutableId attribute to identify users, so no need to change claim issuance rules.

 

So, if you're having the error in phase 2, just use 1@abc.com to log in.
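The matching described in the reply above, as an added example that is not part of the original thread: it models a token carrying the internal UPN and an ImmutableId, and a cloud directory that selects the account by ImmutableId alone. It assumes the sync source anchor is objectGUID (ImmutableId = base64 of the GUID bytes); the GUIDs, the directory entries and the helper names are constructed for illustration.

```python
import base64
import uuid

UPN_CLAIM = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID_CLAIM = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"


def immutable_id_from_guid(object_guid: str) -> str:
    """Base64 of the GUID in AD's byte order (first three fields little-endian)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse mapping, for tracing a cloud account back to its AD object."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def match_cloud_user(claims: dict, cloud_users: list):
    """Pick the cloud account by ImmutableId only; the UPN claim is not consulted."""
    wanted = claims.get(IMMUTABLE_ID_CLAIM)
    hits = [u for u in cloud_users if u["immutable_id"] == wanted]
    return hits[0] if len(hits) == 1 else None


# Constructed sample data: one on-prem user and the synced cloud accounts.
ON_PREM_GUID = "01020304-0506-0708-090a-0b0c0d0e0f10"
CLOUD_USERS = [
    {"upn": "1@abc.co.kr", "immutable_id": immutable_id_from_guid(ON_PREM_GUID)},
    {"upn": "2@abc.co.kr", "immutable_id": immutable_id_from_guid(str(uuid.UUID(int=2)))},
]
# Constructed token: the user signed in at ADFS with the internal UPN (abc.com).
TOKEN_CLAIMS = {
    UPN_CLAIM: "1@abc.com",
    IMMUTABLE_ID_CLAIM: immutable_id_from_guid(ON_PREM_GUID),
}

if __name__ == "__main__":
    user = match_cloud_user(TOKEN_CLAIMS, CLOUD_USERS)
    print("signed in as", TOKEN_CLAIMS[UPN_CLAIM], "-> cloud account", user["upn"])
    print("ImmutableId", user["immutable_id"], "-> objectGUID",
          guid_from_immutable_id(user["immutable_id"]))
```

The byte order matters when comparing values by hand: encoding the GUID's textual (big-endian) bytes yields a different string that matches no cloud account.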