Configuring ADFS to Send Claims Using a Custom Rule

To complete the prerequisites for Jive for SharePoint, an ADFS administrator with IT expertise needs to send claims using a custom rule.

The following steps should be performed by the ADFS administrator with IT expertise.

  1. Open up the ADFS console.
  2. Click Trust Relationships, then right-click Relying Party Trusts > Add Relying Party Trust... as shown in the following image:



  3. Open the Jive URL in a new tab and add "saml/metadata" to the end:
    https://giljive.eng.jiveland.com:8443/saml/metadata
  4. If the file is not automatically downloaded as xml, download and rename it with an XML extension.
  5. Back in the ADFS Console, click Select Data Source > Import data about the relying third party from a file as shown in the following image:



  6. Type or browse to the Federation metadata file location, and then click Next.
  7. Click Specify Display Name and enter the display name.
  8. Click Configure Multi-factor > I do not want to configure multi-factor... > Next.
  9. Select Permit all users to access this relying third party > Next.
  10. In the Ready to Add Trust step, just click Next.
  11. In the Finish Step, select the Open the Edit Claims Rule dialog for this relying party trust when this wizard closes option.
  12. When the Edit Claims Rules for Jive SSO Integration dialog opens, click Add Rule... as shown in the following image:



  13. In the Choose Rule Type step, select Send LDAP Attribute as Claims > Next.
  14. In the Configure Claim Rule step, type the Claim rule name, select Active Directory, and then select or type the following information exactly as it appears below under Mapping of LDAP attributes to outgoing claim types:

      LDAP Attribute       Outgoing Claim Type
      ObjectGUID           Name ID
      Given-Name           Given Name
      Surname              Surname
      E-Mail-Addresses     E-Mail Address

      Note: In the Outgoing Claim Type for ObjectGUID, there is a space between "Name" and "ID".
  15. Click Finish.
  16. Once again, use the Edit Claims Rules for Jive SSO Integration dialog to add a new rule by clicking Add Rule....
  17. In the Choose Rule Type step, select Send Claims Using a Custom Rule > Next.
  18. Type in the following text in the Custom Rule text box, making sure to customize the following for your environment:
    • adfs3 - your ADFS server name.
    • iqc01.com - the correct domain.
    • ADFSClaimsID - this is the value you have entered as the Claims ID value in the SAML in the Jive Admin Console.

      For more information on claim types, see ClaimTypes Members. The transformation rule has four parts:

      • Type == "…": the source of the information defined as schema URL.
        For e-mail address:
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        For User Principal Name (UPN):
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
      • Type = "ADFSClaimsID": the name of the attribute ADFS sends to Jive on successful login. ADFSClaimsID is the name of the user mapping field to set in Jive’s SAML Admin Console; the value configured in ADFS and the value configured in Jive must match exactly.
      • Value = "i:05.t|adfs3.mydomain.com|" + c.Value: the Claims ID as SharePoint recognizes it for user identification.
      • ValueType = c.ValueType: leave this as is. The type is not used actively; it is stored as a text field in the Jive user profile.
      Transformation Rule Examples
      • E-mail-based ClaimsID
        c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "ADFSClaimsID", Value = "i:05.t|adfs3.mydomain.com|" + 
        c.Value, ValueType = c.ValueType);

        Result: i:05.t|adfs3.mydomain.com|user@mydomain.com

      • Classic NTLM ClaimsID
        c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "ADFSClaimsID", Value = "i:0#.w|mydomain\" + 
        c.Value, ValueType = c.ValueType);

        Result: i:0#.w|mydomain\user1

        Customize these rules per customer to match the Claims ID format supported by the customer's SharePoint environment. The Claims ID format may differ from the examples above, except for the classic NTLM Claims ID, which is standard when NTLM authentication is used.

        See the User Diagnostic script to verify that Claims ID is supported by SharePoint.

  19. Click OK and then Finish.
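The following script is an added example and is not part of the Jive documentation or the Jive product; it creates the same relying party trust and the same two claim rules as wizard steps 1 through 19, using the ADFS PowerShell module, so that the configuration can be reviewed, reproduced and checked before users depend on it. It assumes the display name "Jive SSO Integration", a temporary local path for the downloaded metadata, the e-mail-based ADFSClaimsID variant, and the adfs3.mydomain.com placeholder from step 18, all of which you must customize. Run it in an elevated PowerShell session on the ADFS server as an ADFS administrator.

```powershell
# Added example (not from the Jive documentation): script the relying party
# trust and claim rules that the ADFS wizard steps above create by hand.
# Assumed values: $TrustName, $MetadataFile and the adfs3.mydomain.com prefix.
Import-Module ADFS

$JiveMetadataUrl = "https://giljive.eng.jiveland.com:8443/saml/metadata"   # step 3
$MetadataFile    = Join-Path $env:TEMP "jive-saml-metadata.xml"            # assumed local path
$TrustName       = "Jive SSO Integration"                                  # assumed display name (step 7)
$ClaimsIdPrefix  = "i:05.t|adfs3.mydomain.com|"   # step 18: replace adfs3.mydomain.com

# Steps 3-4: download the SAML metadata and confirm it is well-formed XML with the
# expected root element; an HTML error page saved as .xml would fail later in ADFS.
Invoke-WebRequest -Uri $JiveMetadataUrl -UseBasicParsing -OutFile $MetadataFile
try {
    [xml]$metadata = Get-Content -Path $MetadataFile -Raw
} catch {
    throw "Downloaded file is not valid XML; check the URL and re-download: $MetadataFile"
}
if ($metadata.DocumentElement.LocalName -ne "EntityDescriptor") {
    throw "Unexpected metadata root element '$($metadata.DocumentElement.LocalName)'; expected EntityDescriptor"
}

# Steps 13-15: the "Send LDAP Attributes as Claims" rule. The outgoing claim types
# are the schema URIs behind the display names Name ID, Given Name, Surname and
# E-Mail Address; the query lists the matching AD attributes in the same order.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Jive LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";objectGUID,givenName,sn,mail;{0}", param = c.Value);
'@

# Steps 16-18: the custom rule that issues ADFSClaimsID (e-mail-based variant).
# To issue the classic NTLM Claims ID instead, use the UPN claim type and the
# "i:0#.w|mydomain\" prefix from the second example above.
$claimsIdRule = @"
@RuleName = "Jive ADFSClaimsID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "ADFSClaimsID", Value = "$ClaimsIdPrefix" + c.Value, ValueType = c.ValueType);
"@

# Whitespace just inside a string literal (for example " http://...") makes the
# claim type never match or prefixes the Claims ID with a space, and ADFS will
# not complain. Check every literal in both rules before deploying them.
foreach ($rule in @($ldapRule, $claimsIdRule)) {
    foreach ($m in [regex]::Matches($rule, '"([^"]*)"')) {
        $literal = $m.Groups[1].Value
        if ($literal -ne $literal.Trim()) {
            throw "String literal '$literal' has leading or trailing whitespace in rule:`n$rule"
        }
    }
}

# Steps 5-12 and 19: create the trust from the metadata file, permit all users
# (step 9), and attach both issuance transform rules. Multi-factor is left
# unconfigured, which matches step 8.
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules ($ldapRule + "`r`n" + $claimsIdRule) `
    -IssuanceAuthorizationRules $permitAll

# Review what ADFS stored. ADFS re-serializes rule text, so cosmetic differences
# are expected, but the Claims ID prefix must survive intact.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$trust.IssuanceTransformRules
if ($trust.IssuanceTransformRules -notmatch [regex]::Escape($ClaimsIdPrefix)) {
    Write-Warning "ADFSClaimsID prefix '$ClaimsIdPrefix' not found in the stored rules; check the custom rule."
}
```

The script creates the trust first and attaches the rules in a separate Set-AdfsRelyingPartyTrust call so that a rule syntax error is reported against the rules rather than against the metadata import. After it runs, the Claims ID that ADFS issues for a test user should match the format SharePoint expects, as described for the User Diagnostic script above.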