You need to define the claim issuance policy. Before you start, you need to create the Relying Party Trusts as described in Create Relying Party Trust in ADFS.
1. From the right menu pane of the Relying Party Trusts, click Edit Claim Issuance Policy.
2. Click Add Rule.
3. In the Add Transform Claim Rule Wizard, select Transform an Incoming Claim from the drop-down list.
4. Click Next.
5. In the Configure Claim Rule page, type the claim rule name WindowsAccountName, which will pass the user login name in AD, and select Windows account name for both the Incoming and Outgoing claim type.
6. Click Finish.
Add another claim rule, which will pass the AD user account attributes to Cortex XSOAR. This step is required to map the user's group membership, full name, email, phone and other LDAP attributes.
1. From the right menu pane of the Relying Party Trusts, click Edit Claim Issuance Policy.
2. Click Add Rule.
3. In the Add Transform Claim Rule Wizard, select Send LDAP Attributes as Claims from the drop-down list.
4. Click Next.
5. In the Configure Claim Rule page, type a claim rule name, select Active Directory from the Attribute store drop-down list and map the required fields. Note that the user group attribute is mandatory if you wish to map the user group to the Cortex XSOAR user role.
6. Click Finish, and then click OK to create the claim rules.
Open PowerShell and make sure the IDP Sign-on page is enabled. If either of these settings (RelayState or EnableIdp) is set to false, enable it by typing:
Set-AdfsProperties -<Property Name RelayState or EnableIdp> $True
Verify that the ADFS IDP Sign-on page is working by browsing to the ADFS service portal URL, in our example: https://demistodev.local/adfs/ls/idpinitiatedsignon.aspx
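The two claim rules and the IDP Sign-on check above, expressed in PowerShell as an added example (not code from the Cortex XSOAR documentation): it assumes a Relying Party Trust named "Cortex XSOAR" (a placeholder) and uses the standard ADFS claim-type URIs for email, given name, surname and group; the full property names behind the page's RelayState and EnableIdp shorthand are EnableRelayStateForIdpInitiatedSignOn and EnableIdpInitiatedSignonPage.

```powershell
# Added example, not part of the Cortex XSOAR documentation. Applies the two claim
# rules described above to the Relying Party Trust, then enables and verifies the
# IdP-initiated sign-on page. Assumption: the trust is named "Cortex XSOAR".
Import-Module ADFS

$rpName = "Cortex XSOAR"   # placeholder: use the display name of your own trust

# Rule 1 (Transform an Incoming Claim): Windows account name in, same type out.
# Rule 2 (Send LDAP Attributes as Claims): mail, givenName, sn and tokenGroups;
#         tokenGroups is the group membership Cortex XSOAR maps to a user role,
#         so it must stay in the query.
$rules = @'
@RuleTemplate = "MapClaims"
@RuleName = "WindowsAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "LdapClaims"
@RuleName = "Cortex XSOAR LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/claims/Group"), query = ";mail,givenName,sn,tokenGroups;{0}", param = c.Value);
'@

# Note: -IssuanceTransformRules replaces every existing rule on the trust, so
# review the current set first if the trust was created by someone else.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# IDP Sign-on page: enable only the properties that are currently false.
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
}
if (-not $props.EnableRelayStateForIdpInitiatedSignOn) {
    Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true
}
Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonPage, EnableRelayStateForIdpInitiatedSignOn
```

The last line should show both properties as True before you browse to the idpinitiatedsignon.aspx URL to test the sign-on page.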