AD FS issues tokens that contain set of claims. You must configure the claim issuance policy so that AD FS passes correct claims to Keycloak and receives correct claims from Keycloak.
Procedure
Log in to the AD FS Manager as an administrator.
Navigate to Relying Party Trust.
Right click on the relying party that you created for Keycloak and then select Edit Claim Issuance Policy from the menu.
Click Add Rule and add a new rule with the following parameters:
In Rule template, select Send LDAP Attributes as Claim.
In Claim rule name, type a name of your choice for the rule.
In Attribute store, select Active Directory.
Configure the mapping of LDAP attributes to outgoing claim types as in the following table:
LDAP Attribute
Outgoing Claim Type
Given-Name
Given Name
Surname
Surname
E-Mail-Addresses
E-Mail Address
Click Add Rule and add a new rule with the following parameters:
In Rule template, select Transform an Incoming Claim.
In Claim rule name, type Name ID.
In Incoming claim type, select E-Mail Address.
In Outgoing claim type, select Name ID.
In Outgoing name ID format, select Email.
Select Pass through all claim values.
Click Add Rule and add a new rule with the following parameters:
In Rule template, select Send Group Membership as a Claim.
In Claim rule name, type Group: user.
In User's group, select a group with users who must use SSO capabilities from your active directory.
In Outgoing claim type, select Group.
In Outgoing claim value, select user.
Click Add Rule and add a new rule with the following parameters:
In Rule template, select Send Group Membership as a Claim.
In Claim rule name, type Group: admin.
In User's group, select a group with administrative users from your active directory.
