I'm using an ADFS 2.1 (2012 R2) server to pass AD DS Claims (computed from a Kerberos Compound auth ticket - e.g. it has device claims inside of the presented user token) to an RP, as described below:
http://technet.microsoft.com/en-us/library/hh831504.aspx
This is a supported scenario, according to what little documentation I can find - unfortunately, the transform rules are hard to determine - the only guidance I've been able to find is this one paragraph from the below link (Using AD DS Claims with AD FS): http://technet.microsoft.com/en-us/library/dd807068.aspx
"If you are setting up the Dynamic Access Control scenario that uses AD DS-issued claims, first create a transform rule on the claims provider trust and in Incoming claim type, type the name for the incoming claim or if a claim description was previously created select it from the list. Second, in Outgoing claim type, select the desired claim URL, and then create a transform rule on the relying party trust to issue the device claim."
I have not been able to get the magic rules on the provider trust and RP trust to make this work – does anyone know of better documentation, or examples which may be able to help?
Thanks!
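The two-step procedure in the quoted TechNet paragraph (a transform rule on the claims provider trust that maps the incoming AD DS claim type to a claim URL, then an issuance rule on the relying party trust), written out as AD FS claim rule language and applied with the AD FS PowerShell module. This is an added example, not code from the original post or from Microsoft's documentation. The claim name "DeviceOwner", the outgoing claim URL under schemas.contoso.com, the claim description name and the relying party trust name "Contoso RP" are placeholders; the AD DS claim type identifier (of the form ad://ext/<Name>:<hash>) is forest-specific and is read from Get-ADClaimType rather than typed by hand.

```powershell
# Added example, not from the original post. Constructed to illustrate the
# quoted TechNet procedure; claim names, the outgoing claim URL and the RP
# trust name are assumptions, not values taken from the post.

Import-Module ActiveDirectory
Import-Module ADFS

# 1. Read the AD DS claim type ID of the device claim as AD DS issues it.
#    AD DS claim type IDs look like ad://ext/<Name>:<hash> and the hash is
#    unique per forest, so take the value from the directory.
$adClaim      = Get-ADClaimType -Filter 'Name -eq "DeviceOwner"'   # "DeviceOwner" is an assumed claim name
$incomingType = $adClaim.ID                                        # e.g. ad://ext/DeviceOwner:<hash> (assumed)

# 2. The claim URL the relying party expects (assumption).
$outgoingType = "http://schemas.contoso.com/claims/deviceowner"

# 3. Register a claim description so the outgoing type is known to AD FS.
Add-AdfsClaimDescription -Name "Device Owner" -ClaimType $outgoingType `
    -IsAccepted $true -IsOffered $true

# 4. Acceptance transform rule on the Active Directory claims provider trust:
#    incoming AD DS claim type -> outgoing claim URL. The existing rules are
#    kept (the default is a pass-through of Windows account claims) and the
#    new rule is appended.
$cpRule = @"
@RuleName = "Transform AD DS device claim"
c:[Type == "$incomingType"]
 => issue(Type = "$outgoingType", Value = c.Value, ValueType = c.ValueType);
"@
$cpTrust = Get-AdfsClaimsProviderTrust -Name "Active Directory"
Set-AdfsClaimsProviderTrust -TargetName "Active Directory" `
    -AcceptanceTransformRules ($cpTrust.AcceptanceTransformRules + "`r`n" + $cpRule)

# 5. Issuance transform rule on the relying party trust: pass the claim through
#    to the RP under the outgoing URL.
$rpRule = @"
@RuleName = "Issue device claim to RP"
c:[Type == "$outgoingType"]
 => issue(claim = c);
"@
$rpTrust = Get-AdfsRelyingPartyTrust -Name "Contoso RP"             # assumed RP trust name
Set-AdfsRelyingPartyTrust -TargetName "Contoso RP" `
    -IssuanceTransformRules ($rpTrust.IssuanceTransformRules + "`r`n" + $rpRule)

# Read back both rule sets to confirm the append did not clobber existing rules.
(Get-AdfsClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name "Contoso RP").IssuanceTransformRules
```

The rules only do anything if the device claim actually arrives in the Windows token that AD FS sees, which in the scenario described above depends on the client presenting a compound-authentication ticket carrying the device claims; if the acceptance rule on the claims provider trust never matches, check the incoming claim type string before suspecting the relying party rule.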