1. Add Relying Party Trust

Open AD FS Management, add and configure "Relying Party Trust"

1.1 Click Add Relying Party Trust to open the wizard

1.2 On the Welcome page, select Claims aware and click Start

1.3 Click Selete Data Source: select Enter data about the relying party manually, click Next

1.4 Click Specify Display Name: input any Display name (such as sso-cas), click Next

1.5 Click Configure Certificate: According to the default configuration, click Next

1.6 Click Configure URL

select "Enable support for the SAML 2.0 WebSSO protocol" and enter the SP Assertion Consumer Service URL provided on the Admin Console page, as shown in the figure below

1.7 Click Choose Profile: Enter the SP Entity ID provided on the Admin Console page, as shown below

1.8 Follow the default configuration until it is completed.

2. Configure Claim Rules

2.1 Go back to the Relying Party Trust page, select Relying Party Trust you just added, and click Edit Claim Issuance Policy

2.2 On the Issuance Transform Rules tab, add email, name id, email-custom items

Note: Please pay attention to the order of "Order", please add in order

email Rule

• On the Choose Rule Type page, select "Send LDAP Attributes as Claims"
• On the Configure Claim Rule page, configure according to the following figure

name id Rule

• On the Choose Rule Type page, select "Transform an incoming Claim"
• On the Configure Claim Rule page, configure according to the following figure

email-custom  Rule

• On the Choose Rule Type page, select "Send Claims Using a Custom Rule"
• On the Configure Claim Rule page, configure according to the following figure

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);