Add Required Attribute UID in ADFS Server Manually

Available Languages

Download Options

  • PDF     (244.3 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (316.6 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (206.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:May 6, 2025
Document ID:222997

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to manually add an Attribute UID in ADFS relying party trust using a syntex.

    Prerequisites

    Requirements

    • ADFS server
    • Control Hub

    Components Used

    • ADFS server
    • Cisco Webex Control Hub
    • On-Prem AD

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    This is something that is useful in case there is an issue adding an Attribute Claim in ADFS due to an existing attribute.

    Scenario 1

    You have an existing relying party trust which has a Claim rule created with attribute named UID or Uid.

    This fails the Authentication since Webex (SP) is case sensitive about the required attribute and it has to be uid and must pass the emailAddress of the user in SAML response.

    Scenario 2

    You have a party trust which has a Claim rule passing an attribute named uid  but associated with different attribute in AD than what is needed (emailAddress/UserPrincipleName). This creates issues.

    Configurations

    In an ideal configuration as per the Cisco Webex Guide, ADFS configuration must look like this:

    Configurations

    ADFS Admins can visit this from their Relying Party Trusts-> Trust they created for Webex -> Edit Claim Issuance Policy -> Edit Rule -> Attributes -> View Rule Language.

    The rule language in plain text is:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("uid"), query = ";userPrincipalName;{0}", param = c.Value);

    Since the configuration does not display properly, manually create this rule by using the plain text of the rule language.

    Add a Custom Claim Rule in the ADFS Server under Webex Relying Party Trust

    Steps to Create This Rule

    1. In the main ADFS pane, select the trust relationship that you created, and then select Edit Claim Rules. Under the Issuance Transform Rules tab, select Add Rule.
    2. Select Send Claims Using a Custom Rule, and then select Next.
    3. Copy the rule from your text editor (starting at c:) and paste it in to the custom rule box on your ADFS server.

    This must look like this:

    Create RuleSSO

    Once this is done you can test SSO from the Control Hub and that must work as expected.

    Revision History

    Revision Publish Date Comments
    1.0
    06-May-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Karan Kumar Mishra
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products