Tags: c#, asp.net, authentication, saml, adfs3.0

Is it possible to inject claims into a SAML token using a custom c# module from an ADFS server?


I have an asp.net web app that uses ADFS to authenticate users. The ADFS server is configured to issue claims to the web app once it determines that the user is a valid member of an AD domain.

What I want to do is deploy a module on the ADFS server that is invoked after the basic claims are issued. The module would then query an alternate DB (say SQL), retrieve some information about the user based on the claims that have already been issued, and inject that information as one or more claims/assertions into the SAML token that is sent back to the web server.

I have tried implementing a custom authentication adapter on the ADFS server, but that is geared towards MFA and will only return a single additional claim that asserts that some form of MFA was used.


Solution

  • Absolutely.

    You need a custom attribute store. This runs the SQL, and then you add claims rules deriving from the custom store.

    Refer: AD FS 2.0 Attribute Store Overview and How to create a Custom Attribute Store for Active Directory Federation Services 3.0.
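The following is an added example of the approach the answer describes; it is not code from the question, the answer or Microsoft. It shows a minimal AD FS custom attribute store that implements `IAttributeStore`, reads a connection string from the store's AD FS configuration, and resolves the already-issued UPN claim to rows in an external SQL database. The store name, the table and column names, the claim type URI and the `ConnectionString` configuration key are assumptions for illustration. The claim rule text is never spliced into SQL: the rule only selects a query by name from a fixed list, and the UPN travels as a SQL parameter.

```csharp
// Added example (not from the question or answer above): a custom AD FS
// attribute store backed by SQL. Table/column names, the store name, the
// claim type URI and the "ConnectionString" config key are assumptions.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore;

namespace Example.Adfs.AttributeStores
{
    public sealed class SqlDepartmentStore : IAttributeStore
    {
        // Every query name a claim rule may reference maps to one fixed,
        // parameterised statement, so rule text is never interpolated into SQL.
        private static readonly Dictionary<string, string> Queries =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                ["department"] = "SELECT Department FROM dbo.UserProfiles WHERE Upn = @p0",
                ["roles"]      = "SELECT RoleName   FROM dbo.UserRoles    WHERE Upn = @p0"
            };

        private string _connectionString;

        // AD FS calls Initialize once with the key/value pairs entered when the
        // store is registered in the AD FS management console.
        public void Initialize(Dictionary<string, string> config)
        {
            if (config == null
                || !config.TryGetValue("ConnectionString", out _connectionString)
                || string.IsNullOrWhiteSpace(_connectionString))
            {
                throw new AttributeStoreInvalidConfigurationException(
                    "SqlDepartmentStore requires a 'ConnectionString' setting.");
            }
        }

        // Called by the claims engine for each issue(...) rule that names this store.
        // 'query' is the rule's query string; 'parameters' are its param values.
        public IAsyncResult BeginExecuteQuery(string query, string[] parameters,
                                              AsyncCallback callback, object state)
        {
            if (string.IsNullOrWhiteSpace(query) || !Queries.TryGetValue(query.Trim(), out string sql))
                throw new AttributeStoreQueryFormatException("Unknown query name: " + query);
            if (parameters == null || parameters.Length != 1 || string.IsNullOrWhiteSpace(parameters[0]))
                throw new AttributeStoreQueryFormatException("Exactly one parameter (the UPN) is required.");

            string upn = parameters[0];
            Task<string[][]> task = Task.Factory.StartNew(_ => RunQuery(sql, upn), state);
            if (callback != null)
                task.ContinueWith(t => callback(t));
            return task;
        }

        // AD FS expects one row per claim value and one column per claim type
        // listed in the rule's "types" clause.
        public string[][] EndExecuteQuery(IAsyncResult result)
        {
            var task = result as Task<string[][]>;
            if (task == null)
                throw new ArgumentException("Unexpected IAsyncResult type.", nameof(result));
            try
            {
                return task.GetAwaiter().GetResult();
            }
            catch (SqlException ex)
            {
                // Surface a store-level error so AD FS logs it against this rule.
                throw new AttributeStoreQueryExecutionException("SQL lookup failed: " + ex.Message);
            }
        }

        private string[][] RunQuery(string sql, string upn)
        {
            var rows = new List<string[]>();
            using (var conn = new SqlConnection(_connectionString))
            using (var cmd = new SqlCommand(sql, conn) { CommandType = CommandType.Text })
            {
                cmd.Parameters.Add("@p0", SqlDbType.NVarChar, 256).Value = upn;
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        if (!reader.IsDBNull(0))
                            rows.Add(new[] { reader.GetString(0) });
                    }
                }
            }
            return rows.ToArray();
        }
    }
}

// Claim rule that drives the store (assumed store name "SqlDepartmentStore",
// assumed claim type URI). One claim is issued per row the query returns:
//
// c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
//  => issue(store = "SqlDepartmentStore",
//           types = ("http://example.com/claims/department"),
//           query = "department", param = c.Value);
```

The assembly is registered on the AD FS server as a custom attribute store with the connection string as a configuration entry, and the rule above is attached to the relying party trust so that the department values ride in the SAML assertion alongside the claims AD FS already issues. Keeping the SQL fixed inside the store (rather than accepting arbitrary statements through the rule's `query` string) means an administrator editing rules cannot widen what the store can read from the database.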