For some background, the steps that I am following are similar to: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/customize-id-token-ad-fs-2016
When connecting to my application, I can see 'nameid', 'upn', and 'unique_name' in the id token but none of the claims as defined in my custom claims rule:
c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);
Although the user is successfully logged in, I cannot pass along additional claims to help define the user's identity.
Changing or removing this claim rule does not seem to affect the results, but removing the issuance authorization rule of "permit everyone" results in an access denied message, so I can deduce that the web application properties are actually in play. Any suggestions?
Did you really intend to have the URI of all those claim types as "foo://"?
Based on what you wrote,
c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);
all the claims will only be issued if you meet the condition for a foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname claim in the pipeline.
I suggest doing something simpler like adding the below custom rule.
=> issue(type = "http://contoso.com/partner", value = "Adatum");
Then see the id_token issued. You should see a custom claim like so along with the other claims:
http://contoso.com/partner: "Adatum",
You can then play around with the claims rule syntax as desired.
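An added diagnostic for checking which expected claim types actually arrived in the id_token, written for this thread and not taken from either poster or from AD FS itself. It decodes the JWT payload (no signature check, so it is for troubleshooting only), reports missing claim types, and flags claim-type URIs that do not use an http/https scheme, which is the "foo://" point raised above. The token, issuer, audience and user values are constructed sample data.

```python
import base64
import json


def decode_jwt_payload(id_token: str) -> dict:
    """Return the payload of a compact JWS id_token WITHOUT verifying the signature.
    Diagnostic use only: a relying party must validate the signature against the
    AD FS signing certificate (from federation metadata) before trusting a claim."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding stripped by JWS
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_claims(id_token: str, expected_types: list[str]) -> dict:
    """Compare the claim types you expect from your rules with what the token carries."""
    claims = decode_jwt_payload(id_token)
    missing = [t for t in expected_types if t not in claims]
    # Claim types that look like URIs but use a non-http(s) scheme are almost
    # certainly a typo in the rule (e.g. "foo://" instead of "http://").
    odd_scheme = [t for t in expected_types
                  if "://" in t and not t.startswith(("http://", "https://"))]
    return {"present": sorted(set(expected_types) - set(missing)),
            "missing": missing, "odd_scheme": odd_scheme}


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample: the claims an AD FS 2016 id_token carries by default plus the
# test claim from the answer above. The signature segment is a dummy (not verified).
SAMPLE_PAYLOAD = {
    "aud": "urn:example:app", "iss": "https://adfs.example.test/adfs",
    "nameid": "S-1-5-21-1-2-3-1001", "upn": "alice@example.test",
    "unique_name": "EXAMPLE\\alice",
    "http://contoso.com/partner": "Adatum",
}
SAMPLE_ID_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                            _b64url(SAMPLE_PAYLOAD), "c2ln"])

# A few of the types from the question's rule, to show what the audit reports.
EXPECTED = ["http://contoso.com/partner",
            "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "Department"]

if __name__ == "__main__":
    print(json.dumps(audit_claims(SAMPLE_ID_TOKEN, EXPECTED), indent=2))
```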