Denmark +45 7944 7000
Europe +45 7944 7000
North America +1 (202)-536-4165
Denmark +45 7944 7002
North America +1 (202)-536-4165
Start a conversation

Resolving Email/UPN Mismatches for ADFS SSO with Claim Mapping


This article provides step-by-step instructions on how to add claim to retrieve all email addresses if there are users who have User Principal Name different from SMTP address in the system.

How to add claim to retrieve all email addresses

Option 1: Add claim as LDAP attributes

1. In AD FS manager, choose “Claim Description” then click “Add Claim Description…”:

2. In the pop-up window, enter Name and Claim Type for new Claim Descriptions

3. Go back to Application Groups folder:

Right click on Application Groups we created, select “Properties”. In properties window, click “Web Api Application”, then click [Edit].

4. In the next screen, select “Issuance Transform Rules” tab, then click “Add Rule…” button.

5. In the next screen, select “Send LDAP Attribute as Claims” then click [Next].

6. In the next screen, set up Claim Rule as shown in the following figure:

  • In “Attribute store” field: select “Active Directory”.
  • In “LDAP Attributes” column: add Proxy-Addresses attribute.
  • In “Outgoing Claim Type” column: select the claim rule created in step 2.

Then click [Finish] and [Save] configuration.

Option 2: Add Claim by custom rule

NOTE: Step 1 to 4 of this option are similar to those of Option 1. Refer to Option 1 then continue with step 5.

5. In the next screen, select “Send Claim Using a Custom Rule” then click [Next]:

 6. In the next screen, fill in Custom rule name and setting rule:

The custom rule should be entered with the following text:

c:[Type == "", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("verified_secondary_email"), query = ";proxyAddresses;{0}", param = c.Value);

Then click [Finish] and [Save].


Applies toRC 4.2+

Reference: TFS #339238

Knowledge base ID: 0323

Last updated: Apr 19, 2023

Choose files or drag and drop files