
I have a .Net web application that allows users to hook up their account with an identity provider (Azure AD, Google, and/or ADFS) to allow single sign-on.

On hooking up their account (or "on-boarding", whatever...), each provider should return the following values:

  1. User Unique Id - a constant ID value on the tenant that never changes for the user (e.g. if their name changes, the value is still constant)
  2. Tenant Unique Id - as people use the application from multiple customer bases, I need to store an identifying value for each client's ID provider/tenant
  3. User Name - a friendly name for the user (e.g. email address) that can be used to show them their 'name' on the provider (e.g. this is your email if using Google or Azure AD)

I've achieved this so far in Azure AD and Google, but am struggling with ADFS. As I don't have a live ADFS server, I'm using a VM to see how the above might be set up as claims.

Is it possible in ADFS to set up a relying party, then create three claims to populate the above?

On working through the ADFS claim rules dialog, I assumed that the following might work, but lack experience to know whether it is valid:

  1. Name ID - Persistent Identifier
  2. Unsure - perhaps create a claim manually with value "CompanyABC_Tenant123"
  3. UPN

Can no. 2 above be done? Or is there a better way altogether to achieve what I need? I note that if using Azure AD Access Control, then the above three items get populated automatically, but I assume the IDs are created in the cloud rather than on-premise.

EvilDr
1 Answer

For the first, use objectGUID - refer: ADFS: objectGUID as a claim.

For the second, there may be multiple domains and within a domain multiple ADFS farms and within a farm multiple ADFS instances. So ideally a static claim something like:

domain / farm / machine name

But the claims rules are the same across the farm, so:

domain / farm

For the third, yes use UPN.

rbrayb
  • Thank you so much. A few issues... 1) I can't find any reference to `objectguid` in the LDAP drop-down. If I type `objectGuid`, is that okay (it seems to accept the value)? 2) How do you create a claim value of `domain / farm`? Do I need to use a custom rule here please? – EvilDr Dec 11 '15 at 16:10
  • Yes - the dropdown is editable. For domain / farm either static claim or something like a regex on the UPN. – rbrayb Dec 13 '15 at 18:04
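As an added example that is not part of the answer or the comments: the three claims described above (objectGUID as a persistent NameID, a static domain / farm tenant claim, UPN) written in the ADFS claim rule language and applied to an existing relying party trust with PowerShell, plus the regex-on-UPN alternative for the tenant claim mentioned in the comments. The trust name "MyWebApp", the claim types under http://example.com/claims/ and the value "contoso.com/farm01" are assumed placeholders.

```powershell
# Added example, not the original poster's or answerer's code.
# Assumes the relying party trust "MyWebApp" already exists on this ADFS farm.
$rules = @'
@RuleName = "1a. Fetch objectGUID into a temporary claim (add = input set only, not sent)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://example.com/claims/objectguid"), query = ";objectGUID;{0}", param = c.Value);

@RuleName = "1b. Issue objectGUID as a persistent NameID"
c:[Type == "http://example.com/claims/objectguid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

@RuleName = "2. Tenant unique id: static domain / farm value (placeholder)"
=> issue(Type = "http://example.com/claims/tenantid", Value = "contoso.com/farm01");

@RuleName = "3. User name: UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Alternative for claim 2 (from the comments): take the tenant value from the UPN
# suffix with a regex instead of hard-coding it. Use this rule instead of rule 2, not as well.
$tenantFromUpn = @'
@RuleName = "2b. Tenant unique id: UPN domain suffix"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://example.com/claims/tenantid", Value = RegExReplace(c.Value, "^.*@", ""));
'@

# Apply the rule set to the trust; the string replaces any existing issuance transform rules.
Set-AdfsRelyingPartyTrust -TargetName "MyWebApp" -IssuanceTransformRules $rules

# Check what the trust will now issue.
(Get-AdfsRelyingPartyTrust -Name "MyWebApp").IssuanceTransformRules
```

Note that ADFS emits the binary objectGUID as a base64 string, so store the NameID value as an opaque identifier exactly as received. Because the tenant claim is asserted by the tenant's own ADFS farm, the application should bind the stored tenant id to that farm's issuer identifier and token-signing certificate rather than trusting the claim value alone.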