
Hi, I have a problem with ADFS/WAP.

I publish a web service with Basic Authentication over ADFS/WAP.

My backend web service requires that the Basic Authentication is passed without a REALM, like:

<Username>:<Password>

But with the ADFS/WAP implementation you always need to add a REALM so that ADFS can authenticate.

ADFS/WAP request from external to pass authentication: <USERNAME>@<REALM>:<PASSWORD>

But my backend service requires <USERNAME>:<PASSWORD>

What I want to achieve is that the Web Application Proxy accepts

<USERNAME>:<PASSWORD>

and validates it against the default domain and then passes

<USERNAME>:<PASSWORD>

to the backend service.

Has anyone had the same problem?

Is it possible to fix this with an ADFS rule?

Thanks in advance for your time.

daBONDi

1 Answer


Your business objective can be achieved by authoring an ADFS claim (or custom) rule to strip the "@" element from the inbound claim. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claim-rules includes useful guidance on how to write a claim rule using the default claim template. For your case, I would recommend using the "Transform an Incoming Claim" template. Details below.

Using claim rule templates

Claim rule templates are only used during the claim rule creation process. You can use any of the following templates to create a claim rule:

  • Pass Through or Filter an Incoming Claim
  • Transform an Incoming Claim
  • Send LDAP Attributes as Claims
  • Send Group Membership as a Claim
  • Send Claims Using a Custom Rule
  • Permit or Deny Users Based on an Incoming Claim
  • Permit All Users

For more information describing each of these claim rule templates, see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/determine-the-type-of-claim-rule-template-to-use.

Femi Sulu