Which two claim rules will be added to specify the claims sent from ADFS to Cisco Identity Service as part of a successful SAML assertion in PCCE? (Choose two.)
A. sAMAccountName - Logon names maintained for backward compatibility
B. user_principal - For Identifying the authentication realm of the user in the assertion sent to Cisco Identity Service.
C. E-Mail Address - For the Outgoing claim type
D. Unspecified - For the Incoming name ID format
E. uid - For Identifying the authenticated user in the claim sent to the applications
In order to configure SAML SSO for PCCE, you need to create claim rules that specify the claims sent from ADFS to Cisco Identity Service as part of a successful SAML assertion. The claim rules define how to transform the incoming claims from the AD FS identity provider into the outgoing claims that are expected by the Cisco Identity Service relying party. The two claim rules that are required for PCCE are:
sAMAccountName - Logon names maintained for backward compatibility. This claim rule maps the sAMAccountName attribute from the AD FS identity provider to the uid attribute in the outgoing claim. The uid attribute is used to identify the authenticated user in the claim sent to the applications. The sAMAccountName attribute is the logon name used to support clients and servers from a previous version of Windows [1].
E-Mail Address - For the Outgoing claim type. This claim rule maps the E-Mail-Addresses attribute from the AD FS identity provider to the mail attribute in the outgoing claim. The mail attribute is used to provide the email address of the authenticated user in the claim sent to the applications. The E-Mail-Addresses attribute is the primary email address of the user [2].
The other options are not valid claim rules for PCCE. The user_principal option is not a valid attribute name in AD FS. The Unspecified option is not a valid claim type in AD FS. The uid option is not a valid attribute name in AD FS, but it is the outgoing claim type that is mapped from the sAMAccountName attribute.
References:
AD FS 2.0 Setup for SAML SSO Configuration Example
Configure Single Sign-On with CUCM and AD FS 2.0
Checklist - Creating Claim Rules for a Claims Provider Trust
Notes on ADFS as SAML IdP for ISE User Portals