Send conditional claims using custom rule

We're in a bit of a pickle here.

We've set up a relying party trust for a third-party application, which requires the following claim rules:

SAM-Account-Name -> Given Name (this will be used for the username in the third-party application)
Given-Name -> Name ID

That all works well, but we're going to add external people now. The requirements are that the externals should use their email address as username, and that's giving us some issues.

We can't use an email address in the SAM-Account-Name due to pre-Windows 2000 ugliness. So we're not doing that. I've set up Alternate login for AD FS, using the mail attribute, and added a third claims rule:

Mail -> Given Name

Now, I wasn't expecting it to work, and of course it didn't.

I was thinking it might make more sense to create a custom rule, where I could use some logic to determine if the user's group is "External" (or something similar), and if so, send the Mail attribute as Given Name, instead of the SAM-Account-Name for internal users.

Would that work in the described scenario? And more importantly, if so, can anyone give me some pointers?

Thanks!
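The group-based approach described in the question can be expressed directly in the AD FS claim rule language: one rule issues the mail attribute as Given Name when the user is a member of the externals group, a second rule issues sAMAccountName as Given Name only when that group claim is absent, so exactly one Given Name claim is ever produced. Below is an added example (not from the original post) that writes such a rule set to the relying party trust with PowerShell. The relying party name, the externals group SID and the custom claim type URIs are placeholders; the group is matched by SID via the groupsid claim that the Active Directory claims provider passes through on Windows and forms authentication, and the LDAP lookups are keyed on the windowsaccountname claim (DOMAIN\sAMAccountName), which is still populated when Alternate Login ID is enabled.

```powershell
# Placeholders: replace with the real relying party display name and the
# objectSid of the AD group that holds the external users.
$RpName           = "Third-Party App"
$ExternalGroupSid = "S-1-5-21-0000000000-0000000000-0000000000-0000"

$GroupSidType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$WinAcctType   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$GivenNameType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$NameIdType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Expandable here-string: the $... variables above are substituted,
# the claim rule language's own tokens (c1, c2, {0}) are left as-is.
$Rules = @"
@RuleName = "Externals: issue mail as Given Name"
c1:[Type == "$GroupSidType", Value == "$ExternalGroupSid", Issuer == "AD AUTHORITY"]
 && c2:[Type == "$WinAcctType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$GivenNameType"), query = ";mail;{0}", param = c2.Value);

@RuleName = "Internals: issue sAMAccountName as Given Name"
NOT EXISTS([Type == "$GroupSidType", Value == "$ExternalGroupSid"])
 && c:[Type == "$WinAcctType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$GivenNameType"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Given Name attribute as Name ID"
c:[Type == "$WinAcctType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$NameIdType"), query = ";givenName;{0}", param = c.Value);
"@

# Replace the trust's issuance transform rules with the set above.
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $Rules

# Read the rules back so the deployed text can be checked against the intent.
Get-AdfsRelyingPartyTrust -Name $RpName | Select-Object -ExpandProperty IssuanceTransformRules
```

The two Given Name rules are written to be mutually exclusive (group claim present versus NOT EXISTS), which matters because the third-party application treats that claim as the username: issuing both values would leave it to the application to pick one. The third rule reproduces the existing "Given-Name -> Name ID" LDAP attribute mapping; if that rule is already in place in a different form, keep the original and drop this one from the set. After applying, sign in once as an internal and once as an external test account and confirm in the issued token that the Given Name claim holds sAMAccountName and the mail address respectively.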
