When it comes to investigating claims sent by ADFS to federated applications there are many methods available. My favorite however is the Claims X-Ray service offered by Microsoft.
Essentially Claims X-Ray creates a new Relying Party Trust in your ADFS environment. I usually copy the claims for the application I’m working on to the Claims X-Ray trust and trigger the login from the Claims X-Ray page.
Setting up Claims X-Ray
- Go to https://adfshelp.microsoft.com/ClaimsXray/TokenRequest and grab the PowerShell code from the section “Create the Claims X-Ray relying party trust”.
- Run the script in an elevated PowerShell prompt on your primary ADFS server.
- If using OAuth, repeat the steps with the code from the section “Create the oAuth client”.
Adding the claims
While you could add claims manually I usually copy the claim rules from an existing Relying Party Trust. For this I use a handy PowerShell function from the TechNet script center by Marius Solbakken Mellum.
- Grab the script here and copy it to your primary ADFS server.
- From an elevated PowerShell prompt run the script to import the function.
- From the same PowerShell prompt run the following command:
Copy-ADFSClaimRules -SourceRelyingPartyTrustName "<Source>" -DestinationRelyingPartyTrustName "Claims X-Ray"
Don’t forget to go back to the TechNet script center and give the script five stars!
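For readers who prefer the built-in ADFS cmdlets over a downloaded script, the following is an added example (not the TechNet script above and not part of the original post) that copies the claim rules of an existing trust to the Claims X-Ray trust, backs up the rules it overwrites and verifies the copy. It assumes the ADFS PowerShell module is available on the primary ADFS server and that “<Source>” is replaced with the real trust name.

```powershell
# Added example: copy claim rules to the Claims X-Ray trust with the ADFS cmdlets.
# "<Source>" is a placeholder for the name of the Relying Party Trust to copy from.
Import-Module ADFS

function Copy-ClaimRulesToClaimsXray {
    param(
        [Parameter(Mandatory)] [string] $SourceName,
        [string] $DestinationName = "Claims X-Ray"
    )

    $source      = Get-AdfsRelyingPartyTrust -Name $SourceName
    $destination = Get-AdfsRelyingPartyTrust -Name $DestinationName
    if (-not $source)      { throw "Source trust '$SourceName' not found." }
    if (-not $destination) { throw "Trust '$DestinationName' not found; run the Claims X-Ray setup script first." }

    # Keep the rules currently on the Claims X-Ray trust so they can be restored later.
    $backup = Join-Path $env:TEMP ("ClaimsXray-rules-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    $destination.IssuanceTransformRules | Set-Content -Path $backup

    # Issuance transform rules decide which claims end up in the token; this is what
    # Claims X-Ray shows, so they are always copied.
    Set-AdfsRelyingPartyTrust -TargetName $DestinationName `
        -IssuanceTransformRules $source.IssuanceTransformRules

    # Issuance authorization rules decide who may obtain a token at all. On ADFS 2016+
    # a trust governed by an access control policy rejects raw authorization rules, so
    # they are copied only when the destination has no policy assigned (assumption).
    if ($source.IssuanceAuthorizationRules -and -not $destination.AccessControlPolicyName) {
        Set-AdfsRelyingPartyTrust -TargetName $DestinationName `
            -IssuanceAuthorizationRules $source.IssuanceAuthorizationRules
    }

    # Read the rules back and confirm the transform rules match the source text.
    $check = Get-AdfsRelyingPartyTrust -Name $DestinationName
    if ($check.IssuanceTransformRules -ne $source.IssuanceTransformRules) {
        throw "Issuance transform rules on '$DestinationName' do not match '$SourceName'."
    }
    Write-Host "Copied rules from '$SourceName' to '$DestinationName'. Previous rules saved to $backup"
}

Copy-ClaimRulesToClaimsXray -SourceName "<Source>"
```

Because the Claims X-Ray trust echoes every claim it receives, restore the backed-up rules (or remove the trust) once testing is done so it does not keep issuing production claims.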
Testing
Now we can actually perform a login using the Relying Party Trust created.
- Go back to https://adfshelp.microsoft.com/ClaimsXray/TokenRequest and hit Next.
- In “Federation instance” enter the URL of your ADFS farm / server.
- Select your “Authentication type” and “Token request”-type.
- Click “Test Authentication”.
- Enjoy your claims, make changes and repeat the process until you get the magic right!