Using Claims X-Ray to investigate ADFS Claim issues

When it comes to investigating claims sent by ADFS to federated applications there are many methods available. My favorite however is the Claims X-Ray service offered by Microsoft.

Essentially Claims X-Ray creates a new Relying Party Trust in your ADFS environment. I usually copy the claims for the application I’m working on to the Claims X-Ray trust and trigger the login from the Claims X-Ray page.

Setting up Claims X-Ray

  1. Go to https://adfshelp.microsoft.com/ClaimsXray/TokenRequest and grab the PowerShell code from the section “Create the Claims X-Ray relying party trust”.
  2. Run the script in a elevated PowerShell prompt on your primary ADFS server.
  3. If using OAuth repeat the steps with the code from the section “Create the oAuth client”

Adding the claims

While you could add claims manually I usually copy the claim rules from an existing Relying Party Trust. For this I use a handy PowerShell function from the TechNet script center by Marius Solbakken Mellum.

  1. Grab the script here and copy it to your primary ADFS server.
  2. From an elevated PowerShell prompt run the script to import the function.
  3. From the same PowerShell prompt run the following command:
Copy-ADFSClaimRules -SourceRelyingPartyTrustName "<Soruce>" -DestinationRelyingPartyTrustName "Claims X-Ray"

Don’t forget to go back to the TechNet script center and give the script five stars!

Testing

Now we can actually perform a login using the Relaying Party Trust created.

  1. Go back to https://adfshelp.microsoft.com/ClaimsXray/TokenRequest and hit Next.
  2. In “Federation instance” enter the URL of your ADFS farm / server.
  3. Select your “Authentication type” and “Token request”-type.
  4. Click “Test Authentication”
  5. Enjoy your claims, make changes and repeat the process until you get the magic right!
A somewhat censored example of results returned by Claims X-Ray.

Leave a Reply

Your email address will not be published.