AD FS Help Claims X-Ray

Claims X-Ray

Use the Claims X-ray service to debug and troubleshoot problems with claims issuance. The service interacts with your AD FS deployment and helps you issue the claims that you need for your applications.

You can choose between different authentication methods and request types, and we will show you all of the claims returned by your federation service. Customize your policies to get just the claims you want.

In order to use Claims X-Ray, you must create a relying party trust for the service in your federation deployment. If you want to test oAuth, you'll also need to create the oAuth client. Once you've completed setup, you'll be able to request a token and view the claims inside of it. From there, you can customize the claim rules to whatever you want to test.

We've provided two different ways to get you setup:
1. Simple Setup: two copy/paste PowerShell scripts for creating the relying party trust and oAuth client
2. Relying Party Trust Management: a downloadable PowerShell script that will create both the relying party trust and oAuth client, and also provide you the ability to copy claims between relying party trusts. So once you've tailored your claims on the X-Ray relying party trust, copying it to your real application is only a few clicks.
In addition, we've also provided an Advanced option for users that want to use the service directly without going through the portal.
Use the arrow keys to navigate through the pivots and tab to focus on focusable content inside a pivot section

Simple Setup

Relying Party Trust Management

Advanced Usage

Simple setup selected

Log into the primary node of your federation service

Launch an elevated PowerShell session

Create the Claims X-Ray relying party trust

PowerShell

$authzRules = "=>issue(Type = `"http://schemas.microsoft.com/authorization/claims/permit`", Value = `"true`"); " $issuanceRules = "@RuleName = `"Issue all claims`"`nx:[]=>issue(claim = x); " $redirectUrl = "https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" $samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $redirectUrl Add-ADFSRelyingPartyTrust -Name "ClaimsXray" -Identifier "urn:microsoft:adfs:claimsxray" -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $issuanceRules -WSFedEndpoint $redirectUrl -SamlEndpoint $samlEndpoint

In order to use oAuth with Claims X-Ray, you must create an oAuth client for the service in your federation deployment.

oAuth functionality is only available on Windows Server 2012 R2 and above, and it requires that your federation service is available on the extranet.

Log into the primary node of your federation service

Launch an elevated PowerShell session

Create the oAuth client

PowerShell

Add-AdfsClient -Name "ClaimsXrayClient" -ClientId "claimsxrayclient" -RedirectUri https://adfshelp.microsoft.com/ClaimsXray/TokenResponse if ([System.Environment]::OSVersion.Version.major -gt 6) { Grant-AdfsApplicationPermission -ServerRoleIdentifier urn:microsoft:adfs:claimsxray -AllowAllRegisteredClients -ScopeNames "openid","profile" }

Relying party trust management selected

Log into the primary node of your federation service

Launch an elevated PowerShell session

Download the ADFS Help Claims X-Ray Manager script and run it. This will create the relying party trust and oAuth client (if applicable), and provide a dialog for you to manage your relying party trusts. If Claims X-Ray is already deployed to your federation service, we won't change anything.

Use the Claims X-Ray service to create the claims policies needed for you application.

Copy the claims from the Claims X-Ray service to your application.

oAuth functionality is only available on Windows Server 2012 R2 and above, and it requires that your federation service is available on the extranet.

When you launch the script, you'll be shown a dialog where you need to choose:

Whether you want to copy to or from the Claims X-Ray relying party trust.

The source or target relying party trust.

Once you've made your selections, click Apply Changes to copy the claims. We'll also make a backup of the current configuration of your relying party trust for safe keeping. It will be in a log file that is located in the same folder as the PowerShell script.

Advanced usage selected

If your federation service is already setup to use the Claims X-Ray service, you can use it directly from your browser using query string parameters. This way you don't need to specify your options through the portal, just provide the parameters in your browser and go.

Query string parameters (bold denotes default value):

sts: federation service name

auth: authentication type [ default | forms | wia | cert | mfa ]

type: request type [ oauth | samlp | wsfed ]

fresh: force fresh authentication [ true | false ]

Federation service is the only required field for automatic redirection.

Example:
https://adfshelp.microsoft.com/ClaimsXray/TokenRequest?sts=federation.contoso.com&auth=forms&type=samlp&fresh=true
In order to perform an x-ray on your claims, we need you to provide us with some information. Once you've made your selections, we will open a new browser tab, redirect to your service, obtain a token, and finally display your claims.
1. Specify your federation service name
2. Select the authentication method
3. Select the token request type
Note: if you want to force fresh authentication for your request, you need to turn that feature on using the toggle switch below.
Federation instance

https://

Authentication type

Default Policy Forms Windows Integrated Authentication Certificate Multifactor Authentication

Token request

oAuth SAML-P (SAML 2.0) WS-FED (SAML 1.1)

By clicking on Test Authentication you agree to our Terms of Use and Privacy Agreement.