With the WS-Federation protocol, ADFS passes the user's login name as a URL parameter called "login_hint". For DualShield to understand this parameter and map it to the user's login name, we need to add an attribute to the service provider.

Generally speaking, a service provider (SAML or WSFED) will ask the identity provider, i.e. DualShield, to return some specific attributes upon successful user authentication. 

In the DualShield Admin Console, find the Service Provider, e.g. "ADFS". 

In the context menu of the service provider, select "Edit", then click the "Attribute" tab

Click the "Create" button to add a new attribute

Set the "Location" where the attribute is to be placed. Normally, it is in the "HTTP Body"

Enter the name of the attribute that the service provider expects, e.g. "email"

Select the "format" of the attribute

Finally, specify the value of the attribute

The value of an attribute can be obtained in one of the following 3 ways

  • Maps to an identity attribute
  • A fixed value
  • Computed by a script

Typically, an attribute is mapped to an identity attribute, e.g. to an AD attribute



Make sure that the option "Get Input" is selected
