Microsoft AD FS 3 and 4 - Required claims

In this article, claim rules examples for enabling/disabling MFA are shown. I can’t find anywhere that lists what claims the Duo application expects and where to set those up, though. I’m not using Active Directory as my identity provider, so I need to set these up manually.

Does anyone know what claims I need to set up and where? UPN/sAMAccountName and Acceptance Transform Rules for my Claims Provider Trust? Or the Issuance Transform Rules for my Relying Party Trust?

Hi redscout88,

Have you seen our guide to configuration for Duo with AD FS 3? You may find the answers you’re looking for there. If you still have questions after reading it, then let me know what additional info you’re looking for and I’ll be happy to help further.

That still just seems to cover enabling/disabling MFA based on a set of claims. I have no problem with making MFA required, but I always an error message when ADFS takes me to the MFA page and it tries to load the Duo content.

I’m trying to figure out which properties Duo expects in order to load without error during ADFS sign in. I assume that’s some kind of identifier like UPN/SAM Account Name based on the install instructions, but I can’t figure out where that needs to be made available to Duo.


As far as the usernames that get sent to Duo we default to sAMAccountName. In version and higher there is the option to use UPN as the account name, which is documented here.

If you’re uncertain what username is being sent today, you can enable debug logging and see what is reported there.

I double checked my registry, and I have it set up to use UPN. Where does Duo get that from, though? I have a UPN claim set up on both my claims provider and relying party.

Also, I enabled debug logging in the registry and restarted ADFS, but I don’t see a Duo folder in my Windows Event Logs. What should the log be called? Just “Duo” or something?

I figured out that the undocumented required setup is an ADFS anchor claim matching the claim type being used by Duo.

Now I’ve got it working through the push notification, but still need to resolve a “SessionSecurityToken does not contain a single AnchorID claim” error occurring immediately after Duo auth before I can say this will work for us.