AD FS Help Claims X-Ray

Claims X-Ray

Use the Claims X-ray service to debug and troubleshoot problems with claims issuance. The service interacts with your AD FS deployment and helps you issue the claims that you need for your applications.

You can choose between different authentication methods and request types, and we will show you all of the claims returned by your federation service. Customize your policies to get just the claims you want.

  • In order to use Claims X-Ray, you must create a relying party trust for the service in your federation deployment. If you want to test oAuth, you'll also need to create the oAuth client. Once you've completed setup, you'll be able to request a token and view the claims inside of it. From there, you can customize the claim rules to whatever you want to test.

    We've provided two different ways to get you set up:

    1. Simple Setup: two copy/paste PowerShell scripts for creating the relying party trust and oAuth client
    2. Relying Party Trust Management: a downloadable PowerShell script that will create both the relying party trust and oAuth client, and also lets you copy claims between relying party trusts. Once you've tailored your claims on the X-Ray relying party trust, copying them to your real application takes only a few clicks.

    In addition, we've also provided an Advanced option for users that want to use the service directly without going through the portal.

    1. Log into the primary node of your federation service
    2. Launch an elevated PowerShell session
    3. Create the Claims X-Ray relying party trust

    In order to use oAuth with Claims X-Ray, you must create an oAuth client for the service in your federation deployment.

    oAuth functionality is only available on Windows Server 2012 R2 and above, and it requires that your federation service is available on the extranet.

    1. Log into the primary node of your federation service
    2. Launch an elevated PowerShell session
    3. Create the oAuth client
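
The copy step mentioned above (moving tailored claim rules from the X-Ray relying party trust to a real application's trust) can also be done by hand with the AD FS cmdlets. The function below is an added example, not the downloadable script this page refers to; the function name, its parameters, and the trust names in the usage comment are hypothetical. It backs up the target's current rules and refuses to copy a rule set that still passes every claim through unconditionally.

```powershell
# Added example. Run in an elevated session on the primary AD FS node (ADFS module).
function Copy-AdfsIssuanceRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SourceName,   # test trust whose rules were tailored
        [Parameter(Mandatory)] [string] $TargetName,   # the real application's trust
        [string] $BackupDirectory = (Get-Location).Path,
        [switch] $AllowPassThrough
    )

    # Get-AdfsRelyingPartyTrust returns nothing (no error) when the name is unknown.
    $source = Get-AdfsRelyingPartyTrust -Name $SourceName
    $target = Get-AdfsRelyingPartyTrust -Name $TargetName
    if (-not $source) { throw "Relying party trust '$SourceName' not found." }
    if (-not $target) { throw "Relying party trust '$TargetName' not found." }

    $rules = $source.IssuanceTransformRules
    if ([string]::IsNullOrWhiteSpace($rules)) {
        throw "'$SourceName' has no issuance transform rules to copy."
    }

    # A rule with an empty condition, e.g. "x:[] => issue(claim = x);", issues
    # every incoming claim. That suits a debugging trust, not a production one.
    if (-not $AllowPassThrough -and $rules -match '\[\s*\]\s*=>\s*issue\s*\(\s*claim\s*=') {
        throw "Source still has an unconditional pass-through rule; tailor it or use -AllowPassThrough."
    }

    if ($rules -eq $target.IssuanceTransformRules) {
        Write-Verbose "Rules on '$TargetName' already match '$SourceName'."
        return
    }

    # Save the target's current rules so the change can be rolled back.
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $safeName = $TargetName -replace '[^\w.-]', '_'
    $backup   = Join-Path $BackupDirectory "$safeName-IssuanceTransformRules-$stamp.txt"

    if ($PSCmdlet.ShouldProcess($TargetName, "Replace issuance transform rules with those of '$SourceName'")) {
        Set-Content -Path $backup -Value ([string]$target.IssuanceTransformRules) -Encoding UTF8
        Set-AdfsRelyingPartyTrust -TargetName $TargetName -IssuanceTransformRules $rules
        Write-Output "Copied rules to '$TargetName'; previous rules saved to $backup"
    }
}

# Usage (placeholder names): preview first, then apply.
# Copy-AdfsIssuanceRules -SourceName '<X-Ray trust name>' -TargetName '<application trust name>' -WhatIf
```
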
  • In order to perform an x-ray on your claims, we need you to provide us with some information. Once you've made your selections, we will open a new browser tab, redirect to your service, obtain a token, and finally display your claims.

    1. Specify your federation service name
    2. Select the authentication method
    3. Select the token request type

    Note: if you want to force fresh authentication for your request, you need to turn that feature on using the toggle switch below.
