ADFS configuration: Can I configure ADFS to serve a claim containing URL to a user's profile picture?

StackOverflow https://stackoverflow.com/questions/21339010

  •  02-10-2022

Question

I am building a SaaS application which needs to have SSO with a client's ADFS server. Is it possible to get a URL to a user's AD profile picture to show up as a claim in the SAML token, so I can display it in my app?

Solution

Yes, but the URL needs to come from some store, e.g. AD itself or a SQL database. You can add a claims rule that adds it to the token.

OTHER TIPS

You can pass the AD profile picture as a claim to your RP application. You can then save off the profile picture in your RP application database and serve it from there.

To do that, just select thumbnailPhoto or jpegPhoto (whichever attribute you use in AD to store the photo) as an attribute to pass in the "Pass LDAP Attributes as Claims" rule.

One thing that you'll want to do on the RP side is to immediately save off the picture claim to the RP database, then remove the claim from the claim set. Do this as soon as the token is received, otherwise the picture claim will be persisted to the RP session cookie which will bloat it quite a lot.
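
The RP-side step described above, sketched as an added example that is not part of the original answer: the picture claim is pulled out, checked, stored, and dropped before the claim set is serialized into the session. The claim type URI `PHOTO_CLAIM`, the base64 encoding of the value, the size cap, the JPEG check and the in-memory `photo_store` are all assumptions of this sketch.

```python
import base64
import json

# Hypothetical outgoing claim type; use whatever the ADFS rule maps thumbnailPhoto to.
PHOTO_CLAIM = "http://example.com/claims/thumbnailphoto"
NAME_ID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
MAX_PHOTO_BYTES = 100 * 1024   # cap chosen for this example
JPEG_MAGIC = b"\xff\xd8\xff"
photo_store = {}               # stand-in for the RP database, keyed by user id

def split_photo_claim(claims):
    """Return (session_claims, photo_bytes_or_None).

    The photo claim is always dropped from session_claims, even when its
    value is rejected, so it can never reach the session cookie.
    """
    session_claims = [c for c in claims if c["type"] != PHOTO_CLAIM]
    for c in claims:
        if c["type"] != PHOTO_CLAIM:
            continue
        try:
            # Assumption: the binary attribute arrives base64-encoded.
            raw = base64.b64decode(c["value"], validate=True)
        except ValueError:
            return session_claims, None   # malformed value: discard it
        if len(raw) <= MAX_PHOTO_BYTES and raw.startswith(JPEG_MAGIC):
            return session_claims, raw
        return session_claims, None       # oversized or not a JPEG: discard it
    return session_claims, None

def on_token_received(claims):
    """Call once, after token validation and before the session is written."""
    session_claims, photo = split_photo_claim(claims)
    user_id = next(c["value"] for c in session_claims if c["type"] == NAME_ID_CLAIM)
    if photo is not None:
        photo_store[user_id] = photo
    return session_claims

# Constructed sample claims: a fake 8 KB "JPEG" (magic bytes plus padding).
fake_jpeg = JPEG_MAGIC + b"\x00" * 8192
sample_claims = [
    {"type": NAME_ID_CLAIM, "value": "alice@example.com"},
    {"type": PHOTO_CLAIM, "value": base64.b64encode(fake_jpeg).decode()},
]

if __name__ == "__main__":
    kept = on_token_received(sample_claims)
    print("serialized claims before:", len(json.dumps(sample_claims)), "bytes")
    print("serialized claims after: ", len(json.dumps(kept)), "bytes")
```

Treating the picture as untrusted input (size cap, type check) matters here because it originates in the client's directory, not in the RP's own data.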

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow