ADFS. Third Party True Claim Rule needed to return `domain\user`

Solution 1:

If anyone runs into this issue. You need two rules.

Rule #1: sAMAccountName to temp This tells ADFS to look in ActiveDirectory and return any accounts where the UPN or Email address matches. Then the rule stores the value into a temporary variable which we'll use in the next rule.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(store = "Active Directory", types = ("claims:temp/attribute1"), query = "(&(objectCategory=person)(objectClass=user)(|(userPrincipalName={0})(mail={0})));sAMAccountName;contoso\adfs_service_account", param = c.Value);

NB. The contoso\adfs_service_account is important. ADFS needs this to auto-discover a Domain Controller. Use ANY AD account, just so long as it is a real account.

Rule #2: temp to WindowsAccountName The above rule only returns the sAMAccountName, not the domain. In my case I only had one domain. As such, I hardcoded it below.

c:[Type == "claims:temp/attribute1"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = "https://contoso.verify.ibm.com/saml/sps/saml20ip/saml20", Value = "contoso\" + c.Value);