Thanks for getting back to me,
I don't think I explained this very well, apologies. The ADFS SSO login for users accessing the device registration page is working fine - and they use their full username (email address) to log in. The problem I have is that when you register a device 'sponsor_name' gets automatically populated with the first part of the ADFS username, and sponsor_name is what gets returned in the enforcement profile when a device logs into the IoT MPSK SSID. We want the whole username including the domain to be returned in that enforcement profile.
We have actually found a workaround that seems to work, which is to add the domain on using the enforcement profile, so that just returns:
%{Authorization:[Guest Device Repository]:SponsorName}@<domain>
...as the IETF username. That seems to do the job, but might not be what you'd recommend?
It does bring me on to a related question (I hope you don't mind) - when someone registers a new device the form has an email address field, but really it would be better if we could just autopopulate the email address field with the username that they logged in with. Is that value available to us? I'm assuming it must be available somehow as sponsor_name gets set as the first part of the username, but I can't see how that happens. Do you have any advice?
[UPDATE] I'm just looking at the SAML trace and can see that the 'subject' and 'NameID' are returned here as my username without @domain. Perhaps it is this that ClearPass is picking up and populating the sponsor_name field with? So this is what you meant when you mentioned the IdP could be configured to return a fully qualified username? I could certainly ask the chaps who run the AD if this is possible.
I hope that makes sense?
Thanks
Guy
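
An added example, not part of the original post: one way to check a decoded SAML response from the trace and see whether the Subject NameID, or any other attribute the IdP releases, carries a fully qualified username. The sample response, the user `jsmith@example.org` and the presence of a UPN attribute are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a decoded SAML response with the signature omitted.
# Only parse traces you captured yourself; this does no signature validation.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <saml:AttributeValue>jsmith@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def is_qualified(value):
    """True when the value looks like user@domain.tld."""
    local, sep, domain = value.rpartition("@")
    return bool(sep and local and "." in domain)


def inspect_identity(xml_text):
    """Report what the assertion says about the user's identity."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject NameID")
    value = name_id.text.strip()
    # Collect every released attribute whose value is a qualified username.
    qualified = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        for val in attr.iterfind("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            if is_qualified(text):
                qualified[attr.get("Name")] = text
    return {
        "name_id": value,
        "name_id_format": name_id.get("Format"),
        "name_id_qualified": is_qualified(value),
        "qualified_attributes": qualified,
    }


if __name__ == "__main__":
    print(inspect_identity(SAMPLE_RESPONSE))
```

If `name_id_qualified` is false and `qualified_attributes` is empty, the IdP is not releasing the domain at all, and the change has to be made in the IdP's claim rules.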