

AD FS 2.0: Domain Local Groups in a claim

Introduction

The basic method for adding group memberships to claims is to use Send LDAP Attributes as Claims and pick one of the tokenGroups options.  This method works for global and universal groups but leaves out any domain local groups.  The primary reason is that there is no intuitive way to decide which domain these should be pulled from.

Workaround

Assuming there is only one domain that the users exist in, and AD FS exists in that same domain, there is a workaround.  When choosing Send LDAP Attributes as Claims, one of the options is Is-Member-Of-DL.  This polls the memberOf attribute and pulls out the distinguished name of each group.  If this format (CN=group,DC=contoso,DC=com) is acceptable, then that is all that needs to be done.

Note: the memberOf attribute only returns direct membership, not nested group membership.

Comparison: tokenGroup vs memberOf

Custom Claim Rules

If the simple name, without the OU information, is preferred, it can be accomplished with three custom claim rules.  Three sets of claims will not be added to the token, because two of the rules only add claims to the working set.  The order of the custom rules is important: the rules may not function if they are listed out of order in the claim rules window.

Rule 1:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://contoso.com/phase1"), query = ";memberOf;{0}", param = c.Value);

Rule 2:

c:[Type == "http://contoso.com/phase1"]
=> add(Type = "http://contoso.com/phase2", Value = regexreplace(c.Value, ",[^\n]*", ""));

Rule 3:

c:[Type == "http://contoso.com/phase2"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = regexreplace(c.Value, "^CN=", ""));

Notes:
The types http://contoso.com/phase1 and http://contoso.com/phase2 can be named anything.  There is no need to rename them to the actual domain name, though doing so is fine.  The issued claim type in rule 3 can be changed as well.

Rule Explanations:

  • Rule 1: Takes all the information from the memberOf attribute and stores it in the phase1 claim set
  • Rule 2: Takes all the claims in the phase1 claim set, removes the first comma and everything after it, and stores the result in the phase2 claim set
  • Rule 3: Takes all the claims in the phase2 claim set, removes the leading CN=, then issues the claim as type http://schemas.microsoft.com/ws/2008/06/identity/claims/role

Example: if memberOf contained CN=group,DC=contoso,DC=com

  • Rule 1 would add CN=group,DC=contoso,DC=com as a phase1 claim
  • Rule 2 would add CN=group as a phase2 claim
  • Rule 3 would issue group as a role claim
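The following Python script is an added example, not part of the original article and not AD FS code: it replays rules 2 and 3 (the two regexreplace steps; rule 1 is the LDAP fetch) over a constructed list of memberOf values, so the transformation can be checked before the rules are pasted into the claim rules window. It also shows two caveats a practitioner will want to check for in their own directory: a group whose CN contains an escaped comma (RFC 4514 writes it as "\,") is truncated by the ",[^\n]*" pattern, and two groups in different OUs that share the same CN are issued as identical role claims, so the relying party cannot tell them apart. The group names and OUs below are constructed sample data; first_rdn_value is a small DN-aware helper written for this example.

```python
import re

# Constructed sample memberOf values for one user (not taken from the article).
SAMPLE_MEMBER_OF = [
    "CN=group,DC=contoso,DC=com",
    "CN=Finance Admins,OU=Groups,DC=contoso,DC=com",
    "CN=Finance Admins,OU=Legacy,DC=contoso,DC=com",   # same CN, different OU
    r"CN=Sales\, EMEA,OU=Groups,DC=contoso,DC=com",      # RFC 4514 escaped comma in the CN
]


def rule2_strip_after_comma(value):
    """Rule 2: regexreplace(c.Value, ",[^\\n]*", "") - drop the first comma and all that follows."""
    return re.sub(r",[^\n]*", "", value)


def rule3_strip_cn_prefix(value):
    """Rule 3: regexreplace(c.Value, "^CN=", "") - drop the leading CN=."""
    return re.sub(r"^CN=", "", value)


def article_pipeline(member_of):
    """Apply rules 2 and 3 exactly as the article's regexes do; returns the role values issued."""
    return [rule3_strip_cn_prefix(rule2_strip_after_comma(dn)) for dn in member_of]


def first_rdn_value(dn):
    """Return the unescaped value of a leading CN= RDN, honouring backslash escapes
    such as "\\," (hex-pair escapes like "\\2C" are not decoded here). Returns None
    if the DN does not start with CN=."""
    if not dn.startswith("CN="):
        return None
    out = []
    i = 3
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            out.append(dn[i + 1])   # escaped character, keep it literally
            i += 2
            continue
        if ch == ",":
            break                   # unescaped comma ends the first RDN
        out.append(ch)
        i += 1
    return "".join(out)


def dn_aware_pipeline(member_of):
    """Same outcome as the article's rules for ordinary group names, but keeps
    escaped commas inside the CN intact."""
    return [cn for cn in (first_rdn_value(dn) for dn in member_of) if cn is not None]


def find_cn_collisions(member_of):
    """Return {cn: [dn, ...]} for distinct groups that would be issued as the same role value."""
    by_cn = {}
    for dn in member_of:
        cn = first_rdn_value(dn)
        if cn is not None:
            by_cn.setdefault(cn, []).append(dn)
    return {cn: dns for cn, dns in by_cn.items() if len(dns) > 1}


if __name__ == "__main__":
    print("article rules :", article_pipeline(SAMPLE_MEMBER_OF))
    print("DN-aware      :", dn_aware_pipeline(SAMPLE_MEMBER_OF))
    for cn, dns in find_cn_collisions(SAMPLE_MEMBER_OF).items():
        print("role collision:", cn, "<-", dns)
```

Run it against a dump of your own users' memberOf values (for example from Get-ADUser -Properties memberOf) to see whether any group in scope trips either caveat; if find_cn_collisions reports anything, the bare CN is not a safe key for authorization decisions at the relying party and the full DN from the Is-Member-Of-DL option may be the better claim value.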