Share via

AD FS 2.0: Selectively send group membership(s) as a claim

  • Article

You can send group membership as claims by using the built in templates

  • Create a new rule, choose “Send LDAP Attributes as Claims”
  • Choose Active Directory as the Attribute Store, and choose the LDAP Attribute “Token-Groups – Unqualified Names” and the claim type as “Group”
  • This will send *ALL* group membership information as claims. 

If you do not want to send all of them, you can send a subset of them by creating two separate custom rules.

**First Rule:
**
The first rule gathers all group membership, and adds them to the incoming claim set. This allows the next rule to parse through them, and only pull ones that you want. The order is important, so make sure the first rule is executed before the second one.

Syntax:

 c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value);

Second Rule: 

The second rule parses through all the group claims, and issues (sends) the ones that match the specific values you want: for example, ones that start with “ADFS”

Syntax:

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)adfs"]
=> issue(claim = c);

Additional Option for the Second Rule:
Some detail regarding another option for the second rule - With the example below, you can use additional group attributes (info=Role, in this case) to select which of the users groups become role claims.  Note that the 'info' attribute is displayed in the AD console as 'Notes', so the administrator can put the word 'Role' into the notes field of a group and it will be automatically made into a role claim for any users that are direct members of that group.  Indirect membership in the group (via group nesting) will not work with this example (which I happen to like for role claims).  This example still requires the first rule, as described above.

c1:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "(&(distinguishedName={0})(info=Role));name;{1}", param = c1.Value, param = c2.Value);