AD FS 2.0: Domain Local Groups in a claim
First published by Joji Oshima (9Microsof), 4 Oct 2012 11:48 AM
Introduction
The basic way to put group memberships into claims is the Send LDAP Attributes as Claims rule template with one of the tokenGroups options (unqualified names, qualified by domain name, or qualified by long domain name). This works for global and universal groups but leaves out domain local groups. The main reason is that there is no intuitive way to decide which domain's domain local groups should be pulled in.
Workaround
Assuming users exist in only one domain and the AD FS server is in that same domain, there is a workaround. Send LDAP Attributes as Claims offers the LDAP attribute Is-Member-Of-DL (memberOf). This reads the user's memberOf attribute and returns the distinguished name of each group, including that domain's domain local groups. If this format (CN=group,DC=contoso,DC=com) is acceptable to the relying party, nothing more needs to be done. Note that memberOf lists direct memberships only: nested groups and the user's primary group are not included, unlike tokenGroups.
Custom Claim Rules
If the simple group name, without the OU and domain components, is preferred, it can be done with three custom claim rules. The token will not end up with three sets of claims: the first two rules use add(), which only places claims in the working set for later rules to read, and only the third rule uses issue(). The order of the rules matters, since each rule reads the claims the previous one added; they may not work if listed out of order in the claim rules window.
Rule 1:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://contoso.com/phase1"), query = ";memberOf;{0}", param = c.Value);
Rule 2:
c:[Type == "http://contoso.com/phase1"]
=> add(Type = "http://contoso.com/phase2", Value = regexreplace(c.Value, ",[^\n]*", ""));
Rule 3:
c:[Type == "http://contoso.com/phase2"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = regexreplace(c.Value, "^CN=", ""));
Notes:
The types http://contoso.com/phase1 and http://contoso.com/phase2 are arbitrary URIs and can be named anything. There is no need to use the real domain name, though doing so is fine. The claim type issued in rule 3 can also be changed to whatever the relying party expects.
Two caveats for anyone authorizing on these role claims. The value is the group's CN only, not its sAMAccountName, and a CN is unique only within its parent container, so two groups with the same CN in different OUs yield identical role claims; anyone with rights to create groups in some OU could create a group named like a privileged one. Also, the regexreplace in rule 2 cuts at the first comma, so a CN containing an escaped comma (CN=Ops\, Team) is truncated to Ops\. If either matters, keep the full DN (the Is-Member-Of-DL option above) and match on the DN instead.
Rule explanations:
Rule 1: Queries the user's memberOf attribute in Active Directory and adds each distinguished name to the working set as a phase1 claim.
Rule 2: Takes every phase1 claim, removes everything from the first comma onward, and adds the result to the working set as a phase2 claim.
Rule 3: Takes every phase2 claim, removes the leading CN=, and issues the result as a claim of type http://schemas.microsoft.com/ws/2008/06/identity/claims/role.
Example: if memberOf contained CN=group,DC=contoso,DC=com
Rule 1 would add CN=group,DC=contoso,DC=com as a phase1 claim
Rule 2 would add CN=group as a phase2 claim
Rule 3 would issue group as a role claim
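The following is an added example, not code from the article or from AD FS, that simulates the three rules above in Python so the transformation and its edge cases can be checked offline. The "Active Directory" store is replaced by a constructed dictionary (SAMPLE_DIRECTORY) of invented accounts and memberOf values; the two regular expressions are the article's own, and they behave the same under Python's re as under the .NET regex engine AD FS uses. dn_to_cn_safe is my suggestion for an escaped-comma-aware CN extraction and is not part of the article.

```python
import re

# Claim types used by the article's three rules.
WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
PHASE1 = "http://contoso.com/phase1"
PHASE2 = "http://contoso.com/phase2"

# Constructed stand-in for the "Active Directory" attribute store:
# windowsaccountname -> the user's memberOf values. Invented data, not a real directory.
SAMPLE_DIRECTORY = {
    "CONTOSO\\alice": [
        "CN=group,DC=contoso,DC=com",
        "CN=Finance Users,OU=Groups,DC=contoso,DC=com",
        "CN=Ops\\, Team,OU=Groups,DC=contoso,DC=com",  # RFC 2253 escaped comma inside the CN
    ],
    "CONTOSO\\bob": [
        "CN=Finance Users,OU=Contractors,DC=contoso,DC=com",  # same CN as alice's group, other OU
    ],
    "CONTOSO\\carol": [],  # no direct group memberships at all
}


def rule1(claims, directory):
    """Rule 1: for each windowsaccountname claim, look up memberOf and add() one phase1 claim per DN."""
    added = [(PHASE1, dn)
             for ctype, value in claims if ctype == WINDOWS_ACCOUNT_NAME
             for dn in directory.get(value, [])]
    return claims + added  # add() extends the working set only; nothing is issued yet


def rule2(claims):
    """Rule 2: regexreplace(c.Value, ",[^\\n]*", "") drops everything from the first comma on."""
    added = [(PHASE2, re.sub(r",[^\n]*", "", value))
             for ctype, value in claims if ctype == PHASE1]
    return claims + added


def rule3(claims):
    """Rule 3: regexreplace(c.Value, "^CN=", "") and issue() the result as a role claim."""
    return [(ROLE, re.sub(r"^CN=", "", value))
            for ctype, value in claims if ctype == PHASE2]


def roles_for(account, directory=SAMPLE_DIRECTORY):
    """Run the three rules in the article's order and return the role values that reach the token."""
    working = [(WINDOWS_ACCOUNT_NAME, account)]
    working = rule1(working, directory)
    working = rule2(working)
    return [value for _, value in rule3(working)]


def find_collisions(directory=SAMPLE_DIRECTORY):
    """Distinct group DNs that the article's two regexes collapse onto the same role value."""
    by_role = {}
    for dns in directory.values():
        for dn in dns:
            role = re.sub(r"^CN=", "", re.sub(r",[^\n]*", "", dn))
            by_role.setdefault(role, set()).add(dn)
    return {role: sorted(dns) for role, dns in by_role.items() if len(dns) > 1}


# Suggested alternative (not from the article): honour RFC 2253 escaping, so the CN
# ends at the first unescaped comma and "\," inside the name is preserved.
_CN_RE = re.compile(r"^CN=((?:[^,\\]|\\.)*)")


def dn_to_cn_safe(dn):
    """Return the unescaped CN of a group DN, or None if the DN does not start with CN=."""
    match = _CN_RE.match(dn)
    if not match:
        return None
    return re.sub(r"\\(.)", r"\1", match.group(1))


if __name__ == "__main__":
    for account in SAMPLE_DIRECTORY:
        print(account, "->", roles_for(account))
    print("collisions:", find_collisions())
    print(dn_to_cn_safe("CN=Ops\\, Team,OU=Groups,DC=contoso,DC=com"))
```

Running it shows alice's third role arriving as a bare "Ops\" because rule 2 stops at the escaped comma, and alice and bob both receiving "Finance Users" even though they are in different groups; carol, with no direct memberships, gets no role claims at all.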
Tags: AD FS, AD FS 2.0, adfs, ADFS 2.0, claim rule language, claims, CRL, domain local, groups