Setup: ADFS 2.0 server configured
Problem: The default rule template "Send LDAP Attributes as Claims" (with Token-Groups mapped to the role claim) emits each group's sAMAccountName, not the group's name attribute, into the claim token. If a group's name and sAMAccountName differ, the role claims carry the wrong value, so you need custom rules that resolve each group sAMAccountName to the group name before issuing it.
Solution: Create the following two custom rules on the relying party trust, in this order (rule 2 consumes the claim that rule 1 adds):

Rule 1 - fetch the user's group sAMAccountNames and keep them as an intermediate claim:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://sAMAccountName_role"), query = ";tokenGroups;{0}", param = c.Value);

Rule 2 - resolve each group sAMAccountName to the group's name attribute and issue it as a role claim:

c:[Type == "http://sAMAccountName_role"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "sAMAccountName={0};name;DOMAIN\AnyUser", param = c.Value);

Notes:
- Rule 1 uses add() rather than issue(), so the http://sAMAccountName_role claim is only visible to later rules in the pipeline and never ends up in the token.
- The Active Directory store query has the form "LDAP filter;attributes;DOMAIN\user". In rule 2 the third part, DOMAIN\AnyUser, is a placeholder: replace it with an existing account in the domain that holds the groups. ADFS uses it to determine which domain to query, not as the object being looked up, so groups from a different domain are not resolved by this rule.
- tokenGroups returns the user's transitive group membership, so nested groups are issued as roles too.
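As an added example that is not part of the original note: a PowerShell script for the ADFS 2.0 server that first checks, for a test user, which of their groups have a sAMAccountName that differs from the name attribute (the exact case the custom rules exist for), and then appends the two rules to a relying party trust. The relying party name, the lookup account that replaces DOMAIN\AnyUser, and the test user are assumptions and must be replaced with your own values.

```powershell
# Added example, not code from the original note. Placeholders marked "assumption".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 cmdlets live in a snap-in

$rpName        = "Example Relying Party"     # assumption: display name of the RP trust
$lookupAccount = "CONTOSO\svc-adfs-lookup"   # assumption: replaces DOMAIN\AnyUser in rule 2
$testUser      = "CONTOSO\jdoe"              # assumption: account used for the pre-check

# Resolve a group's sAMAccountName to its "name" attribute: the lookup rule 2 asks ADFS to do.
function Get-GroupNameBySam {
    param([Parameter(Mandatory)][string]$GroupSam)
    # Escape LDAP filter metacharacters (RFC 4515) so an unusual group name cannot alter the filter.
    $escaped = $GroupSam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "name"))
    $r = $searcher.FindOne()
    if ($null -eq $r) { return $null }
    [pscustomobject]@{
        SamAccountName = [string]$r.Properties["samaccountname"][0]
        Name           = [string]$r.Properties["name"][0]
    }
}

# Enumerate the test user's tokenGroups (transitive membership, returned as SIDs) and report the
# groups whose role claim would be wrong under the default "Send LDAP Attributes as Claims" rule.
function Get-MismatchedGroups {
    param([Parameter(Mandatory)][string]$DomainUser)
    $sam = $DomainUser.Split('\')[-1]
    $res = ([adsisearcher]"(&(objectCategory=user)(sAMAccountName=$sam))").FindOne()
    if ($null -eq $res) { throw "User $DomainUser not found in the current domain" }
    $entry = $res.GetDirectoryEntry()
    $entry.RefreshCache(@("tokenGroups"))
    foreach ($sidBytes in $entry.Properties["tokenGroups"]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try { $nt = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { continue }
        $group = Get-GroupNameBySam -GroupSam $nt.Split('\')[-1]
        if ($group -and $group.SamAccountName -ne $group.Name) { $group }
    }
}

Get-MismatchedGroups -DomainUser $testUser | Format-Table -AutoSize

# The two rules from the note. Rule 1 uses add(), so the intermediate http://sAMAccountName_role
# claim feeds rule 2 but is never issued in the token.
$rules = @"
@RuleName = "Collect group sAMAccountNames (intermediate only)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://sAMAccountName_role"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Issue group names as role claims"
c:[Type == "http://sAMAccountName_role"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "sAMAccountName={0};name;$lookupAccount", param = c.Value);
"@

# Set-ADFSRelyingPartyTrust replaces the whole issuance rule set, so append to the existing rules
# instead of overwriting them, keeping rule 1 ahead of rule 2 (rules are evaluated in order).
$existing = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`r`n" + $rules)
```

Run it in an elevated PowerShell session on the ADFS server. The pre-check output is the list of groups for which the default rule and the custom rules would issue different role values; if it is empty for every user you care about, the custom rules change nothing. The Active Directory store query runs under the ADFS service account, so the lookup account substituted for DOMAIN\AnyUser needs no special rights; it only tells ADFS which domain to query.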