Setup: ADFS 2.0 server configured

Problem: The default “Send LDAP Attributes as Claims” rule puts each group's sAMAccountName into the claim token. If a group's name and its sAMAccountName differ, you need custom rules to populate the claim with the group names instead.

Solution: Create the following two custom rules, in this order (the second rule consumes the intermediate claim that the first one adds):

Rule 1 (look up the user's token groups and add them as an intermediate claim):

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://sAMAccountName_role"), query = ";tokenGroups;{0}", param = c.Value);

Rule 2 (resolve each group's sAMAccountName to its name and issue it as a role claim):

c:[Type == "http://sAMAccountName_role"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "sAMAccountName={0};name;DOMAIN\AnyUser", param = c.Value);
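To make the add/issue distinction concrete, here is a small Python model of how ADFS evaluates the two rules above. It is an added illustration, not code from the original post: the directory contents (the CORP\jdoe account, its groups, and the group names) are constructed sample data, the issuer strings on generated claims are illustrative, and the two query functions stand in for the "Active Directory" attribute store. What it shows is that claims produced by add() stay in the input set for later rules but never reach the token, while claims produced by issue() go into both, so the private "http://sAMAccountName_role" type is not leaked to the relying party, and a group whose sAMAccountName cannot be resolved simply yields no role claim.

```python
from collections import namedtuple

Claim = namedtuple("Claim", "type value issuer")

WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
INTERMEDIATE = "http://sAMAccountName_role"   # the post's private claim type

# Constructed sample directory (stand-in for the "Active Directory" store):
# group sAMAccountNames differ from group names, and one group has no object to look up.
AD_STUB = {
    "tokenGroups": {"CORP\\jdoe": ["grp-fin-01", "grp-it-02", "grp-orphan"]},
    "groups": {
        "grp-fin-01": {"name": "Finance Staff"},
        "grp-it-02": {"name": "IT Administrators"},
    },
}


def query_token_groups(store, account):
    """Stand-in for query = ";tokenGroups;{0}": group sAMAccountNames of the account."""
    return store["tokenGroups"].get(account, [])


def query_group_name(store, sam_account_name):
    """Stand-in for query = "sAMAccountName={0};name;DOMAIN\\AnyUser": the group's name attribute."""
    group = store["groups"].get(sam_account_name)
    return [group["name"]] if group else []


def run_pipeline(input_claims, store=AD_STUB):
    """Evaluate the two rules in order; return only the issued (output) claims."""
    input_set = list(input_claims)   # visible to subsequent rules
    output_set = []                  # what ends up in the token

    # Rule 1: c:[Type == windowsaccountname, Issuer == "AD AUTHORITY"] => add(...)
    for c in list(input_set):
        if c.type == WINDOWS_ACCOUNT_NAME and c.issuer == "AD AUTHORITY":
            for group in query_token_groups(store, c.value):
                # add(): available to later rules, never copied into the token
                input_set.append(Claim(INTERMEDIATE, group, "LOCAL AUTHORITY"))  # issuer illustrative

    # Rule 2: c:[Type == INTERMEDIATE] => issue(...)
    for c in list(input_set):
        if c.type == INTERMEDIATE:
            for name in query_group_name(store, c.value):
                claim = Claim(ROLE, name, "LOCAL AUTHORITY")  # issuer illustrative
                input_set.append(claim)    # issue(): also visible to later rules
                output_set.append(claim)   # and written into the token
    return output_set


def role_values(output_claims):
    """Sorted role claim values, for inspection."""
    return sorted(c.value for c in output_claims if c.type == ROLE)


if __name__ == "__main__":
    token = run_pipeline([Claim(WINDOWS_ACCOUNT_NAME, "CORP\\jdoe", "AD AUTHORITY")])
    for c in token:
        print(c.type, "=", c.value)
```

Running it for CORP\jdoe yields two role claims ("Finance Staff" and "IT Administrators"), nothing for the unresolvable grp-orphan, and no claim of the intermediate type; a windowsaccountname claim from any issuer other than "AD AUTHORITY" does not match rule 1 and therefore produces no roles at all.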
