
I want my ADFS 2012 R2 to send group membership from a specific location in Active Directory; how can I do this?

I tried "Send LDAP attributes as claims", Token-Groups - Unqualified Names => Group, but that gives me every group the user is a member of. I only want the groups located in a certain path in AD (for example org/department/applications/demoapplication)

Thomas

1 Answer


OOTB, you can't do this.

However, you can write your own custom attribute store where you can access AD directly using the .NET AD APIs and get the group memberships you want.

Also, refer to How to create a Custom Attribute Store for Active Directory Federation Services 3.0.

rbrayb
    I think it might be possible using a custom claim transformation rule only? See this link: [link](http://blogs.technet.com/b/askds/archive/2013/05/07/ad-fs-2-0-claims-rule-language-part-2.aspx) I didn't try this myself, but I guess you could first get a list of all group-memberships including the path in AD, and then filter it using regular expressions. – Thomas Jun 27 '14 at 08:59
  • Yup - you can using "memberOf" - I actually blogged about this - http://nzpcmad.blogspot.co.nz/2013/06/adfs-problem-with-token.html ! You can't with "Send LDAP attributes as claims" – rbrayb Jun 29 '14 at 03:46
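As an added example (not code from the answer or its comments), here is the "memberOf" approach from the comments written out as two claim rules and applied with the ADFS PowerShell module: the first rule pulls the user's direct group DNs from AD as an intermediate claim, the second issues a role claim only for groups whose full DN sits under the wanted OU. The OU path, the DC components and the relying-party name are assumed placeholders; adjust them to your forest.

```powershell
# Constructed example: filter group claims to one OU via a claim transformation rule set.
# Single-quoted here-string so PowerShell does not expand "$1" inside the regex replacement.
$rules = @'
@RuleName = "Look up direct group DNs (memberOf) as an intermediate claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/memberOf"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "Issue only groups located under OU=demoapplication as role claims"
c:[Type == "http://schemas.xmlsoap.org/claims/memberOf", Value =~ "^CN=[^,]+,OU=demoapplication,OU=applications,OU=department,OU=org,DC=corp,DC=example,DC=com$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = RegExReplace(c.Value, "^CN=([^,]+),.*$", "$1"));
'@

# Notes on the regex (assumed OU path; replace with your own):
#  - "^" and "$" anchor the match to the complete DN, so a group in a differently named
#    OU elsewhere in the forest, or in another domain, cannot satisfy the rule.
#  - "[^,]+" keeps the CN match inside a single RDN; it is stripped to a bare group
#    name by RegExReplace, which is what the relying party usually expects.
#  - "add" claims stay in the pipeline only; the raw memberOf DNs are never issued.

# Apply to the relying party. This REPLACES the trust's existing issuance rules,
# so merge with any rules you already have before running it.
Set-AdfsRelyingPartyTrust -TargetName 'Demo Application' -IssuanceTransformRules $rules

# Verify what was stored.
(Get-AdfsRelyingPartyTrust -Name 'Demo Application').IssuanceTransformRules
```

Because memberOf lists only direct memberships (it omits nested groups and the user's primary group), a user who reaches a group under that OU only through another group will not receive the role claim with this rule set.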