
I created a custom ADFS claim rule based on group membership with global security groups, and it's working smoothly, but we need to add users from a different forest that is trusted with us. So I converted the global group to a domain local group so that we can add users from the different forest, but somehow it's not working: only the global group is working, not the domain local one, even if the user is from the same domain. Can someone help me find the proper solution, or are domain local groups not supported by ADFS if used for claim attributes?

Current setup with our global group is given below (working). Send Token group:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("corporate_groups"), query = ";tokenGroups;{0}", param = c.Value);

Get Token group:

c:[Type == "corporate_groups", Value =~ ".APP_Test."] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/group", Value = c.Value);

Note: If I go through this link, it is not working for cross-forest trust users. https://social.technet.microsoft.com/wiki/contents/articles/13829.ad-fs-2-0-domain-local-groups-in-a-claim.aspx
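The rules in the question depend on what AD returns in the user's tokenGroups attribute, so the first thing to check is what that attribute actually contains for the affected user when read from a DC of the user's own domain, and what scope each returned group has. The script below is an added example, not code from the original post; it assumes a sAMAccountName of jdoe, a relying party trust named MyApp, and that the ActiveDirectory and ADFS PowerShell modules are installed. It reads tokenGroups, resolves each SID to a group name and scope, applies the same regex the "Get Token group" rule uses, and then shows how to load the two rules from the post into a relying party trust with the AD FS cmdlets instead of the management snap-in.

```powershell
# Added example (not from the original post). Assumptions: user 'jdoe',
# relying party trust 'MyApp', regex '.APP_Test.' copied from the post's rule.
Import-Module ActiveDirectory

function Get-TokenGroupNames {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        # Query a writable DC of the user's own domain on port 389. A Global
        # Catalog (port 3268) does not hold Domain Local group membership, so a
        # GC-based lookup will not show those groups.
        [string]$Server = (Get-ADDomainController -Discover).HostName[0]
    )
    # tokenGroups is a constructed attribute: the DC computes the user's full
    # transitive group SID list, which is what the AD FS rule queries.
    $user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties tokenGroups
    foreach ($sid in $user.tokenGroups) {
        try {
            $g = Get-ADGroup -Identity $sid.Value -Server $Server -Properties GroupScope
            [pscustomobject]@{ Name = $g.SamAccountName; Scope = $g.GroupScope; SID = $sid.Value }
        } catch {
            # SIDs from a trusted forest or well-known SIDs will not resolve on
            # this DC; keep them visible rather than silently dropping them.
            [pscustomobject]@{ Name = $sid.Value; Scope = 'unresolved'; SID = $sid.Value }
        }
    }
}

# 1. What AD returns for the user, with scope, so a missing Domain Local group
#    is visible before AD FS is involved.
$groups = Get-TokenGroupNames -SamAccountName 'jdoe'
$groups | Format-Table Name, Scope, SID -AutoSize

# 2. Mirror the "Get Token group" rule: Value =~ ".APP_Test." is a regex that
#    needs at least one character before and after APP_Test.
$matched = $groups | Where-Object { $_.Name -match '.APP_Test.' }
"Groups that would become group claims:"
$matched | Format-Table Name, Scope -AutoSize

# 3. Load the same two rules from the post through PowerShell (assumed trust
#    name 'MyApp'), then read them back to confirm what AD FS stored.
$rules = @'
@RuleName = "Send Token group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("corporate_groups"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Get Token group"
c:[Type == "corporate_groups", Value =~ ".APP_Test."]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/group", Value = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName 'MyApp' -IssuanceTransformRules $rules
(Get-AdfsRelyingPartyTrust -Name 'MyApp').IssuanceTransformRules
```

Run step 1 twice, once against a DC of the user's domain and once with -Server pointing at a GC on port 3268, and compare the Scope column: if the Domain Local group only appears in the first run, the lookup path is the thing to check, not the rule text.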

1 Answer


• You can surely create a rule to send a group membership as a claim on a relying party trust in ADFS on Windows Server. But for that, you need to make sure that the user ID with which you are going to log in to the ADFS server is a member of the Domain Administrators or the local Administrators group. Also, you can do this by following the documentation link below. It states that you can create a rule from a template for sending group membership as a claim through the ADFS Management snap-in itself.

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-group-membership-as-a-claim#to-create-a-rule-to-send-group-membership-as-a-claim-on-a-relying-party-trust-in-windows-server-2016

• If you follow the above document for creating rules based on a template, it should get you working. Also, refer to and follow the documentation below on when you should use Group Membership as a claim rule:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff678036(v=ws.11)

Kartik Bhiwapurkar