ADFS Claim to Flatten Groups and Return full DN

Tags: active-directory, adfs

Is there a way to create a claim that will return the DN of all groups and super-groups a user is a MemberOf?

Currently running Windows 2012 R2 ADFS.

Example:

I have a structure of groups like the following.

GrandparentGroup
ParentGroupA (memberOf=GrandparentGroup)
ParentGroupB (memberOf=GrandparentGroup)
GroupA (memberOf=ParentGroupA)
GroupB (memberOf=ParentGroupA)
GroupC (memberOf=ParentGroupB)
GroupD (memberOf=ParentGroupB)
UserA (memberOf=GroupA)
UserB (memberOf=GroupA, memberOf=GroupB)

I want to return the full DNs of GroupA, ParentGroupA, and GrandparentGroup when UserA logs in.

If building a claim is not possible, are there other ways to handle this scenario with ADFS?

Best Answer

This question was answered on another forum.

The LDAP filter to list all groups (including nested groups) of a user is:

(member:1.2.840.113556.1.4.1941:=<DN of the user>)

So for example: (member:1.2.840.113556.1.4.1941:=CN=Alice,OU=Accounts,DC=contoso,DC=com)

Now how does it translate into a claim rule and ultimately a claim... First of all, I create 2 claim definitions. One called UserDN with the id http://contoso.com/myclaims/UserDN and MemberOfDN with the id http://contoso.com/myclaims/MemberOfDN. You guessed that the first one will receive the DN of the user and the second one all the DNs of all the groups the user is a member of.

Full write-up can be found here: answer.
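The following PowerShell is an added example, not code from the answer above or from the linked write-up. It reconstructs the two steps the answer describes (a UserDN claim filled from the user's distinguishedName, then a MemberOfDN claim filled by querying the Active Directory attribute store with the LDAP_MATCHING_RULE_IN_CHAIN filter) and applies them to a relying party trust. The relying party name "Contoso Intranet App", the sample user UserA and the rule names are assumptions; the claim type URIs are the ones from the answer. The ConvertTo-LdapFilterValue helper is added here for the pre-flight check only: Get-ADGroup accepts whatever string you pass as the filter, so a DN containing parentheses, asterisks or backslashes must be escaped per RFC 4515 or the filter either breaks or matches the wrong set. ADFS substitutes the `{0}` parameter into the attribute store query as plain text, so test the rule with such a DN if your directory contains any.

```powershell
# Added example: wire the answer's LDAP filter into ADFS claim rules (Windows Server 2012 R2).
# Run on the ADFS server as an ADFS administrator. Names marked "assumption" are illustrative.
Import-Module ADFS
Import-Module ActiveDirectory

$userDnType   = "http://contoso.com/myclaims/UserDN"       # from the answer
$memberOfType = "http://contoso.com/myclaims/MemberOfDN"   # from the answer
$winAcctType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$rpName       = "Contoso Intranet App"                      # assumption: an existing relying party trust

# 1. Register the two claim descriptions so the types show up in the ADFS console.
foreach ($c in @(@{ Name = "UserDN"; Type = $userDnType }, @{ Name = "MemberOfDN"; Type = $memberOfType })) {
    if (-not (Get-AdfsClaimDescription -ClaimType $c.Type -ErrorAction SilentlyContinue)) {
        Add-AdfsClaimDescription -Name $c.Name -ClaimType $c.Type -IsOffered $true -IsAccepted $true
    }
}

# 2. Pre-flight: run the answer's filter against AD before trusting it in a claim rule.
#    RFC 4515 escaping so characters in a DN cannot alter the filter's structure.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

$userDn = (Get-ADUser -Identity 'UserA').DistinguishedName   # assumption: UserA from the question
$filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn))"
# For the question's structure this lists GroupA, ParentGroupA and GrandparentGroup.
Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty DistinguishedName

# 3. Claim rules. The first rule uses add() so UserDN stays an intermediate claim and is not
#    sent to the relying party; the second issues MemberOfDN. The AD attribute store query
#    format is "<LDAP filter>;<attributes>;<domain\user>": the last segment is the Windows
#    account name ADFS uses to pick the domain to search, hence the second parameter.
$rules = @"
@RuleName = "Get user DN"
c:[Type == "$winAcctType", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$userDnType"), query = ";distinguishedName;{0}", param = c.Value);

@RuleName = "Issue DN of every group in the membership chain"
c1:[Type == "$winAcctType", Issuer == "AD AUTHORITY"] && c2:[Type == "$userDnType"]
 => issue(store = "Active Directory", types = ("$memberOfType"), query = "(member:1.2.840.113556.1.4.1941:={0});distinguishedName;{1}", param = c2.Value, param = c1.Value);
"@

# Append to the relying party's existing issuance rules instead of overwriting them.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $rules)
```

After applying the rules, sign in to the relying party as UserA and inspect the token: there should be one MemberOfDN claim per group in the chain and no UserDN claim, since the first rule only adds it for the second rule to consume.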