ADFS – How to Get Nested User Groups

Tags: active-directory, adfs

Trying to get all of the groups and nested groups for a user when authenticating with ADFS.

Basically I have a structure like this:

  • group1 -> subgroup1, subgroup2
  • group2 -> subgroup3, subgroup2
  • group3 -> subgroup1, subgroup4

If I add group1 and group3 to my user, I would like to get back:

  • group1
  • subgroup1
  • subgroup2
  • group3
  • subgroup4

I have this query:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

but it only returns group1 and group3.

Best Answer

Have you tried:

Create a new rule, choose “Send LDAP Attributes as Claims”, choose Active Directory as the Attribute Store, and choose the LDAP Attribute “Token-Groups – Unqualified Names” with the claim type “Group”.

This should send all groups. Note that your ADFS admin should NOT be allowing you to do a query like this, especially in large environments. Whoever wrote the application may also be a bit annoyed if large datasets are returned (nothing says the app stinks like waiting 5 mins to parse an XML list).
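As an added example (not part of the question or the answer above), the following PowerShell does three things a practitioner would want alongside that answer: it checks from the AD side what the user's transitive (nested) group membership actually is, so the claims coming out of ADFS can be compared against ground truth; it reads the same constructed tokenGroups attribute that the claim rule's ";tokenGroups;{0}" store query reads; and it installs the equivalent of the "Send LDAP Attributes as Claims" rule from the answer, but split into an add() rule plus a filtering issue() rule so that only groups matching a prefix are sent, which addresses the answer's caveat about large group lists. The relying party name "MyApp", the test user "jdoe" and the group prefix "app1-" are assumptions for illustration; the ADFS and ActiveDirectory modules are assumed to be installed on the ADFS server.

```powershell
# Added example, not code from the original question or answer.
# Assumes: relying party trust "MyApp", test user "jdoe", group prefix "app1-" (all hypothetical).
Import-Module ActiveDirectory
Import-Module ADFS

# 1. Ground truth from AD: transitive group membership via LDAP_MATCHING_RULE_IN_CHAIN
#    (OID 1.2.840.113556.1.4.1941), which makes the DC walk the nesting for us.
$user = Get-ADUser -Identity 'jdoe'
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    Select-Object -ExpandProperty Name | Sort-Object
$nested
# For the structure in the question (user in group1 and group3) this lists:
# group1, group3, subgroup1, subgroup2, subgroup4

# 2. The constructed tokenGroups attribute, which is what the claim rule store query
#    ";tokenGroups;{0}" reads. It is only returned on a base-scope read of the user
#    object and holds SIDs, so translate each SID to a DOMAIN\name account.
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"
$entry.GetInfoEx(@('tokenGroups'), 0)
$tokenGroups = $entry.Properties['tokenGroups'] | ForEach-Object {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($_, 0)
    $sid.Translate([System.Security.Principal.NTAccount]).Value
} | Sort-Object
$tokenGroups

# 3. Issuance transform rules for the relying party.
#    Rule 1 is what the "Send LDAP Attributes as Claims" template produces for
#    "Token-Groups - Unqualified Names" -> Group, except it uses add() so the groups
#    enter the claims pipeline without being issued to the token.
#    Rule 2 issues only the Group claims whose value matches the (hypothetical) "app1-"
#    prefix, so the token stays small even when the user is in hundreds of groups.
$rules = @'
@RuleName = "Load token groups into the pipeline"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Issue only application groups"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^app1-"]
 => issue(claim = c);
'@

Set-AdfsRelyingPartyTrust -TargetName 'MyApp' -IssuanceTransformRules $rules

# 4. Confirm what ADFS stored for the trust.
(Get-AdfsRelyingPartyTrust -Name 'MyApp').IssuanceTransformRules
```

If every group really is needed, replace the two rules with a single issue() of the same store query (that is exactly the rule the GUI template generates); the add()/filter split is the version to prefer when the application only cares about a known set of groups.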