When you are configuring the claims rules in ADFS, you have a number of options for sending AD groups.
You can send them all at once – “Send LDAP Attributes as Claims” – or you can send them individually – “Send Group Membership as a Claim”.
In the latter case, you get to “clean” the name up.
e.g. you can have a group called “TN-W2008-Test-Marketing-Editor” because of some company naming convention, but you can configure the claim to be of type:
http://schemas.microsoft.com/ws/2008/06/identity/claims/role with a value of “MarketingEditor”.
The downside with this is that if the groups are deleted or renamed, you have to manually reconfigure ADFS.
For the former, ADFS simply sends the whole lot. If a group is renamed, it simply sends the new name.
There are a number of options for the groups:
Token-Groups as SIDs
Token-Groups - Qualified by Domain Name
Token-Groups - Qualified by Long Domain Name
Token-Groups - Unqualified Names
If you have a group called Editor with a SID of S-1-5-21-3794324387-748717723-962058466-1466 and a domain of company.com (and assuming you map them all to a type of “role”), then the four different options result in:
…identity/claims/role = S-1-5-21-3794324387-748717723-962058466-1466
…identity/claims/role = company\Editor
…identity/claims/role = company.com\Editor
…identity/claims/role = Editor
Note that you get a role claim per group. If the user is a member of 6 groups, they will get six separate claims of type “role”. This includes the default claim of “Domain Users”.
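The two approaches described above (“Send LDAP Attributes as Claims” for all groups, “Send Group Membership as a Claim” for one cleaned-up group) written out in AD FS claim rule language and applied with the AD FS PowerShell module. This is an added example, not code from the original post; “Contoso App” is an assumed relying party name, the SID, group and domain are the post's sample values, and the four Token-Groups LDAP attribute spellings in the comments are my recollection of what the claim rule wizard emits (build the rule once in the GUI and view the rule language to confirm them).

```powershell
# Added example (not from the original post). Assumes an AD FS server with the
# ADFS module and a relying party trust named "Contoso App".
Import-Module ADFS

# Approach 1 - "Send LDAP Attributes as Claims": one rule sends every group the
# user is a member of as a separate role claim. The attribute name in the query
# picks the format; these are the four Token-Groups options from the post
# (attribute spellings as the wizard emits them, verify in your own rule editor):
#   tokenGroupsAsSids                     -> S-1-5-21-3794324387-748717723-962058466-1466
#   tokenGroups(domainQualifiedName)      -> company\Editor
#   tokenGroups(longDomainQualifiedName)  -> company.com\Editor
#   tokenGroups                           -> Editor
$sendAllGroups = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send all AD groups as role claims (unqualified names)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Approach 2 - "Send Group Membership as a Claim": match a single group by its
# SID and issue a cleaned-up role value instead of the raw AD group name.
# The match is on the SID, not the name: a group that is deleted and recreated
# gets a new SID and silently stops matching, and a renamed group still matches
# under the old label, so these rules need the manual upkeep the post mentions.
$sendOneGroup = @'
@RuleTemplate = "MapClaims"
@RuleName = "TN-W2008-Test-Marketing-Editor -> MarketingEditor"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-3794324387-748717723-962058466-1466", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "MarketingEditor", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Apply the rules to the trust. -IssuanceTransformRules replaces the existing
# transform rule set, so include every rule the trust needs in the one string.
Set-AdfsRelyingPartyTrust -TargetName "Contoso App" -IssuanceTransformRules ($sendAllGroups + "`n" + $sendOneGroup)

# Check what is now configured on the trust.
(Get-AdfsRelyingPartyTrust -Name "Contoso App").IssuanceTransformRules
```

In practice you would use one approach or the other for a given trust, not both. The “send all” rule is zero-maintenance but discloses the name of every group the user belongs to (“Domain Users” included) to the relying party, and the application must be prepared to receive many role claims; the per-group mapping sends only what the application needs, at the cost of the manual reconfiguration the post describes.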