Thursday, June 21, 2012

ADFS : Sending groups as claims


When you are configuring the claims rules in ADFS, you have a number of options for sending AD groups.

You can send them all at once – “Send LDAP Attributes as Claims” – or you can send them individually – “Send Group Membership as a Claim”.

In the latter case, you get to “clean” the name up.

e.g. you can have a group called “TN-W2008-Test-Marketing-Editor” because of some company naming convention but you can configure the claim to be of type:

http://schemas.microsoft.com/ws/2008/06/identity/claims/role with a value of “MarketingEditor”.

The downside with this is that if the groups are deleted or renamed, you have to manually reconfigure ADFS.

For the former, ADFS simply sends the whole lot. If a group is renamed, it simply sends the new name.

There are a number of options for the groups:

Token-Groups as SIDs

Token-Groups - Qualified by Domain Name

Token-Groups - Qualified by Long Domain Name

Token-Groups - Unqualified Names

If you have a group called Editor with a SID of S-1-5-21-3794324387-748717723-962058466-1466 and a domain of company.com (and assuming you map them all to a type of “role”) then the four different types result in:

…identity/claims/role = S-1-5-21-3794324387-748717723-962058466-1466

…identity/claims/role = company\Editor

…identity/claims/role = company.com\Editor

…identity/claims/role = Editor

Note that you get a role claim per group. If the user is a member of 6 groups, they will get six separate claims of type “role”. This includes the default claim of “Domain Users”.
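To make the two options concrete, here is an added example (not from the post) of what each looks like in ADFS claim rule language, applied to a relying party with the ADFS 2.0 PowerShell snap-in. The relying party name "Contoso Portal" and the group SID in the first rule are made up for the illustration; the claim type URIs are the standard Microsoft ones the post refers to. The attribute names for the three qualified/SID variants of Token-Groups are given as I have seen the UI template generate them and should be checked against a rule the console writes for you.

```powershell
# Added example: ADFS 2.0 snap-in (on Windows Server 2012 R2 and later use Import-Module ADFS instead).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ct = "http://schemas.microsoft.com/ws/2008/06/identity/claims"

# Option 1: "Send Group Membership as a Claim".
# Matches the user's groupsid claim for one specific group (SID below is a made-up placeholder)
# and issues a single, cleaned-up role value for it.
$ruleGroupMembership = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "TN-W2008-Test-Marketing-Editor -> role MarketingEditor"
c:[Type == "$ct/groupsid", Value == "S-1-5-21-0-0-0-1234", Issuer == "AD AUTHORITY"]
 => issue(Type = "$ct/role", Value = "MarketingEditor", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Option 2: "Send LDAP Attributes as Claims" using Token-Groups - Unqualified Names.
# Queries the Active Directory attribute store once and issues one role claim per group
# (Domain Users included), so the relying party receives the user's whole group list.
# Assumed attribute names for the other three variants, as generated by the console in my experience:
#   tokenGroups(SID)                      -> Token-Groups as SIDs
#   tokenGroups(domainQualifiedName)      -> Token-Groups - Qualified by Domain Name
#   tokenGroups(longDomainQualifiedName)  -> Token-Groups - Qualified by Long Domain Name
$ruleTokenGroups = @"
@RuleTemplate = "LdapClaims"
@RuleName = "All token groups as role claims (unqualified names)"
c:[Type == "$ct/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$ct/role"), query = ";tokenGroups;{0}", param = c.Value);
"@

# Pick ONE of the two styles for a given relying party; both are shown here only for comparison.
# Replaces the relying party's issuance transform rule set with the per-group rule.
Set-ADFSRelyingPartyTrust -TargetName "Contoso Portal" -IssuanceTransformRules $ruleGroupMembership

# Review what is now configured before testing a sign-in.
(Get-ADFSRelyingPartyTrust -Name "Contoso Portal").IssuanceTransformRules
```

The difference worth keeping in mind when choosing: the Token-Groups rule discloses every group the user is in to that relying party, whereas the per-group rule lets you issue only the roles the application actually needs, at the cost of the manual upkeep the post describes when groups change.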

Enjoy!

6 comments:

Jeff said...

I'm not seeing 6 different role claims like your blog indicates, I see one claim attribute with multiple attributevalues. Here is a trace from fiddler

Domain AdminsDomain UsersSchema AdminsEnterprise AdminsGroup Policy Creator OwnersAll_Employees

nzpcmad said...

Are you seeing this on the wire or is this after you enumerate the claims via the WIF classes?

I'm talking about the WIF enumeration.

Anonymous said...

In case we wanted them all in one... how can we concatenate all of them? Is there any way? I need it.

nzpcmad said...

Not that I'm aware of. Claims are supposed to be a name / value pair.

You could concatenate them on the client side though using WIF.

Unknown said...

Does the rule apply to all group scopes (Global and domain local)? Think it's only global. If so, how do you get all groups?

//Andrew

Unknown said...

Does the rule apply to all group scopes (global, domain local etc.)? Think it's only global.
How do you get round that?

//Andrew