I copy claims rules over all the time as per my earlier post.
So I did this and it wouldn't work.
Much head scratching and then I realised that one of the claims rules was a "Send Group Membership as a Claim".
If you look at this type of rule, it looks like:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-965288371-...-1106", Issuer == "AD AUTHORITY"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Admin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
Notice that the rule matches on a group SID, and that SID is only meaningful in the AD forest that issued it.
The same group name in a different AD will have a different SID value, so the copied rule never matches anyone in the new forest and the role claim is simply never issued.
So, beware, you can't just copy these types of rules over!
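One way to carry such rules across forests, as an added example that is not from the original post: resolve each domain group SID to its group name in the source forest, look that name up again in the target forest, and rewrite the rule text before importing it. The function name, the relying party name, the "CONTOSO" target domain and the exact Get-/Set-AdfsRelyingPartyTrust usage are assumptions; it must run on a host that can resolve accounts in both forests.

```powershell
# Added example: rewrite forest-specific group SIDs in exported ADFS issuance
# transform rules so "Send Group Membership as a Claim" rules keep working after a copy.
function Convert-GroupSidClaimRules {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Rules,         # rule set text from Get-AdfsRelyingPartyTrust
        [Parameter(Mandatory)] [string] $TargetDomain   # NetBIOS name of the target forest (assumed value)
    )
    # Only domain-relative SIDs (S-1-5-21-...) differ between forests; well-known SIDs
    # such as S-1-5-32-544 (BUILTIN\Administrators) are identical everywhere and are left alone.
    $sidPattern = '(?<=Value\s*==\s*")S-1-5-21(?:-\d+)+(?=")'

    [regex]::Replace($Rules, $sidPattern, {
        param($m)
        try {
            # SID -> DOMAIN\Group, resolved against the source forest that issued it
            $sourceSid = [System.Security.Principal.SecurityIdentifier]$m.Value
            $account   = $sourceSid.Translate([System.Security.Principal.NTAccount]).Value
            $groupName = $account.Split('\')[-1]
            # DOMAIN\Group -> SID in the target forest; same name, different SID
            $targetSid = ([System.Security.Principal.NTAccount]"$TargetDomain\$groupName").Translate(
                             [System.Security.Principal.SecurityIdentifier]).Value
            Write-Verbose "Rewrote $($m.Value) ($account) -> $targetSid"
            return $targetSid
        } catch {
            # Keep the original SID but make the failure visible rather than importing a dead rule
            Write-Warning "Could not map $($m.Value): $($_.Exception.Message)"
            return $m.Value
        }
    })
}

# Assumed usage: export on the source farm, rewrite, then import on the target farm.
$rp    = Get-AdfsRelyingPartyTrust -Name "Claims App"
$fixed = Convert-GroupSidClaimRules -Rules $rp.IssuanceTransformRules -TargetDomain "CONTOSO" -Verbose
Set-AdfsRelyingPartyTrust -TargetName "Claims App" -IssuanceTransformRules $fixed
```

Any SID that could not be mapped is reported as a warning, so unmapped rules can be fixed by hand instead of silently failing to issue the claim.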
Enjoy!