Setup in AD FS

Open the AD FS management tool and go to Relying Party Trust

...

(Optional - only if Group sync is needed) Groupsid (Token-Groups as SIDs)

Note: if you have a large AD with many groups, consider extracting only the DAM groups with custom rules, so that the token does not become too large for the website to handle.

It can be done by creating the following two custom rules:

Get Groups from AD

Code Block
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

Send DAM groups as Claims (remember to update the Regex ^(?i)dam - scheme - .+$ to match your group naming)

Code Block
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)dam - scheme - .+$"]
=> issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
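The two rules above form a small pipeline: the first rule adds one Group claim per tokenGroups entry to the claims pipeline, and the second issues only those whose value matches the regex. The following Python script is an added example (not part of the original page, and not AD FS code) that models that pipeline so you can check what the regex lets through before deploying the rule. The group names are constructed for the example, and the .NET pattern ^(?i)dam - scheme - .+$ is expressed with re.IGNORECASE because Python rejects an inline (?i) that is not at the very start of the pattern.

```python
import re

GROUP_TYPE = "http://schemas.xmlsoap.org/claims/Group"

# Equivalent of the AD FS pattern ^(?i)dam - scheme - .+$ (case-insensitive,
# anchored at both ends, spaces around the dashes are required).
DAM_GROUP_PATTERN = re.compile(r"^dam - scheme - .+$", re.IGNORECASE)

# Constructed sample of what the "Active Directory" store might return for
# the query ;tokenGroups;{0}. Group names are made up for this example.
SAMPLE_TOKEN_GROUPS = [
    "Domain Users",
    "DAM - Scheme - Editors",
    "dam - scheme - Viewers",
    "DAM-Scheme-Admins",        # no spaces around the dashes: not matched
    "Legacy DAM - Scheme - X",  # text before "dam": rejected by the ^ anchor
    "Finance - Reporting",
]


def add_group_claims(token_groups):
    """Model the first rule: an add() puts one Group claim per tokenGroups
    entry into the pipeline; nothing is issued to the token yet."""
    return [
        {"type": GROUP_TYPE, "value": name, "issuer": "AD AUTHORITY",
         "original_issuer": "AD AUTHORITY", "value_type": "string"}
        for name in token_groups
    ]


def issue_dam_group_claims(pipeline_claims):
    """Model the second rule: issue() copies only the Group claims whose
    value matches the DAM regex, preserving issuer metadata as the rule does."""
    return [
        dict(claim)
        for claim in pipeline_claims
        if claim["type"] == GROUP_TYPE and DAM_GROUP_PATTERN.match(claim["value"])
    ]


def issued_group_values(token_groups):
    """Run both rules and return the group values that end up in the token."""
    pipeline = add_group_claims(token_groups)
    return [claim["value"] for claim in issue_dam_group_claims(pipeline)]


def token_size_reduction(token_groups):
    """Return (claims before filtering, claims after filtering) so you can see
    how much the custom rules shrink the token for a user with many groups."""
    return len(token_groups), len(issued_group_values(token_groups))


if __name__ == "__main__":
    before, after = token_size_reduction(SAMPLE_TOKEN_GROUPS)
    print(f"{before} group claims fetched, {after} issued to the token:")
    for value in issued_group_values(SAMPLE_TOKEN_GROUPS):
        print("  ", value)
```

Run it with the constructed list and only the two groups spelled "dam - scheme - ..." (in any letter case) reach the token; the hyphenated and prefixed variants are dropped, which is the behaviour to expect from the anchored AD FS regex. If your real group names use a different separator, adjust the pattern here and in the issue rule together.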

Get the federation metadata URL for the next step. It will most likely be: https://YourADDomain/FederationMetadata/2007-06/FederationMetadata.xml

...