...
Note: if you have a large AD with many groups, it is a good idea to make a custom extraction of only the DAM groups. This prevents the token from becoming too large for the website to handle (every group the user is a member of would otherwise be issued as a claim), and it also avoids disclosing the user's unrelated group memberships to the website.
It can be done by creating the following two custom rules:
Get Groups from AD (this rule only adds the groups to the pipeline with add(); nothing is issued into the token yet)

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
Send DAM groups as Claims (remember to update the regex ^(?i)dam - scheme - .+$ to match your group naming; the regex is anchored at the start of the value, which works because the tokenGroups query above returns unqualified group names without a DOMAIN\ prefix)

    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)dam - scheme - .+$"]
    => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
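The following is an added example, not part of the original page, showing how to apply the two rules with the AD FS PowerShell module and how to sanity-check the group regex locally before deploying it. The relying party trust name "DAM" and the sample group names are assumptions; replace them with your own.

```powershell
# Added example (not from the original page): test the group regex against a
# constructed list of group names, then append the two custom rules to the
# relying party trust. Trust name and sample groups are assumptions.

$Pattern = '^(?i)dam - scheme - .+$'   # same regex as in the second rule

# Constructed sample of what the tokenGroups query returns (unqualified names).
$SampleGroups = @(
    'Domain Users',
    'DAM - Scheme - Editors',
    'dam - scheme - viewers',
    'Finance - DAM - Scheme - X',   # not at the start of the value: must NOT match
    'DAM-Scheme-Admins'             # different separator: must NOT match
)
$Sent = $SampleGroups | Where-Object { [regex]::IsMatch($_, $Pattern) }
Write-Host 'Groups that would be issued as claims:' ($Sent -join ', ')

# Rule 1 pulls all group memberships into the pipeline with add() (not issued).
# Rule 2 issues only the groups matching the regex.
$Rules = @'
@RuleName = "Get Groups from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Send DAM groups as Claims"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)dam - scheme - .+$"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

$TrustName = 'DAM'   # assumed display name of the relying party trust in AD FS

# Keep the rules already on the trust (e.g. the Name ID rule) and append these two.
$Existing = (Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules ($Existing + "`n" + $Rules)

# Show the resulting rule set so it can be reviewed.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

Run the regex check first on the AD FS server (or any machine with PowerShell) to confirm that only the intended groups match; in the constructed sample only "DAM - Scheme - Editors" and "dam - scheme - viewers" pass. Because the rule language uses the same .NET regex engine, a pattern that behaves correctly here behaves the same way inside the claim rule.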
Get the federation metadata URL for the next step. It will most likely be: https://YourADDomain/FederationMetadata/2007-06/FederationMetadata.xml (the host name is the AD FS service name; open the URL in a browser to confirm the XML is served before continuing)
...