I am trying to create a claim rule to return all usernames in a group when I authenticate to the ADFS server. Currently I have claim rules setup to return the username of the person who logged in, but I am trying to get all usernames in a specific group. Eventually I would like to get usernames and emails, but for now I want to keep it as simple as possible in order to understand what is happening.

I think this will need a custom claim rule, and thus far this is what I have:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "Telephone Number"), query = ";mail,telephoneNumber;{0}", param = c.Value);
user361510
  • Are you trying to limit the users who can login via ADFS to members of a group? Or do you actually want to pass back a claim for each user that is the identical list of group members of a given group? The latter is how I read your question, but I can't think of why you would want this. – Ryan Bolger Jun 20 '16 at 19:52
  • It sounds like you want this. http://serverfault.com/questions/676916/adfs-restrict-to-ad-group – Ryan Bolger Jun 20 '16 at 19:53

1 Answer

You want "member".

Refer to AD FS 2.0: Using RegEx in the Claims Rule Language, where there is a similar example using "memberOf".

So have a static rule to set the group into a claim (e.g. http://company.com/group) as an "add", and use that as input into the "member" claim.

rbrayb
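The two-step pattern the answer describes (a static "add" of the group, then an Active Directory attribute store query on the group's "member" attribute), written out as a complete issuance transform rule set and applied with the AD FS PowerShell module. This is an added example, not code from the question, the answer, or Microsoft; the relying party trust name, the group DN and the two custom claim type URIs are placeholders, and the query string follows the AD attribute store's "LDAP filter;attributes;DOMAIN\user" layout, which is an assumption to verify in a lab before relying on it.

```powershell
# Added example (not from the question or answer above): apply the "static add,
# then query member" approach as the issuance transform rules of an existing
# relying party trust. Trust name, group DN and custom claim type URIs are
# placeholders; the AD attribute store query syntax is assumed.
Import-Module ADFS

$trustName = 'Example Relying Party'                       # placeholder trust name
$groupDn   = 'CN=App Users,OU=Groups,DC=company,DC=com'    # placeholder group DN

$rules = @"
@RuleName = "Add the group DN as an intermediate claim (add = not emitted in the token)"
=> add(Type = "http://company.com/group", Value = "$groupDn");

@RuleName = "Pass through the logged-on user's account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(claim = c);

@RuleName = "Query the group's member attribute: one claim per member DN"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 && c2:[Type == "http://company.com/group"]
 => issue(store = "Active Directory", types = ("http://company.com/groupmember"), query = "(distinguishedName={0});member;{1}", param = c2.Value, param = c1.Value);
"@

# Replace the trust's current rule set with the three rules above
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $rules

# Read the rules back to confirm what AD FS stored
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

Two things to keep in mind when testing this. The "member" attribute holds distinguished names, not sAMAccountNames, so the "groupmember" claims will carry DNs and would need a further lookup to become usernames or e-mail addresses. And because the group DN is a constant, every user who signs in to this relying party receives the full membership list in their token; if the real goal is to restrict who may sign in, checking the user's own membership (the approach linked in the comments) discloses nothing about other accounts.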