ADFS has a clever feature: if you select this mapping (the Token-Groups - Unqualified Names LDAP attribute) in the claims rules and map it to Role, you get a set of Role claims containing every group the authenticated user belongs to, e.g.
That's all well and good when the groups are "flat", i.e. the groups are not themselves memberOf other groups.
If they are, this mapping works its way up the hierarchy and emits ALL the groups, because tokenGroups is the expanded, transitive group list.
So if Joe is a memberOf Role1 and Role1 is a memberOf Role2, then ADFS will construct:
That's fine if that's what you want, but if Joe has 20 roles and every one of them sits at the bottom of a whole pile of other roles, you end up with many, many claims and a complete mess!
So what do you do if you only want the bottom layer, i.e. the groups the user is a direct memberOf?
If you go and have a look via ADUC, guess what? memberOf is not displayed as an attribute in the Attribute Editor!
To see it in the attribute list, open the "Attribute Editor" tab (it only appears when "Advanced Features" is ticked on the View menu), click the "Filter" button (bottom right) and then tick "Backlinks". memberOf is a backlink of the group's member attribute, which is why it is hidden by default.
OK, so what if we set up a claims rule mapping memberOf to Role?
We type memberOf into the LDAP Attribute field (it is actually editable, not just a drop-down) and note that it displays as "Is-Member-Of-DL", which is the schema name for that attribute.
What we get back is the full distinguished name of each group (the whole CN=...,OU=...,DC=... string), e.g.
whereas what we got before was just Role1.
Enter stage left Joji Oshima. He da man!
and have a look at "Problem 1", which is exactly the scenario described above.
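For reference, here is one way to get the direct-membership Role claims with just the group names. This is an added example written for this page; it is not code from the original post or from Joji Oshima's article. It uses two claim rules instead of the Token-Groups mapping: an LDAP rule that reads the user's memberOf values (full DNs) into a temporary claim that is never sent to the relying party, and a custom rule that cuts each DN down to its CN and issues that as a Role claim. The relying party name "Contoso App" and the temporary claim type "http://temp/memberOfDn" are hypothetical and only used for illustration.

```powershell
# Added example, not from the original post or from Joji Oshima's article.
# Assumptions: a relying party trust named "Contoso App" exists (hypothetical),
# and "http://temp/memberOfDn" is a made-up claim type used only inside the pipeline.

$rpName = "Contoso App"

# Single-quoted here-string so PowerShell does not expand "$1" or "{0}".
$rules = @'
@RuleName = "Read the user's direct memberOf values (full DNs) into a temporary claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/memberOfDn"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "Issue only the CN of each direct group as a Role claim"
c:[Type == "http://temp/memberOfDn"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = RegExReplace(c.Value, "^CN=([^,]+),.*$", "$1"));
'@

# Note: -IssuanceTransformRules REPLACES the whole issuance rule set for the trust,
# so any rules you still want (e.g. the Name claim) must be included in $rules.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Check what was actually applied.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Two things to watch. First, `add(...)` rather than `issue(...)` in the LDAP rule keeps the raw DN claims inside the pipeline, so the relying party only ever sees the Role claims with the short names; if the first rule used `issue`, the DNs would be sent as well. Second, the `[^,]+` pattern stops at the first comma, so a group whose CN itself contains an escaped comma (`CN=Sales\, EMEA,...`) would be truncated; if you have such groups, tighten the pattern or rename them. Also remember that memberOf, unlike tokenGroups, does not include the user's primary group (normally Domain Users), so that group will not show up as a Role with this approach.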