
Trying to get all of the groups and nested groups for a user when authenticating with ADFS

Basically I have a structure like this:

  • group1 -> subgroup1, subgroup2
  • group2 -> subgroup3, subgroup2
  • group3 -> subgroup1, subgroup4

If I add group1 and group3 to my user, I would like to get back:

  • group1
  • subgroup1
  • subgroup2
  • group3
  • subgroup4

I have this query:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

But it only returns group1 and group3.

1 Answer

Have you tried:

Create a new rule, choose "Send LDAP Attributes as Claims", choose Active Directory as the attribute store, and choose the LDAP attribute "Token-Groups – Unqualified Names" with the claim type "Group".

This should send all groups. Note that your ADFS admin should NOT be allowing you to do a query like this, especially in large environments. Whoever wrote the application may also be a bit annoyed if large datasets are returned (nothing says the app stinks like waiting 5 mins to parse an XML list).

  • In this case I'm the developer, who is trying to figure out how to be the admin. Commented Aug 11, 2015 at 15:10
  • Looks like I added the groups wrong in AD; if I switch them around I get the results I was expecting, and this is what you get when you make developers into AD admins. Commented Aug 11, 2015 at 18:14
  • You should be specific in the group you are looking for rather than returning all groups; aside from security and performance issues on the server, a large number of groups returned could cause your app to crawl. Commented Aug 11, 2015 at 18:25
  • If the users were a little different that would be correct; the users I'm working with are for specific use and are only going to have 10 groups max, so best practice would be to filter them down, but in this case it's adding unnecessary complexity. Commented Aug 11, 2015 at 18:57
  • Only 10 groups max is a pipe dream in almost all environments. Search for "group sprawl". I've seen orgs with 100 people and 300 groups. It's not simply best practice, it will simplify everything, since you won't be filtering anything, just look for the group and return true. Commented Aug 11, 2015 at 19:13
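As an added illustration (not code from the question or the answer above), this Python snippet models what a Token-Groups claim resolves: the transitive set of groups a user belongs to. The nesting layout is constructed from the question, as a mapping from a group to the groups it is itself a member of (the direction that yields the list the asker expected), and a single-group membership check is included because that is what the comments recommend the application do instead of enumerating everything.

```python
# Added example: transitive (nested) group resolution, modelled on the
# question's layout. Not ADFS code; the directory below is constructed.
from collections import deque

# Constructed sample: group -> groups it is itself a member of.
# A user in group1 therefore also holds subgroup1 and subgroup2.
MEMBER_OF = {
    "group1": ["subgroup1", "subgroup2"],
    "group2": ["subgroup3", "subgroup2"],
    "group3": ["subgroup1", "subgroup4"],
}


def effective_groups(direct_groups, member_of=MEMBER_OF):
    """Return every group held directly or through nesting, in discovery order.

    A 'seen' list makes circular nesting (A in B, B in A) terminate instead
    of looping, which real directories do allow.
    """
    seen = []
    queue = deque(direct_groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.append(group)
        queue.extend(member_of.get(group, []))
    return seen


def is_member(direct_groups, wanted, member_of=MEMBER_OF):
    """Answer one authorisation question without materialising the full list.

    Stops as soon as the wanted group is reached; the visited set again
    guards against cycles.
    """
    stack = list(direct_groups)
    visited = set()
    while stack:
        group = stack.pop()
        if group == wanted:
            return True
        if group in visited:
            continue
        visited.add(group)
        stack.extend(member_of.get(group, []))
    return False


if __name__ == "__main__":
    print(effective_groups(["group1", "group3"]))
    print(is_member(["group1", "group3"], "subgroup3"))  # False
```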
