ADFS configuration for access groups

This page explains how to configure ADFS to pass Active Directory group membership to DCT as a claim, so that federated accounts can be mapped to access groups.

  1. Configure DCT to use the following value for the Group Attribute: http://schemas.xmlsoap.org/claims/Group

  2. In ADFS, create a new Claim rule and select “Send Claims Using a Custom Rule” for the Claim rule template.

  3. Use the following rule language for the custom rule:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

    This rule fetches all of the user's groups (tokenGroups) from Active Directory and stores each one as a temporary Group claim; because the rule uses add rather than issue, none of these claims is sent to DCT yet.

  4. Complete the wizard, then create a second custom rule to filter down the list of groups.

  5. Use the rule language to filter the group list, as shown below. This example retains only groups whose name contains the substring dct (the (?i) flag makes the match case-insensitive):

    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)dct"] => issue(claim = c);

    A second example retains only groups whose name starts with the string delphix-dct:

    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^delphix-dct"] => issue(claim = c);

    See When to Use a Pass Through or Filter Claim Rule for more examples of the ADFS filter rule syntax.

  6. Complete the wizard. Upon login to DCT, accounts federated from ADFS are now tagged with their group membership.
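As an added illustration (not part of this documentation or of ADFS itself), the following Python script simulates the two-rule pipeline above over a constructed directory, so the effect of a filter pattern can be checked before it is deployed. The account names, group names and the AD_STORE dictionary are constructed sample data; ADFS's =~ operator is modelled with Python's re.search, which, like the .NET regex used by ADFS, matches anywhere in the value unless the pattern is anchored.

```python
import re

# Constructed sample directory (not real data): account -> tokenGroups.
AD_STORE = {
    r"CORP\alice": ["Domain Users", "delphix-dct-admins", "Finance-DCT-Readers", "VPN-Users"],
    r"CORP\bob":   ["Domain Users", "delphix-dct-operators", "HR-Staff"],
}

ACCOUNT_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUP_TYPE = "http://schemas.xmlsoap.org/claims/Group"


def add_groups(claims):
    """Rule 1 (add): for every windowsaccountname claim from AD AUTHORITY, look up
    tokenGroups and append one temporary Group claim per group. Nothing is issued."""
    temp = []
    for c in claims:
        if c["type"] == ACCOUNT_TYPE and c["issuer"] == "AD AUTHORITY":
            for group in AD_STORE.get(c["value"], []):
                temp.append({"type": GROUP_TYPE, "value": group, "issuer": "AD AUTHORITY"})
    return claims + temp


def issue_filtered(claims, pattern):
    """Rule 2 (issue): emit only Group claims whose value matches the regex (ADFS '=~')."""
    rx = re.compile(pattern)
    return [c["value"] for c in claims if c["type"] == GROUP_TYPE and rx.search(c["value"])]


def groups_for(account, pattern):
    """Run both rules for one login and return the group values DCT would receive."""
    initial = [{"type": ACCOUNT_TYPE, "value": account, "issuer": "AD AUTHORITY"}]
    return issue_filtered(add_groups(initial), pattern)


if __name__ == "__main__":
    for pattern in (r"(?i)dct", r"^delphix-dct", r".*"):
        print(pattern, "->", groups_for(r"CORP\alice", pattern))
```

The constructed Finance-DCT-Readers entry shows that the substring filter also passes groups that merely contain dct, while the anchored prefix form passes only the intended delphix-dct groups, and a rule with no filter (the .* case) sends every group the user belongs to.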