Map an Organization Group Claim to an AD LDS Attribute and Value (Group Claim Extraction)
Applies To: Windows Server 2008
When you use Active Directory Lightweight Directory Services (AD LDS) as the Active Directory Federation Services (AD FS) account store for a Federation Service, an organization group claim maps to a Lightweight Directory Access Protocol (LDAP) attribute and value of the user account in AD LDS. This mapping is called a group claim extraction. For example, suppose that the organization group claim Manager is mapped to the AD LDS user account attribute memberOf and the value CN=ADLDSTestGroup,CN=Users,DC=adatum,DC=com. In this case, if the AD LDS store user account for the logged-on user has the memberOf attribute and that attribute has a value of CN=ADLDSTestGroup,CN=Users,DC=adatum,DC=com, the organization group claim Manager is generated for the user. If the memberOf attribute and the corresponding value that is specified in the group claim extraction are not both present on the user account, the organization group claim is not generated.
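The following added example (not part of this page or of AD FS itself) simulates how a group claim extraction is evaluated against AD LDS user entries: the claim is emitted only when the configured attribute exists on the entry and holds the configured value, and the three constructed users show the match, the present-attribute-but-wrong-value case, and the missing-attribute case. The user entries and the exact-string value comparison are assumptions made for the illustration.

```python
"""Simulate AD FS group claim extraction against AD LDS user entries."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupClaimExtraction:
    attribute: str   # LDAP attribute name, e.g. "memberOf"
    value: str       # required attribute value, e.g. a group DN
    claim: str       # organization group claim to generate, e.g. "Manager"


# Extraction taken from the page's example.
EXTRACTIONS = [
    GroupClaimExtraction(
        "memberOf", "CN=ADLDSTestGroup,CN=Users,DC=adatum,DC=com", "Manager"
    ),
]

# Constructed sample AD LDS entries (attribute name -> list of values, since
# LDAP attributes are multi-valued). These users are hypothetical.
USERS = {
    "alice": {"memberOf": ["CN=ADLDSTestGroup,CN=Users,DC=adatum,DC=com",
                           "CN=Staff,CN=Users,DC=adatum,DC=com"]},
    "bob":   {"memberOf": ["CN=Staff,CN=Users,DC=adatum,DC=com"]},  # value absent
    "carol": {"displayName": ["Carol"]},                             # attribute absent
}


def extract_group_claims(entry, extractions):
    """Return the set of organization group claims generated for one entry."""
    # LDAP attribute names are case-insensitive, so normalize them before lookup.
    attrs = {name.lower(): values for name, values in entry.items()}
    claims = set()
    for ext in extractions:
        values = attrs.get(ext.attribute.lower(), [])
        # Both conditions must hold: the attribute is present AND it carries
        # the configured value. Value comparison here is an exact string match
        # (an assumption of this example; the page does not describe DN matching).
        if ext.value in values:
            claims.add(ext.claim)
    return claims


if __name__ == "__main__":
    for user, entry in USERS.items():
        print(user, sorted(extract_group_claims(entry, EXTRACTIONS)))
```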
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To map an organization group claim to an AD LDS attribute and value
Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Double-click Federation Service, double-click Trust Policy, double-click My Organization, double-click Account Stores, right-click AD LDS, point to New, and then click Group Claim Extraction.
In the Create a New Group Claim Extraction dialog box, in Attribute and Value, type the LDAP attribute and its value, respectively.
In Map to this Organization Claim, select the organization group claim to map to the AD LDS attribute and value, and then click OK.