Sending Group Membership as a Claim

Applies To: Active Directory Federation Services (AD FS) 2.0, Windows Server 2012

Using the Send Group Membership as a Claim rule template, you can send a specified claim type and value when a user is a member of an Active Directory security group. When you use this rule, only a single claim is sent, based on the Active Directory group that you select.

For example, you can use this rule template to create a rule that sends a group claim with a value of "Admin" if the user is a member of the Domain Admins security group. Administrators should use this rule type in the acceptance transform rules of a claims provider trust only if group security identifiers (SIDs) are being received from the claims provider, which is very uncommon for any claims provider except Active Directory or Active Directory Domain Services (AD DS). This rule type is usually used in a relying party trust, and it applies only to users who authenticate against AD DS locally and come through the Active Directory claims provider trust.

This rule template issues the specified claim only when the user has an incoming group SID claim that matches the Active Directory group that the administrator specifies. All users who authenticate against AD DS receive incoming group SID claims for each group that they belong to. By default, the acceptance transform rules in the Active Directory claims provider trust pass through these group SID claims. Using these group SIDs as the basis for issuing claims is much faster than looking up the user’s groups in AD DS at sign-in time. For more information about the claims issuance process, see Using Claim Rules for Issuing Claims.
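The following PowerShell is an added example, not part of the original article, that builds the claim rule this template generates for the Domain Admins case above and appends it to a relying party trust. It assumes the Windows Server 2012 ADFS and ActiveDirectory modules are available and uses "Contoso App" as a placeholder relying party display name.

```powershell
# Added example: create the "Send Group Membership as a Claim" rule in claim rule
# language. The rule matches the incoming group SID claim that the Active Directory
# claims provider trust passes through, so no AD DS group lookup happens per sign-in.
# Assumptions: ADFS and ActiveDirectory modules are installed; "Contoso App" is a
# placeholder relying party trust name.
Import-Module ADFS
Import-Module ActiveDirectory

$relyingParty = "Contoso App"      # placeholder display name of the relying party trust
$group        = "Domain Admins"

# Resolve the group SID once, at rule-creation time. The rule compares the incoming
# groupsid claim against this literal value, which is why it is faster than a lookup.
$groupSid = (Get-ADGroup -Identity $group).SID.Value

# Claim rule language as emitted by the template (@RuleTemplate = "MapClaims").
# Issuer == "AD AUTHORITY" restricts the match to SIDs asserted by the Active
# Directory claims provider trust, not to group SID claims from another provider.
$rule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Send Admin claim for $group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "Admin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# -IssuanceTransformRules replaces the entire rule set for the trust, so read the
# existing rules first and append the new one instead of overwriting them.
$existing = (Get-AdfsRelyingPartyTrust -Name $relyingParty).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $relyingParty -IssuanceTransformRules ($existing + "`r`n" + $rule)

# Confirm the rule is present on the trust.
(Get-AdfsRelyingPartyTrust -Name $relyingParty).IssuanceTransformRules
```

Because the rule keys on the SID rather than the group name, renaming the group in AD DS does not change which users receive the "Admin" claim; deleting and recreating the group does, since the new group gets a different SID.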

See Also

Other Resources

When to Use a Send Group Membership as a Claim Rule
Create a Rule to Send Group Membership as a Claim
Determine the Type of Claim Rule Template to Use
The Role of Claim Rules