Let's have the full solution on this new platform to avoid going back and forth to the original post on the old platform :)
First you need a rule that extracts the distinguishedName attribute of the user:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("claim:/temp/dn"), query = ";distinguishedName;{0}", param = c.Value);
A couple of things about this rule. It needs to be placed first to ensure that the subsequent rules have the output of this rule to work with. Then, it is an "add" statement, not an "issue" statement. It means that the output of the rule will not be in the final token. When we use "add" we just make the output of the rule available for other rules. Then the claim type "claim:/temp/dn" is just a temporary variable. It can have any name really. It is a good practice that a claim type has a URI format, but because we don't issue this temporary claim, we don't really care. Also, you do not need to add this claim type in the claim definition of your ADFS console.
Then you check if the user is in the Student OU. The easiest way to do it is with the following rule:
c:[Type == "claim:/temp/dn", Value =~ "(OU=Students)"]
=> issue(Type = "eduPersonAffiliation", Value = "Student");
We simply check if the temporary variable which holds the distinguishedName of the user has the string "OU=Students" in it. You don't have to add the entire path of the OU. And the check is case sensitive, so make sure it has the right spelling. This time it is an issue statement because we want the claim type "eduPersonAffiliation" to be in the final token. Note that you do not need "Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType" as this information will actually not be issued in the token anyway. Also, the claim type "eduPersonAffiliation" doesn't have a URI format, which seems to be fine for your relying party as it uses SAML2. If the relying party were using WS-Federation the token issuance would fail. And at the end of the day, it is the application owner that decides what claim type they need. So not really your call...
And the final rule:
c:[Type == "claim:/temp/dn", Value =~ "(OU=Employees)"]
=> issue(Type = "eduPersonAffiliation", Value = "Employee");
So you add those three rules as custom claim rules in this order and you will be fine.
Let us know how that goes.
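
Added example, not part of the original post: a PowerShell dry run of the two `=~` patterns from rules 2 and 3 against constructed distinguishedName values, so you can see which eduPersonAffiliation values would be issued before touching the relying party trust. It assumes `=~` behaves like .NET `Regex.IsMatch` (case sensitive, unanchored); the sample DNs, the `example.edu` domain, the function name and the stricter "whole RDN" patterns are hypothetical.

```powershell
# Constructed sample DNs (not from the original post); example.edu is a placeholder domain.
$sampleDns = @(
    'CN=Alice Martin,OU=Students,DC=example,DC=edu'            # user directly in the Students OU
    'CN=Bob Chen,OU=Employees,DC=example,DC=edu'               # user directly in the Employees OU
    'CN=Carol Diaz,OU=students,DC=example,DC=edu'              # OU name spelled in lower case
    'CN=Dan Roy,OU=StudentsAlumni,DC=example,DC=edu'           # OU name that only starts with "Students"
    'CN=Eve Park,OU=Students,OU=Employees,DC=example,DC=edu'   # Students OU nested under Employees
)

# Patterns exactly as written in rules 2 and 3, mapped to the value each rule issues.
$postedRules = [ordered]@{
    '(OU=Students)'  = 'Student'
    '(OU=Employees)' = 'Employee'
}

# Hypothetical stricter variant: match OU=<name> only when it is a complete RDN.
$wholeRdnRules = [ordered]@{
    '(^|,)OU=Students(,|$)'  = 'Student'
    '(^|,)OU=Employees(,|$)' = 'Employee'
}

function Get-IssuedAffiliation {
    param(
        [string]$DistinguishedName,
        [System.Collections.IDictionary]$RuleSet
    )
    # Every rule whose condition matches issues its own claim, so one DN
    # can produce more than one eduPersonAffiliation value.
    $issued = foreach ($pattern in $RuleSet.Keys) {
        if ([regex]::IsMatch($DistinguishedName, $pattern)) { $RuleSet[$pattern] }
    }
    if ($issued) { $issued -join ', ' } else { '(none)' }
}

# One row per DN: what the posted patterns issue versus the stricter patterns.
$sampleDns | ForEach-Object {
    [pscustomobject]@{
        DN       = $_
        AsPosted = Get-IssuedAffiliation -DistinguishedName $_ -RuleSet $postedRules
        WholeRdn = Get-IssuedAffiliation -DistinguishedName $_ -RuleSet $wholeRdnRules
    }
} | Format-Table -AutoSize -Wrap
```

Replace the sample list with real distinguishedName values from your directory and compare the two columns; any row where they differ is an account whose affiliation depends on a partial OU name match.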