ADFS Group DN filter not working

Stephane Favre 21 Reputation points

Hi all

We have an ADFS 3.0 farm, and need to include the group DN into the claim.

I have the following 2 rules, the first one successfully pulls the DNs of all the user's groups. Worried about token bloat since some users have 100s of group memberships.

The second one (Role) is meant to filter based on DNs starting with "CN=xyz*", but it's not working.

Any ideas?


c1:[Type == "", Issuer == "AD AUTHORITY"]
&& c2:[Type == ""]
=> issue(store = "Active Directory", types = ("http://group/DN"), query = "(&(objectClass=group)(objectSID={1}));distinguishedName;{0}", param = c1.Value, param = c2.Value);

c:[Type == "http://group/DN", Value =~ "^CN=XYZ*"]
=> issue(claim = c);


Accepted answer
  1. Pierre Audonnet - MSFT 10,121 Reputation points Microsoft Employee

    You are issuing all the DNs with the first rule. You need to replace the "issue" statement with an "add" statement.

    (also, there are typos like extra ";" in the first rule, but it might just be copy paste errors)

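To make the difference between "issue" and "add" concrete, here is an added example (my own toy model in Python, not code from the thread or from ADFS) that replays the two rules against a constructed list of group DNs. It assumes the account-name claim type `windowsaccountname` in place of the blank `Type == ""` strings in the posted rule, and the group DNs are invented sample values. Rules run in order; "add" puts a rule's claims into the input set only, while "issue" puts them into the input set and into the outgoing token. With "issue" on the first rule every DN lands in the token and the filtered ones are issued a second time; with "add" only the filtered DNs are issued. The helper also shows why an anchored prefix such as `^CN=XYZ` is safer than `^CN=XYZ*`: in a regex the `*` quantifies the preceding character, so the second pattern also matches a DN beginning with `CN=XY`.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Claim:
    type: str
    value: str

# Claim types used below. The group DN type is the one from the question; the
# account-name type is an assumed stand-in for the blank Type == "" in the post.
GROUP_DN_TYPE = "http://group/DN"
ACCOUNT_NAME_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Constructed sample data: the DNs the AD attribute store would return for one
# user's group memberships (hypothetical values, not from the thread).
SAMPLE_GROUP_DNS = [
    "CN=XYZ-Admins,OU=Groups,DC=example,DC=com",
    "CN=XYZ-Readers,OU=Groups,DC=example,DC=com",
    "CN=XY-Legacy,OU=Groups,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
    "CN=VPN-Users,OU=Groups,DC=example,DC=com",
]

# A rule is (action, producer): the producer sees the current input claim set
# and returns the claims the rule emits. Action is "add" or "issue".
Rule = Tuple[str, Callable[[List[Claim]], List[Claim]]]

def run_pipeline(rules: List[Rule], incoming: List[Claim]) -> List[Claim]:
    """Toy model of claim rule evaluation (not the real ADFS engine).

    Rules run in order and each sees the incoming claims plus everything earlier
    rules produced. 'add' places claims in the input set only; 'issue' places
    them in the input set AND in the outgoing token.
    """
    pipeline = list(incoming)
    token: List[Claim] = []
    for action, producer in rules:
        produced = producer(pipeline)
        pipeline.extend(produced)
        if action == "issue":
            token.extend(produced)
        elif action != "add":
            raise ValueError(f"unknown action {action!r}")
    return token

def lookup_group_dns(pipeline: List[Claim]) -> List[Claim]:
    """Stands in for the first rule's Active Directory attribute-store query;
    it only fires when the user's account-name claim is present."""
    if not any(c.type == ACCOUNT_NAME_TYPE for c in pipeline):
        return []
    return [Claim(GROUP_DN_TYPE, dn) for dn in SAMPLE_GROUP_DNS]

def make_dn_filter(pattern: str) -> Callable[[List[Claim]], List[Claim]]:
    """Second rule: pass through only group-DN claims whose value matches the regex."""
    regex = re.compile(pattern)
    def filter_rule(pipeline: List[Claim]) -> List[Claim]:
        return [c for c in pipeline if c.type == GROUP_DN_TYPE and regex.search(c.value)]
    return filter_rule

def issued_group_dns(first_rule_action: str, pattern: str = "^CN=XYZ") -> List[str]:
    """Run both rules with the first set to 'add' or 'issue' and return the
    group-DN values that end up in the token, in order."""
    rules: List[Rule] = [(first_rule_action, lookup_group_dns),
                         ("issue", make_dn_filter(pattern))]
    incoming = [Claim(ACCOUNT_NAME_TYPE, "EXAMPLE\\jdoe")]  # constructed user
    return [c.value for c in run_pipeline(rules, incoming) if c.type == GROUP_DN_TYPE]

if __name__ == "__main__":
    print("issue + filter:", issued_group_dns("issue"))  # all five DNs, XYZ ones twice
    print("add   + filter:", issued_group_dns("add"))    # only the two XYZ DNs
    print("add   + ^CN=XYZ*:", issued_group_dns("add", "^CN=XYZ*"))  # XY-Legacy slips in
```

Running it prints seven DNs for the "issue" variant (the token bloat the question worries about, plus duplicates) and two for the "add" variant; the third line shows the `*` pitfall with the constructed `CN=XY-Legacy` group.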

1 additional answer

  1. Stephane Favre 21 Reputation points

    So being a techie and not a dev at all, plus no readily available info on those matters, I have had to "figure out" how this stuff works. So I assume the "issue" statement is like a closure on the command stating that nothing else needs to be done, issue that part of the token, and "add" takes that dataset into the next rule as per sequential order?

    I amended my rule and tested, got the exact expected result so thank you for the assistance. (and teaching me something!)

    PS: I think the extra characters were copy paste errors
