Our client needs to get rid of multiple AD accounts for users who work for two different organizations (e.g. 50-50).
Currently those users log in to the computer with the account of the organization they are working for at the time, and are granted access to those SharePoint sites that have that same organization's AD groups permitted on them.
So they asked whether it would be possible for those users to have only one AD account, and then create a new LDAP environment to give those AD accounts two different roles, with different AD groups mapped to each role.
And the most important question: could we leverage those roles when the user authenticates to SharePoint, so that depending on the role the user chooses, he would only get permissions in SharePoint to those sites that have the AD groups belonging to the role he has chosen?
This is a bit hard to explain, and even to get started with, but any comment would be appreciated.
Currently they are using SharePoint 2016 with SAML authentication via ADFS.
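For reference, as an added example that is not part of the question above: on the stack described (SharePoint 2016, SAML via ADFS) the usual way to turn AD group membership into something SharePoint can authorize on is to have ADFS issue one role claim per AD group and then grant SharePoint site permissions to the claim value instead of to the AD group. The names used below (the relying party trust "SharePoint 2016", the trusted identity token issuer "ADFS", the group "OrgA-SharePoint-Users", the site URL) are placeholders. One caveat a practitioner should know up front: ADFS has no built-in "pick a role at sign-in" step, so with these rules the token carries every role claim the account qualifies for, and SharePoint honours all of them; a user-selected role would need an extra component in front of ADFS (or separate relying party trusts) that is not shown here.

```powershell
# Added example, not the original poster's configuration. All names are placeholders.

# ---- ADFS side (run on the ADFS server) ----------------------------------
# Issuance transform rule: read the authenticated user's tokenGroups from AD
# and emit each group as a standard role claim. This is the same output the
# "Send LDAP Attributes as Claims" wizard produces for Token-Groups.
$roleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$rules = @"
@RuleName = "AD groups as role claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$roleClaimType"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "E-mail address as identifier claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
"@
# Replaces the existing rule set on the (placeholder-named) relying party trust.
Set-AdfsRelyingPartyTrust -TargetName "SharePoint 2016" -IssuanceTransformRules $rules

# ---- SharePoint side (run in the SharePoint Management Shell) -------------
# Make the existing trusted identity token issuer accept the role claim type.
$sts = Get-SPTrustedIdentityTokenIssuer "ADFS"
if ($sts.ClaimTypes -notcontains $roleClaimType) {
    $sts.ClaimTypes.Add($roleClaimType)
    $sts.Update()
    $roleMapping = New-SPClaimTypeMapping -IncomingClaimType $roleClaimType `
        -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
    Add-SPClaimTypeMapping -Identity $roleMapping -TrustedIdentityTokenIssuer $sts
}

# Grant a site permission to the role claim value, i.e. to "everyone whose
# ADFS token says they are in OrgA-SharePoint-Users", rather than to the AD group.
$orgARole = New-SPClaimsPrincipal -ClaimValue "OrgA-SharePoint-Users" `
    -ClaimType $roleClaimType -TrustedIdentityTokenIssuer $sts
New-SPUser -UserAlias $orgARole.ToEncodedString() `
    -Web "https://sharepoint.example.com/sites/orga" -PermissionLevel "Read"

# Quick check: the encoded form of the principal is what appears in site
# permissions (a c:0-.t|adfs|... style string) and can be searched for there.
$orgARole.ToEncodedString()
```

Because SharePoint evaluates the role claims present in the SAML token at sign-in, a user who is in both organizations' groups gets both sets of site permissions from a single account and a single login; restricting that to one organization per session is exactly the part this plumbing does not provide on its own.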