ADFS Group restriction

  • Question

  • Hello

    ADFS 2.0 role on Server 2008 R2.

    I have created a RPT with a claim rule that transforms the AD attribute Token-Groups - Unqualified Names to a claim type named Groups.  This fails on the configured system with the following error: 'Invalid group lookup: SAML assertion contains too many values for 'Groups'. Please contact your Identity Provider or Federation Services administrator.'

    Using the example from Problem 1 as the basis (http://social.technet.microsoft.com/wiki/contents/articles/16161.ad-fs-2-0-using-regex-in-the-claims-rule-language.aspx), I have tried to limit the values that are sent to only include those relevant to the system.

    Get Group Membership
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

    Send Only Required Groups
    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)^My\s+Group.*"]
     => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value, ValueType = "Groups");

    The error now thrown is: 'Failed to process SAML assertion: The status code of the Response was not Success, was Responder.'

    Please advise on whether it is possible to send a filtered value and the correct syntax.

    Thanks

    Paul.

    Tuesday, November 22, 2016 11:27 AM

Answers

  • Have you tried not to add: ValueType = "Groups" ?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, November 22, 2016 3:45 PM
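    Added example, not from the original thread or from the answerer: the poster's two rules with the `ValueType = "Groups"` argument dropped as the answer suggests (the issue statement then defaults to a string-typed claim), applied to the relying party trust through the AD FS 2.0 PowerShell snap-in. The trust name "MyApp" is an assumption; the "My Group" prefix comes from the question. The filter regex is tightened with a word boundary so that only groups that begin with the words "My Group" are released, which is the point of the second rule: the relying party receives the handful of groups it needs rather than the user's full tokenGroups list.

```powershell
# Added example (not from the original thread). Assumes an AD FS 2.0 server on
# Server 2008 R2 with a relying party trust whose display name is "MyApp".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "MyApp"   # assumption: display name of the relying party trust

# Rule 1: query tokenGroups for the authenticated Windows account and add the
# results as intermediate claims. add() keeps them in the pipeline only; nothing
# is released to the relying party unless a later rule issues it.
# Rule 2: issue only the groups the application needs. "(?i)" makes the match
# case-insensitive, "^" anchors at the start of the value, and "\b" stops names
# such as "My Grouper" from slipping through. No ValueType is given, so the claim
# is issued as a plain string, which is what the answer above suggests.
$rules = @'
@RuleName = "Get Group Membership"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Send Only Required Groups"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)^My\s+Group\b"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value);
'@

# Replace the issuance transform rule set on the trust with the two rules above.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read the stored rule set back to confirm exactly what AD FS will evaluate.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

    After applying the rules, sign in to the application once more: the SAML response should now carry only the Group attribute values that match the pattern, and the "too many values" complaint from the application should disappear along with the Responder status that the invalid ValueType produced.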

All replies

  • Any news?

    Friday, November 25, 2016 8:16 PM