Filtering the list of groups included in a token

  • Question

  • Hi,

    We have the issue in AD that our users belong to far too many groups, increasing the size of the token and causing problems at the other end.

    What we need is to send out a claim called Groups that contains a list of names of groups the user is a member of. We would now need to filter this list to include only groups whose names start with ABC.

    I'm no ADFS expert, and our experts are also new to the topic, so I hope someone here can help guide us in the right direction? I assume we need to use claim rules of some sort?

    Current config:

    Claim config



    Friday, January 4, 2019 9:06 AM


  • 1. Remove the last item from your existing rule

    2. Create a custom rule with the following:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("temp:claims/group"), query = ";tokenGroups;{0}", param = c.Value);

    3. Create another custom rule (place it after rule 2):

    c:[Type == "temp:claims/group", Value =~ "^(?i)ABC"]
     => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value);

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Devdumper Friday, January 11, 2019 11:24 AM
    Friday, January 4, 2019 1:44 PM
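
An offline check of the rule 3 filter from the answer above, as an added example that is not part of the original thread: the claim rule `=~` operator uses .NET regular expressions, so the same pattern can be tried through `[regex]` in PowerShell before the rules are edited. The group names and the `Test-GroupFilter` helper are constructed for illustration.

```powershell
# Added example: validate the group filter offline before editing the claim rules.
# Every group name below is constructed sample data, not taken from the thread.
$pattern = '^(?i)ABC'   # same expression as rule 3 in the answer

$sampleGroups = @(
    'ABC-Finance',          # expected: issued
    'abc_helpdesk',         # expected: issued, (?i) makes the match case-insensitive
    'XABC-Legacy',          # expected: dropped, ^ anchors at the start of the value
    'CONTOSO\ABC-Finance',  # expected: dropped, a domain-qualified value starts with the domain
    'Domain Users'          # expected: dropped
)

# Hypothetical helper: reports, per group name, whether rule 3 would issue it.
function Test-GroupFilter {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,
        [Parameter(Mandatory)] [string[]] $Groups
    )
    foreach ($g in $Groups) {
        [pscustomobject]@{
            Group  = $g
            Issued = [regex]::IsMatch($g, $Pattern)
        }
    }
}

$result = Test-GroupFilter -Pattern $pattern -Groups $sampleGroups
$result | Format-Table -AutoSize

# Rough size comparison: total characters of group values before and after filtering.
$before = ($sampleGroups | Measure-Object -Property Length -Sum).Sum
$after  = ($result | Where-Object Issued |
           ForEach-Object { $_.Group.Length } |
           Measure-Object -Sum).Sum
"Group value characters: $before before filtering, $after after"

# Emit rule 3 with the tested pattern, so the expression that gets pasted
# into the custom rule is the one that was checked above.
@"
c:[Type == "temp:claims/group", Value =~ "$pattern"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value);
"@
```

Replace the sample list with real group names exported from the directory to see which ones the relying party would receive.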