Assuming you have a mono domain/forest AD environment, you could have the following rules:
1. Extract and send groups
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
Of course, you could replace the issue statement with add if you do not actually need the groups themselves in the token.
2. Extract and send the url attribute for each of the previously extracted groups:
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
&& c2:[Type == "http://schemas.xmlsoap.org/claims/Group"]
=> issue(store = "Active Directory", types = ("http://temp/url"), query = "(&(objectCategory=group)(samaccountname={1}));url;{0}", param = c1.Value, param = c2.Value);
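A simplified Python model of how the claims pipeline evaluates the two rules above, added here as an illustration (it is not code from the original post and not AD FS itself). The account name, group names and url values are constructed, and the Issuer condition is omitted; it shows what reaches the token when rule 1 uses issue versus add.

```python
# Simplified model of AD FS claim rule evaluation (illustration only).
WAN = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
URL = "http://temp/url"

# Constructed sample directory data standing in for the AD attribute store.
TOKEN_GROUPS = {"CONTOSO\\alice": ["Domain Users", "Finance", "HR-Portal"]}
GROUP_URL = {"Finance": ["https://finance.example"],
             "HR-Portal": ["https://hr.example"]}


def rule1(claims):
    """Rule 1: one Group claim per tokenGroups entry of the account."""
    return [(GROUP, g)
            for t, account in claims if t == WAN
            for g in TOKEN_GROUPS.get(account, [])]


def rule2(claims):
    """Rule 2: fires once per (c1, c2) pair and reads the url of group c2.
    Groups without a url value yield no claim."""
    return [(URL, u)
            for t1, _account in claims if t1 == WAN
            for t2, group in claims if t2 == GROUP
            for u in GROUP_URL.get(group, [])]


def evaluate(incoming, rules):
    """rules: ordered list of (rule_function, 'issue' or 'add')."""
    input_set, output_set = list(incoming), []
    for fn, statement in rules:
        produced = fn(input_set)      # conditions only see the input set
        input_set += produced         # issue and add both feed later rules
        if statement == "issue":
            output_set += produced    # only issue puts claims in the token
    return output_set


if __name__ == "__main__":
    incoming = [(WAN, "CONTOSO\\alice")]
    for first in ("issue", "add"):
        print(first, evaluate(incoming, [(rule1, first), (rule2, "issue")]))
```

With add in rule 1 the relying party receives only the url claims, which keeps group membership out of the token.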