SAML authentication + AD groups

Jan 7, 2014 at 12:53 AM
Hi,

Using this solution for AD users works fine for me https://ldapcp2010.codeplex.com/

However, I'm having issues with trying to get AD groups to pass through users within them. I can look up AD groups in people picker with no issues but when users try to log on, they get access denied.

Any suggestions would be much appreciated.

Thank you.
Coordinator
Jan 7, 2014 at 2:19 PM
Hello,
What is the claim type associated with AD groups?
By default LDAPCP 2010 assumes it is http://schemas.xmlsoap.org/claims/Group, but you can change it in the central admin > security > claim type mapping page if you're using a different one.
cheers,
Yvan
Jan 8, 2014 at 12:46 AM
Hi,

Everything is set to default. Claim type is http://schemas.xmlsoap.org/claims/Group
Jan 8, 2014 at 2:47 AM
Ok, did some more digging/playing around and I've managed to get this to work.

I've re-created claim rules to use token-groups - unqualified names and role type and added claim type in LDAPCP to use http://schemas.microsoft.com/ws/2008/06/identity/claims/role with samaccountname as LDAP attribute as well as group as object class. Everything is working now.

Cheers.
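The AD FS side of the change described in the post above, as an added example that is not part of this thread or of LDAPCP: a PowerShell fragment for the AD FS 2.0 snap-in that appends a Token-Groups - Unqualified Names rule emitting the Role claim type to an existing relying party trust. The trust name "SharePoint 2010" is an assumption; the LDAPCP side (role claim type mapped to sAMAccountName on the group object class) is still done in Central Admin as the post says.

```powershell
# Added example, not from the thread. AD FS 2.0 snap-in (Server 2008 R2 era).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "SharePoint 2010"   # ASSUMPTION: display name of your relying party trust

# Claim rule language equivalent of the "Send LDAP Attributes as Claims" template
# with Token-Groups - Unqualified Names mapped to the Role claim type.
# The role claim type string must match the LDAPCP claim type mapping exactly.
$roleRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Token-Groups (unqualified) as Role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Unqualified names carry only the group's sAMAccountName (e.g. "SP_Users"), which is
# what lets LDAPCP resolve the value against group objects. Because the domain part is
# dropped, same-named groups in other trusted domains would yield identical claim values.

# Append to the existing rule set (identity claim rule etc.) rather than overwriting it.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$merged = $rp.IssuanceTransformRules + "`r`n" + $roleRule
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $merged

# Check: show the rules that will now be applied for this trust
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

After the change, a user's SAML token should contain one Role claim per AD group; if access is still denied, compare the claim type in the token against the one shown on the LDAPCP claim type mapping page.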
Jun 4, 2014 at 6:15 PM
James,

Can you post a screenshot of how you did this? I'm running into the same error. This is my claims list:
Image

Here's my search results:

Image
Jun 19, 2014 at 3:56 AM
Edited Jun 19, 2014 at 5:07 AM
I can't see your screenshots but I've attached mine.

This is LDAPCP

Image

and this is AD FS

Image