SAML authentication + AD groups

Jan 7, 2014 at 12:53 AM

Using this solution for AD users works fine for me

However, I'm having issues with trying to get AD groups to pass through users within them. I can look up AD groups in people picker with no issues but when users try to log on, they get access denied.

Any suggestions would be much appreciated.

Thank you.
Jan 7, 2014 at 2:19 PM
What is the claim type associated with AD groups?
By default LDAPCP 2010 assumes it is, but you can change it in the Central Admin > Security > Claim type mapping page if you're using a different one.
Jan 8, 2014 at 12:46 AM

Everything is set to default. Claim type is
Jan 8, 2014 at 2:47 AM
Ok, did some more digging/playing around and I've managed to get this to work.

I've re-created the claim rules to use Token-Groups - Unqualified Names with the Role claim type, and added the claim type in LDAPCP with sAMAccountName as the LDAP attribute and group as the object class. Everything is working now.

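The same two-sided setup, scripted, as an added example that is not part of the original thread or of the LDAPCP project: part 1 adds the AD FS issuance rule that turns a user's AD group membership into role claims (Token-Groups - Unqualified Names in the AD FS GUI is the tokenGroups attribute in the claim rule language), and part 2 makes the SharePoint trusted identity token issuer accept that role claim type. The relying party trust name "SharePoint" and the token issuer name "ADFS" are assumptions; replace them with your own. The LDAPCP claim type mapping itself (role claim type, LDAP attribute sAMAccountName, object class group) has no documented cmdlet and is done in Central Admin as described in the post above.

```powershell
# Added example, not from the original thread. Part 1 runs on the AD FS server,
# part 2 on a SharePoint server, both in an elevated PowerShell session.

## Part 1 - AD FS: issue the user's AD group memberships as role claims
$rpName = "SharePoint"   # assumed relying party trust name

# "Token-Groups - Unqualified Names" in the GUI == tokenGroups in rule language.
$groupRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD groups as role claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Append to the existing issuance transform rules instead of overwriting them,
# so the identity claim rule (UPN, e-mail, ...) that already works is kept.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`r`n" + $groupRule)

## Part 2 - SharePoint: accept the role claim type on the trusted identity token issuer
$tokenIssuerName = "ADFS"   # assumed SPTrustedIdentityTokenIssuer name
$roleClaimType   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $tokenIssuerName
$alreadyMapped = $issuer.ClaimTypeInformation |
    Where-Object { $_.InputClaimType -eq $roleClaimType }

if (-not $alreadyMapped) {
    # SameAsIncoming: SharePoint keeps the claim type exactly as AD FS issues it,
    # which is what LDAPCP's claim type mapping page must then reference.
    $mapping = New-SPClaimTypeMapping -IncomingClaimType $roleClaimType `
        -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
    Add-SPClaimTypeMapping -Identity $mapping -TrustedIdentityTokenIssuer $issuer
}

# Check: the role claim type must now be listed for the token issuer
(Get-SPTrustedIdentityTokenIssuer -Identity $tokenIssuerName).ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType
```

Two things worth checking before relying on this for authorization: the role claim type string must be identical, character for character, in the AD FS rule, the SharePoint claim type mapping and the LDAPCP mapping page, or the group claim arrives but is never matched and users still get access denied; and unqualified group names are not unique across domains or forests, so in a multi-domain environment one of the qualified Token-Groups variants is the safer choice, since SharePoint grants access to whatever role value AD FS issues.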
Jun 4, 2014 at 6:15 PM

Can you post a screenshot of how you did this? I'm running into the same error. This is my claims list:

Here's my search results:

Jun 19, 2014 at 3:56 AM
Edited Jun 19, 2014 at 5:07 AM
I can't see your screenshots, but I've attached mine.

This is LDAPCP


and this is AD FS