Default exclude AD local domain groups via LDAP filter

description

According to MS best practices, ADFS does not add local domain group memberships as "role" claims, since these types of AD groups shouldn't contain users.

Only AD global and universal groups should contain users, and their memberships are added by default (as a "role" claim to the SAML token).

Would it be an idea to add the following LDAP filter by default to the "role" claim in LDAPCP to exclude these groups: (|(groupType=-2147483646)(groupType=-2147483640))

This prevents users from selecting local domain groups, which by default cannot be used for authorisation purposes.
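To see what the proposed filter actually keeps and drops, here is an added example (not code from the request or from the LDAPCP project) that decodes the AD `groupType` bitmask and emulates the filter over a few constructed group entries. AD stores `groupType` as a signed 32-bit integer, which is why security-enabled groups have negative values: the two values in the filter are the security-enabled global and universal scopes, and the security-enabled domain local scope (-2147483644) is what gets excluded. The flag constants are the documented AD bit values; the sample entries are constructed for the example.

```python
# Added example: decode the AD groupType bitmask and evaluate the proposed
# LDAP filter (|(groupType=-2147483646)(groupType=-2147483640)) against
# constructed sample group objects. Not code from the request or LDAPCP.

# Documented AD groupType flag bits.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def decode_group_type(value: int) -> dict:
    """Interpret a groupType value as AD stores it (signed 32-bit integer)."""
    bits = value & 0xFFFFFFFF  # reinterpret the signed value as raw flag bits
    if bits & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif bits & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif bits & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown"
    return {"scope": scope, "security": bool(bits & GROUP_TYPE_SECURITY_ENABLED)}


def to_signed_group_type(scope_flag: int, security: bool = True) -> int:
    """Build the signed groupType value AD would return for a scope flag."""
    bits = scope_flag | (GROUP_TYPE_SECURITY_ENABLED if security else 0)
    # Convert the unsigned 32-bit pattern to the signed form LDAP clients see.
    return bits - 0x100000000 if bits & 0x80000000 else bits


# The two values named in the proposed filter (global + universal, security-enabled).
PROPOSED_FILTER_VALUES = {-2147483646, -2147483640}


def matches_proposed_filter(group: dict) -> bool:
    """Emulate the OR filter from the request on a single directory entry."""
    return group["groupType"] in PROPOSED_FILTER_VALUES


# Constructed sample directory entries (not real groups).
SAMPLE_GROUPS = [
    {"cn": "App-Admins", "groupType": -2147483646},          # global, security
    {"cn": "All-Staff", "groupType": -2147483640},           # universal, security
    {"cn": "Server-LocalAccess", "groupType": -2147483644},  # domain local, security
    {"cn": "Newsletter", "groupType": 2},                    # global, distribution list
]


def filtered_group_names(groups=SAMPLE_GROUPS) -> list:
    """Names of the groups LDAPCP would still offer for the role claim."""
    return [g["cn"] for g in groups if matches_proposed_filter(g)]


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["cn"], decode_group_type(g["groupType"]), matches_proposed_filter(g))
    print("kept:", filtered_group_names())
```

Note that the filter also drops distribution groups (`groupType` 2 and 8, without the security bit), which matches the intent: only security-enabled global and universal groups can carry a membership that ends up as a role claim.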
