Default exclude AD local domain groups via LDAP filter
According to MS best practices, ADFS does not add local domain group memberships as a "role" claim,
since these types of AD groups shouldn't contain users.
Only AD global and universal groups should contain users, and their memberships are added by default (as a "role" claim to the SAML token).
Would it be an idea to add the following LDAP filter by default to the "role" claim in LDAPCP to exclude these groups: (|(groupType=-2147483646)(groupType=-2147483640))
This prevents users from selecting local domain groups, which by default cannot be used for authorisation purposes.
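As an added illustration (not LDAPCP code, and not part of this work item), the script below decodes the groupType bit flags behind the two values in the proposed filter, rebuilds that filter from the flags, and checks which constructed sample groups it would keep; the flag constants are the documented AD groupType bits, and the sample group names and values are made up for the example.

```python
# Added example: decode AD groupType flags, rebuild the exact-match filter
# proposed above, and check which constructed sample groups it keeps.
# Flag values are the AD schema bits for the groupType attribute.

BUILTIN_LOCAL = 0x00000001   # system-created Builtin container groups
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000  # unset means a distribution group

# BUILTIN_LOCAL is listed first because Builtin groups also carry DOMAIN_LOCAL.
SCOPES = {BUILTIN_LOCAL: "builtin local", GLOBAL: "global",
          DOMAIN_LOCAL: "domain local", UNIVERSAL: "universal"}


def to_signed32(value):
    """groupType is stored as a signed 32-bit integer; LDAP filters compare that form."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & SECURITY_ENABLED else value


def describe(group_type):
    """Return (scope, security_enabled) for a signed or unsigned groupType value."""
    bits = group_type & 0xFFFFFFFF
    scope = next((name for flag, name in SCOPES.items() if bits & flag), "unknown")
    return scope, bool(bits & SECURITY_ENABLED)


def role_claim_filter(scopes=(GLOBAL, UNIVERSAL), security_only=True):
    """Build the OR filter of exact groupType values, e.g. the one proposed above."""
    values = [to_signed32(s | (SECURITY_ENABLED if security_only else 0)) for s in scopes]
    return "(|" + "".join(f"(groupType={v})" for v in values) + ")"


def passes_filter(group_type, ldap_filter):
    """Emulate the server-side match: an exact-value filter keeps only the listed values."""
    return f"(groupType={to_signed32(group_type)})" in ldap_filter


# Constructed sample groups: display name -> groupType as AD would return it.
SAMPLE_GROUPS = {
    "App-Readers (global security)": -2147483646,
    "All-Staff (universal security)": -2147483640,
    "FileShare-RW (domain local security)": -2147483644,
    "Administrators (builtin local security)": -2147483643,
    "Newsletter (global distribution)": 2,
}

if __name__ == "__main__":
    flt = role_claim_filter()
    print(flt)
    for name, gt in SAMPLE_GROUPS.items():
        print(f"{name:42} {describe(gt)} kept={passes_filter(gt, flt)}")
```

Because the filter matches exact values rather than bits, it also drops Builtin groups and distribution groups, which is consistent with the aim here since neither is used for authorisation.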