With an Identify Provider of Active Directory Federation Services (AD FS) on-prem with a SAML client, we are trying to capture an AD Groups collection.
Is this possible? If so, how? If not, why? Not sure why this seems so hard to accomplish in the “standard” brokering intergration…
So, AD Groups will show up in User Attributes as defined under the Identity Provider AD FS broker Groups - http://schemas.xmlsoap.org/claims/Group mapping. So we can see them come in a group (Attribute Value)… but we’re not sure how to use that in the clients scoping.
To help a bit more with my question, we’re linking with sonarqube - by default, with AD FS, it will take in the groups claims schema and if users are assigned an AD_ADMIN or AD_CREATE or AD_QUALITY group they are given appropriate rights. Even if we can’t get all groups, being able to map these 3 groups into a collection would be better than nothing. But it would have to be recognizable by SonarQube–as it allows you to map a claims schema or named group entity.
Hopefully, this helps…