Restricting Groups
AD FS 2.0 federates all of a user's groups by default. You can restrict the groups it sends to only those to which Zscaler policies will be applied. Zscaler recommends putting users in groups whose names begin with a specific word, such as Internet, so that the restriction can be expressed as a single pattern. For example, you can create groups such as Internet General, Internet Restricted, and so on.
To restrict the groups:
1. Remove the group mapping from the rule that you created when you added a claim rule.
To edit the existing claim rule:
a. In the AD FS 2.0 Management window, open the Trust Relationships > Relying Party Trusts folder.
b. Right-click the relying party trust that you created and select Edit Claim Rules.
c. When the Edit Claim Rules window appears, click Edit Rule to modify the rule that you created when adding a claim rule.
d. In the Configure Claim Rule window, delete the row that mapped the LDAP attribute for group to a claim rule type.
e. Click OK.
2. Create a new rule for group membership.
To add a new rule for group membership:
a. In the AD FS 2.0 Management window, open the Trust Relationships > Relying Party Trusts folder.
b. Right-click the relying party trust that you created and select Edit Claim Rules.
c. When the Edit Claim Rules window appears, click Add Rule.
d. Select Send Claims Using a Custom Rule and click Next.
e. In the Custom Rule window, do the following:
· Enter a name for this rule, such as “Return Group Membership”.
· In the custom rule box, enter the following text. It queries Active Directory for the user's group membership (tokenGroups) and adds each group name to the claims pipeline as a claim of type memberOf. Because the rule uses add rather than issue, nothing is sent to Zscaler yet; the next rule selects which of these groups are released.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("memberOf"), query = ";tokenGroups;{0}", param = c.Value);
f. Click Finish.
g. Click Add Rule.
h. Select Send Claims Using a Custom Rule and click Next.
i. In the Custom Rule window, do the following:
· Enter a name for this rule, such as “Restrict Group Membership”.
· In the custom rule box, enter a rule like one of the following. The =~ operator performs an unanchored regular-expression match, so a pattern without ^ and $ matches anywhere inside a group name; anchor the pattern so that only the intended groups are released.
c:[Type == "memberOf", Value =~ "^Internet.+"] => issue(claim = c);
The preceding regular expression matches any group name that begins with "Internet", e.g. 'Internet Access', 'InternetGroup3' or 'Internet Restricted'. Without the ^ anchor, a group such as 'NoInternetAccess' would also be released.
c:[Type == "memberOf", Value =~ "^(Sales|Marketing|HR)$"] => issue(claim = c);
The preceding regular expression matches only the three groups "Sales", "Marketing" and "HR". Without the anchors, "Sales|Marketing|HR" would also release every group whose name merely contains one of those words, such as 'HR Auditors'.
c:[Type == "memberOf", Value =~ "^AccessLevel[1-9]$"] => issue(claim = c);
The preceding regular expression matches a group name consisting of "AccessLevel" followed by a single digit from 1 to 9, e.g. 'AccessLevel1' or 'AccessLevel7'.
j. Click Finish.
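To check what a given filter pattern will actually release before committing it to the relying party trust, the following Python script (an added example, not part of the Zscaler page or of AD FS itself) simulates the "Restrict Group Membership" rule against a constructed list of group names of the kind the tokenGroups query returns. It mirrors the =~ operator with an unanchored regular-expression search, so the page's patterns and their anchored forms can be compared side by side; the group names and the leaked_groups helper are made up for this example.

```python
import re

# Constructed sample of the memberOf claims one user might receive from the
# tokenGroups query (AD FS adds one memberOf claim per group, holding the
# group's sAMAccountName). These names are invented for the example.
SAMPLE_MEMBER_OF = [
    "Domain Users",
    "Internet General",
    "Internet Restricted",
    "NoInternetAccess",      # contains "Internet" but does not begin with it
    "Sales",
    "Sales Engineers",       # contains "Sales" as a substring
    "HR",
    "HR Auditors",           # contains "HR" as a substring
    "AccessLevel3",
    "AccessLevel12",         # contains "AccessLevel1" as a substring
    "LegacyAccessLevel9",    # contains "AccessLevel9" as a substring
]


def issue_member_of(member_of, pattern):
    """Simulate: c:[Type == "memberOf", Value =~ pattern] => issue(claim = c);

    The AD FS =~ operator is an unanchored regex match, so re.search (not
    re.fullmatch) is the faithful equivalent: the pattern may match anywhere
    in the group name unless it carries ^ and $ anchors.
    Returns the group names that would be released to the relying party.
    """
    regex = re.compile(pattern)
    return [group for group in member_of if regex.search(group)]


def leaked_groups(member_of, loose_pattern, strict_pattern):
    """Groups the loose pattern releases that the strict pattern does not.

    Anything returned here would reach the relying party unintentionally
    if the loose pattern were used in the claim rule.
    """
    loose = set(issue_member_of(member_of, loose_pattern))
    strict = set(issue_member_of(member_of, strict_pattern))
    return sorted(loose - strict)


# The patterns as they might be typed without anchors, paired with the
# anchored form that matches only the intended groups.
PATTERNS = {
    "Internet.+": "^Internet.+",
    "Sales|Marketing|HR": "^(Sales|Marketing|HR)$",
    "AccessLevel[1-9]": "^AccessLevel[1-9]$",
}

if __name__ == "__main__":
    for loose, strict in PATTERNS.items():
        print(f"{loose!r:24} -> {issue_member_of(SAMPLE_MEMBER_OF, loose)}")
        print(f"{strict!r:24} -> {issue_member_of(SAMPLE_MEMBER_OF, strict)}")
        print(f"{'leaked':24} -> {leaked_groups(SAMPLE_MEMBER_OF, loose, strict)}")
        print()
```

Run it against a list copied from a real user's tokenGroups (for example from the AD FS debug trace or an LDAP query) and anything printed under "leaked" is a group the unanchored rule would send to Zscaler even though the intent was to restrict federation to the named groups.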