Channel: Claims based access platform (CBA), code-named Geneva forum

ADFS - Custom Issuance Authorization Rule based on Group Membership


Hi guys,

We are allowing users in our corporate environment to sign up for a cloud service that automatically provisions an account for them if they are a new user coming from our domain. We like that method, as we are trying not to have to manually set up new users in this cloud service. We are using ADFS 2.0, but we are having too many employees sign up for this cloud service and management does want to control that. Basically, we want to try and keep it simple and let our helpdesk control Active Directory membership of a security group, and then only allow members of that security group to be issued claims for that site. We do not care about trying to add security groups as a claim, etc., and letting the vendor control access based on that claim, etc., unless we have to.

So I am trying to create a custom issuance rule using something similar to the rule below. I am trying to set it up to check AD and see if users are a member of a security group before allowing them to be issued a claim. Can anyone tell me if this will work? I am basing this on the following website - http://blogs.technet.com/b/askds/archive/2012/06/26/an-adfs-claims-rules-adventure.aspx

exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-24-836767959-1620075141-410060929-74931"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");


Dan Heim
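As an added example (not part of the original post or of Microsoft's documentation), the following PowerShell applies a rule of this shape to a relying party trust on an AD FS 2.0 federation server. It looks up the group SID from Active Directory instead of hand-typing it, matches the groupsid claim with an exact comparison (==) rather than a regular-expression match (=~), and replaces the trust's issuance authorization rules with that single permit rule. The relying party name "CloudService" and the group name "ADFS-CloudService-Users" are placeholders; the ActiveDirectory module is assumed to be installed on the machine.

```powershell
# Added example, not from the original post. Assumes the AD FS 2.0 snap-in on the
# federation server, a relying party trust named "CloudService" (placeholder) and an
# AD security group named "ADFS-CloudService-Users" (placeholder).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$rpName    = "CloudService"             # placeholder relying party trust name
$groupName = "ADFS-CloudService-Users"  # placeholder AD security group

# Resolve the group's SID from AD so the rule never carries a mistyped SID.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# Exact comparison (==) on the groupsid claim. A regex match (=~) is not anchored,
# so a SID that merely begins with the same digits would also satisfy it.
# No explicit deny rule is needed: once custom issuance authorization rules are set,
# a user who is not issued a permit claim is refused access to the relying party.
$rules = @"
@RuleName = "Permit members of $groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Replace the trust's issuance authorization rules (this removes the default "Permit all users" rule).
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Read back what was stored so the change can be checked before testing a sign-in.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

The rule only works if a groupsid claim for that group reaches the authorization stage, which the default Active Directory claims provider trust does through its "Pass through all Group SID claims" acceptance rule; if those acceptance rules have been customized, confirm that groupsid is still passed through. Also note that group membership is read from the user's token at sign-in, so a user removed from the group keeps access until their existing AD FS session and any token held by the cloud service expire.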

