Mapping groups from the AD via AD FS to the Grid

In general, roles should be maintained in IFS, with matching role mappings in the grid. In some cases, however, it is desirable to reuse groups that are already maintained in Active Directory and grant access to grid functionality based on membership in those groups. AD FS can be configured to include group membership claims in its authentication responses. Each group that needs mapping requires its own claim rule; claims must be configured one by one.

To map an AD group membership into a grid role membership:

  1. In the AD FS 2.0+ Management console, expand Trust Relationships > Relying Party Trusts and find the one corresponding to your grid installation. Right-click and select Edit claim rules.
  2. Click Add rule… to open the claim rule wizard. In the drop-down list, select Send Group Membership as a Claim, then click Next.
  3. Give your claim rule a name, for example "Emit <AD group> as claim".
  4. In the User’s group field, click Browse… and find the group you want to emit.
  5. As outgoing claim type, choose "Security Role".
  6. As outgoing claim value, type the group name or a simplified variation of it. This is the value you will later enter in the grid role mapping UI, so note it down exactly as typed.
  7. Click Finish.

The configured group will now be transmitted as a security role claim when a user in that group logs on to the grid. To map this group to a grid role, use the outgoing claim value configured above as a custom global role in the grid role mapping UI.
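The same rule can be created without the wizard. The following is an added example, not part of the original page or of the grid product: it builds the claim rule text that the "Send Group Membership as a Claim" template generates and appends it to the grid's relying party trust using the AD FS PowerShell module. It assumes a group named GRID-Operators, a relying party trust named "Grid", an outgoing claim value of "GridOperators", and that a claim description named "Security Role" exists on the AD FS farm (the one offered by the wizard in step 5); all of these are placeholders to adjust. Run it on the AD FS server as an AD FS administrator.

```powershell
# Added example (not from the original page): create the group-membership
# claim rule from step 1-7 with PowerShell instead of the wizard.
# Assumed names, adjust to your environment:
$GroupName    = 'GRID-Operators'   # AD group to emit
$RelyingParty = 'Grid'             # display name of the grid's relying party trust
$ClaimValue   = 'GridOperators'    # outgoing claim value; must match the custom global role in the grid role mapping UI
$RuleName     = "Emit $GroupName as claim"

Import-Module ADFS
Import-Module ActiveDirectory   # used only to resolve the group SID

# Resolve the claim type URI behind the "Security Role" claim description by
# name, rather than hard-coding a URI that may be deployment-specific.
$claimType = (Get-AdfsClaimDescription | Where-Object { $_.Name -eq 'Security Role' }).ClaimType
if (-not $claimType) { throw "No claim description named 'Security Role' found on this AD FS farm." }

# Match on the group SID, not the group name: SIDs survive group renames, and
# this is what the wizard-generated rule does as well.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# Claim rule language equivalent of the wizard's "Send Group Membership as a Claim" rule.
$newRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "$RuleName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$claimType", Value = "$ClaimValue", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

$rp = Get-AdfsRelyingPartyTrust -Name $RelyingParty
if (-not $rp) { throw "Relying party trust '$RelyingParty' not found." }

# Append rather than replace: IssuanceTransformRules holds the complete rule
# set for the trust, so overwriting it would drop every existing claim rule.
if ($rp.IssuanceTransformRules -match [regex]::Escape("@RuleName = `"$RuleName`"")) {
    Write-Warning "A rule named '$RuleName' already exists; not adding a duplicate."
} else {
    $combined = ($rp.IssuanceTransformRules, $newRule) -join "`r`n"
    Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceTransformRules $combined
}

# Verify: list the names of the rules now attached to the trust.
(Get-AdfsRelyingPartyTrust -Name $RelyingParty).IssuanceTransformRules -split "`r?`n" |
    Where-Object { $_ -like '@RuleName*' }
```

Because the rule's condition is tied to the group SID, renaming the AD group does not change which users receive the claim; only the outgoing claim value (GridOperators in this example) needs to be kept in sync with the custom global role entered in the grid role mapping UI. One such rule is needed per group, which matches the one-claim-per-group configuration described above.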