Create an Incoming Group Claim Mapping

Applies To: Windows Server 2008

In Active Directory Federation Services (AD FS), incoming group claim mappings are used in the resource Federation Service to transform group claims that are sent by an account partner into organization claims that can be used by the resource partner to make authorization decisions.

For example, an account partner might send a security token for a user that contains the group claim SalesReps. Because the resource partner cannot make authorization decisions based on the account user's membership in the SalesReps group, an incoming group claim mapping is used to map the incoming group claim that is named SalesReps in the account Federation Service to the organization group claim that is named Purchasers in the resource Federation Service. The resource itself provides access to the local security group to which the Purchasers claim is mapped.

Perform this procedure on a resource federation server. To perform this procedure, you must have created an organization group claim to which you can map the incoming claim.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To create an incoming group claim mapping

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, double-click Account Partners, right-click your account partner, point to New, and then click Incoming Group Claim Mapping.

  3. In the Create a New Incoming Group Claim Mapping dialog box, in Incoming group claim name, type the name of the group claim that your account partner sends to you.

  4. In Organization group claim, select the organization group claim to which you want to map the incoming group claim, and then click OK.
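
The following Python sketch is an added example, not AD FS code or part of the original procedure. It models what the mapping does when the resource Federation Service processes a token: mappings are held per account partner, and an organization group claim must exist before it can be a mapping target. The class, the partner names, and the Managers and Approvers claims are constructed for illustration; exact-name matching and the handling of unmapped claims are assumptions of the model.

```python
# Added illustration, not AD FS code: models how a resource Federation Service
# applies incoming group claim mappings. All names below are constructed.

class ResourceFederationService:
    def __init__(self, organization_group_claims):
        # Organization group claims that already exist in the trust policy.
        self.organization_group_claims = set(organization_group_claims)
        # account partner -> {incoming group claim name: organization group claim}
        self.mappings = {}

    def add_incoming_group_mapping(self, partner, incoming, organization):
        # Prerequisite from the procedure: the organization group claim
        # must exist before an incoming claim can be mapped to it.
        if organization not in self.organization_group_claims:
            raise ValueError(f"organization group claim {organization!r} does not exist")
        self.mappings.setdefault(partner, {})[incoming] = organization

    def transform(self, partner, incoming_group_claims):
        """Return (organization_claims, unmapped_incoming_claims) for one token."""
        partner_map = self.mappings.get(partner, {})
        organization_claims, unmapped = set(), []
        for claim in incoming_group_claims:
            # Assumption of this model: names match exactly, and an incoming
            # claim without a mapping produces no organization claim.
            if claim in partner_map:
                organization_claims.add(partner_map[claim])
            else:
                unmapped.append(claim)
        return organization_claims, unmapped


def demo():
    fs = ResourceFederationService(["Purchasers"])
    fs.add_incoming_group_mapping("Account Partner A", "SalesReps", "Purchasers")
    # Constructed token contents from two different account partners.
    mapped = fs.transform("Account Partner A", ["SalesReps", "Managers"])
    other = fs.transform("Account Partner B", ["SalesReps"])
    try:
        fs.add_incoming_group_mapping("Account Partner A", "Managers", "Approvers")
        rejected = False
    except ValueError:
        rejected = True
    return mapped, other, rejected


if __name__ == "__main__":
    print(demo())
```

In the model, SalesReps from the partner that has the mapping becomes Purchasers, while the same claim name from a partner without a mapping yields no organization claim.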

Additional references

Create an Organization Group Claim or Custom Claim