When to Use Group-to-UPN Mapping

Applies To: Windows Server 2008

Group-to-UPN (user principal name) claim mapping is one of the resource account mapping methods that you can use in the resource Federation Service when claims are incoming from an account partner. In this context, "group" is a security group in the account partner, as carried in the incoming group claims of its federated member accounts; "UPN" is the user principal name of a single user account in the resource partner forest. A group-to-UPN mapping therefore maps the claims of many federated users, all of whom are members of one security group in the account partner, to one UPN that represents one user account in the resource partner.

You can use the Active Directory Federation Services snap-in to create an ordered list of group-to-UPN claim mappings. The order of the group-to-UPN mappings is specified in the trust policy for the Federation Service. A group-to-UPN mapping list might be as follows:

  1. Dev to devuser@adatum.com

  2. Test to testuser@adatum.com

  3. PM to pmuser@adatum.com

For example, if an incoming claim set contains (Common name=John Smith, Group=[Dev]), the organization claim set contains (Common name=John Smith, UPN=devuser@adatum.com). Because the list is ordered, the first mapping in the list whose group appears among the incoming group claims supplies the UPN, so a claim set of (Common name=John Smith, Group=[Dev,PM]) results in (Common name=John Smith, UPN=devuser@adatum.com), not pmuser@adatum.com.

Comparing group-to-UPN mappings to resource groups

When you use group-to-UPN mappings, audits that pertain to any user with a particular group claim contain the same mapped UPN as the user name. This means that the group-to-UPN mapping method cannot produce audits that identify which specific federated user was attempting an auditable action. This auditing limitation makes the group-to-UPN mapping method different from the resource group mapping method.
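The following is an added example, not code from AD FS or from this article, that models the ordered group-to-UPN resolution described above and the auditing consequence described in this section. The claim-set representation (a dictionary with "cn" and "groups" keys), the audit record format, and the choice to emit no UPN when no mapping matches are assumptions made for illustration; the mapping list itself is the one from the article.

```python
"""Ordered group-to-UPN claim mapping, modelled after the AD FS 1.x behaviour
described in the article. Added example; not AD FS code. The claim-set shape
("cn" and "groups" keys), the audit record format and the handling of an
unmapped user are assumptions for illustration.
"""

from typing import Dict, List, Optional, Tuple

# The ordered mapping list from the article (trust-policy order).
# Resolution walks this list top to bottom; the first match wins.
GROUP_TO_UPN: List[Tuple[str, str]] = [
    ("Dev", "devuser@adatum.com"),
    ("Test", "testuser@adatum.com"),
    ("PM", "pmuser@adatum.com"),
]


def map_group_to_upn(incoming: Dict, mappings=GROUP_TO_UPN) -> Dict:
    """Build the organization claim set from an incoming claim set.

    The mapping list is walked in trust-policy order and the first entry whose
    group appears among the incoming group claims supplies the UPN. The order
    in which groups appear in the incoming claim set does not matter. If no
    entry matches, the organization claim set carries no UPN at all (assumed
    behaviour for an unmapped user in this example).
    """
    groups = set(incoming.get("groups", []))
    org = {"cn": incoming["cn"]}
    for group, upn in mappings:
        if group in groups:
            org["upn"] = upn
            break
    return org


def audit_user_name(incoming: Dict) -> Optional[str]:
    """The user name a resource-side audit would record for this claim set.

    With group-to-UPN mapping the resource partner only ever sees the mapped
    UPN, so this is the UPN, never the federated user's own identity.
    """
    return map_group_to_upn(incoming).get("upn")


def audit_entries(claim_sets: List[Dict], action: str) -> List[Tuple[str, str]]:
    """Simulated audit trail: (recorded user name, action) per claim set.

    Two different federated users in the same group produce identical entries,
    which is the auditing limitation the article describes.
    """
    return [(audit_user_name(cs) or "<unmapped>", action) for cs in claim_sets]


if __name__ == "__main__":
    # Constructed sample claim sets (not real accounts).
    john_dev = {"cn": "John Smith", "groups": ["Dev"]}
    john_pm_dev = {"cn": "John Smith", "groups": ["PM", "Dev"]}   # claim order reversed
    jane_dev = {"cn": "Jane Doe", "groups": ["Dev"]}
    bob_sales = {"cn": "Bob Jones", "groups": ["Sales"]}          # no mapping matches

    print(map_group_to_upn(john_dev))      # UPN devuser@adatum.com
    print(map_group_to_upn(john_pm_dev))   # still devuser: mapping order, not claim order
    print(map_group_to_upn(bob_sales))     # no UPN claim at all

    # Both Dev members collapse to the same recorded identity in the audit.
    for who, what in audit_entries([john_dev, jane_dev], "read confidential report"):
        print(f"audit: user={who} action={what}")
```

Running the block shows John Smith and Jane Doe producing byte-for-byte identical audit lines; nothing in the resource partner's records can tell them apart, which is why the article steers you toward resource accounts or resource groups when per-user accountability matters.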

Recommendation

Group-to-UPN mappings act in similar ways to resource groups. However, because group-to-UPN mappings lack the capability to record audits in more detail, we recommend that you consider deploying either the resource account mapping method or the resource group mapping method instead. For more information about how to implement a mapping method that records detailed audits, see When to Use Resource Groups.