Use custom claim description to send group membership from AD FS to ETP
Before you begin
Before you can redirect users to the AD FS login portal to complete authentication, you also need to configure which LDAP attributes AD FS sends to ETP. AD FS sends them as claims.
Claims rules control which Active Directory (AD) attributes are returned to the relying party endpoint after a user has authenticated, for example the user's email address or the user's AD group membership. The minimum that ETP requires is the user's email address, and it must be returned in the Name ID attribute of the SAML assertion.
The IT administrator can create a custom claim description in AD FS, associate it with the LDAP attribute that holds group membership, and add it to the relying party trust for ETP. This allows AD FS to send the user's group membership to ETP in addition to the email address.