Configuring ADFS to automatically add users to groups


Contrast can automatically add users to groups when logging in via SSO. This article outlines the steps required to configure ADFS to pass group information to Contrast.


In order for this to work, you must:

  1. Configure SSO login
  2. Enable the Add users to their Contrast groups upon SSO login option, as detailed here
  3. Create groups in Contrast whose names are identical to the group names your SSO IDP will send; with the rules below, that is the sAMAccountName of each AD group (matching is by exact name)
  4. Configure your IDP to pass group information when users login to Contrast via SSO


  1. On your ADFS server, open the AD FS Management tool:
  2. In the left pane, select Relying Party Trusts
  3. Select the entry created to allow SSO to your Contrast instance
  4. Press Edit Claim Issuance Policy... in the right pane

    Screenshot of the AD FS Management console, highlighting steps necessary to edit the claim issuance policy


We'll now need to create 3 custom rules in the following order. The order matters: AD FS evaluates issuance rules top to bottom, rule 2 consumes the claim added by rule 1, and rule 3 consumes the claims added by rule 2.

The claim-type URIs shown in the rules are assumptions made by this article rather than values fixed by Contrast: the incoming claim is the standard AD FS Windows account name claim issued by AD AUTHORITY, while the two intermediate claim types (the .../claims/distinguishedName and .../claims/Group URIs) are private names used only to pass values from one rule to the next. You may substitute your own URIs for the intermediate types, as long as every rule uses the same ones.

  1. Rule Name: Store DN
    Custom Rule:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/distinguishedName"), query = ";distinguishedName;{0}", param = c.Value);
    Description: Looks up the user's distinguishedName in Active Directory (the DOMAIN\user value of the Windows account name claim fills {0}) and stores it as an intermediate claim for use in subsequent rules. add() keeps the claim in the pipeline only; it is not written to the SAML assertion.

  2. Rule Name: Get Groups
    Custom Rule:
    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     && c2:[Type == "http://schemas.xmlsoap.org/claims/distinguishedName"]
     => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = "(member:1.2.840.113556.1.4.1941:={1});samaccountname;{0}", param = c1.Value, param = c2.Value);
    Description: Retrieves the groups the user is a member of, storing one intermediate claim per group with the group's sAMAccountName as its value. The LDAP filter uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) on the member attribute, so membership is resolved transitively: groups the user belongs to only through nested groups are returned as well.

  3. Rule Name: Contrast Groups
    Custom Rule:
    c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
     => issue(Type = "contrast_groups", Value = c.Value);
    Description: Issues one contrast_groups claim per group into the SAML assertion, which AD FS serialises as a contrast_groups attribute with one value per group. As written, this sends every group the user belongs to, directly or through nesting, to Contrast.

For each of these, please follow the steps:

  1. Press Add Rule...
  2. Select Send Claims Using a Custom Rule
  3. Enter the rule name and Custom rule
  4. Press Finish

Once finished, the Claim Issuance Policy should look as follows:

Screenshot of the AD FS Edit Claim Issuance Policy for Contrast panel after adding the custom rules

(Rule 4 in this screenshot is a rule to map the user's email address and optionally first/surname attributes, as described here; it may appear above or below the 3 rules required to add users to groups)
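Before enabling the Contrast option that maps users to groups, it is worth confirming what AD FS actually sends: log in once with a test account, capture the SAML response (for example with a browser SAML tracer extension), and compare the contrast_groups values with the names of your Contrast groups. The script below is an added example for this article, not code from Contrast or AD FS. The assertion embedded in it is a constructed, trimmed attribute statement of the kind the three rules produce, and CONTRAST_GROUPS is an assumed list of the groups that exist in Contrast; replace both with your own data. Because the article requires identical names, values that differ from a Contrast group only in case or surrounding whitespace are reported as near misses rather than matches. The script does not verify the assertion signature; it is a mapping check on an assertion captured from your own IDP, not a validator.

```python
"""Check which contrast_groups values in a SAML assertion map to Contrast groups.

Added example for this article (not Contrast or AD FS code). SAMPLE_ASSERTION
is a constructed, trimmed attribute statement of the kind AD FS produces once
the three custom rules are in place; replace it with an assertion captured
from your own IdP. The script does not verify the assertion signature: it is
a mapping check, not a validator.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample. Rule 3 issues Type = "contrast_groups", which AD FS
# serialises as one <saml:Attribute Name="contrast_groups"> carrying one
# <saml:AttributeValue> per group.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-sample" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="contrast_groups">
      <saml:AttributeValue>Contrast-Admins</saml:AttributeValue>
      <saml:AttributeValue>Contrast-Developers</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed list of groups that exist in Contrast (note the lower-case second entry).
CONTRAST_GROUPS = ["Contrast-Admins", "contrast-developers", "Security"]


def extract_groups(assertion_xml, attribute_name="contrast_groups"):
    """Return the AttributeValue texts of the named attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            values.append(value.text or "")
    return values


def check_assertion_groups(assertion_xml, contrast_groups):
    """Classify each group sent by the IdP against the Contrast group names.

    matched:     identical name, so Contrast will add the user to the group
    near_misses: same name once case and surrounding whitespace are ignored;
                 the article requires identical names, so treat these as
                 configuration errors to fix on one side or the other
    unmatched:   no Contrast group of that name; the value is ignored
    """
    exact = set(contrast_groups)
    folded = {g.strip().casefold(): g for g in contrast_groups}
    report = {"matched": [], "near_misses": [], "unmatched": []}
    for sent in extract_groups(assertion_xml):
        key = sent.strip().casefold()
        if sent in exact:
            report["matched"].append(sent)
        elif key in folded:
            report["near_misses"].append((sent, folded[key]))
        else:
            report["unmatched"].append(sent)
    return report


if __name__ == "__main__":
    for kind, names in check_assertion_groups(SAMPLE_ASSERTION, CONTRAST_GROUPS).items():
        print(f"{kind}: {names}")
```

Run it with a captured assertion pasted in place of SAMPLE_ASSERTION; an empty result for all three categories means the contrast_groups attribute is missing entirely, which usually points at rule 3 not being present or the three rules being in the wrong order.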

Exposing only some groups

Rule 3 as defined above emits a contrast_groups value for every group the user is a member of, including groups reached through nesting. That discloses the user's full group membership to Contrast, inflates the assertion, and means that any AD group whose sAMAccountName happens to coincide with a Contrast group name will map the user into that Contrast group. If you would rather restrict the groups that are emitted, replace rule 3 with a rule whose condition also tests the value. The =~ operator is a regular-expression search, so the pattern must be anchored; for example, the following custom rule emits only groups with a name beginning with "Contrast" (case-insensitively, because of the (?i) flag):

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)^Contrast"]
 => issue(Type = "contrast_groups", Value = c.Value);

Without the ^ anchor, the pattern "(?i)Contrast" would also match a group such as "NoContrast-Access". Use the same intermediate claim type here as in rule 2.
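To see why the anchor matters, and what the member-chain query in rule 2 actually returns, the following added example (not AD FS code) models rules 2 and 3 against a small constructed directory. ALICE, DIRECTORY, the group names and the two helper functions are all assumptions made for the illustration; the regex patterns are the ones discussed above.

```python
"""Model of what rules 2 and 3 emit for one user.

Added example for this article, not AD FS code, built on a constructed
directory. It shows two things the rule text does not make obvious: the
member:1.2.840.113556.1.4.1941 filter (LDAP_MATCHING_RULE_IN_CHAIN) returns
nested group membership, and the claim-rule =~ operator is a regular-
expression search, so a pattern without ^ matches anywhere in the name.
"""
import re

# Constructed directory: DN -> (sAMAccountName, member DNs). Alice is a
# direct member of four groups and reaches Contrast-Admins only through
# Contrast-Leads.
ALICE = "CN=Alice,OU=Users,DC=example,DC=com"
BOB = "CN=Bob,OU=Users,DC=example,DC=com"
DIRECTORY = {
    "CN=Contrast-Admins,OU=Groups,DC=example,DC=com":
        ("Contrast-Admins", ["CN=Contrast-Leads,OU=Groups,DC=example,DC=com"]),
    "CN=Contrast-Leads,OU=Groups,DC=example,DC=com":
        ("Contrast-Leads", [ALICE]),
    "CN=Contrast-Users,OU=Groups,DC=example,DC=com":
        ("Contrast-Users", [ALICE, BOB]),
    "CN=NoContrast-Access,OU=Groups,DC=example,DC=com":
        ("NoContrast-Access", [ALICE]),
    "CN=Domain Users,CN=Users,DC=example,DC=com":
        ("Domain Users", [ALICE, BOB]),
}


def groups_in_chain(user_dn, directory):
    """Rule 2: every group whose member chain reaches user_dn, as sAMAccountNames.

    This is what (member:1.2.840.113556.1.4.1941:={user_dn});samaccountname
    asks the domain controller for. Walks membership upwards; 'seen' guards
    against group cycles.
    """
    names = []
    seen = set()
    frontier = [user_dn]
    while frontier:
        dn = frontier.pop()
        for group_dn, (sam, members) in directory.items():
            if dn in members and group_dn not in seen:
                seen.add(group_dn)
                names.append(sam)
                frontier.append(group_dn)
    return sorted(names)


def emit_contrast_groups(group_names, value_pattern=None):
    """Rule 3: one contrast_groups claim per group.

    With value_pattern set, behaves like the condition Value =~ "<pattern>":
    a regex *search* over the value, not a full match. The (?i) inline flag
    means the same thing in .NET and Python, so the article's patterns can be
    used as-is.
    """
    if value_pattern is None:
        return list(group_names)
    rx = re.compile(value_pattern)
    return [g for g in group_names if rx.search(g)]


if __name__ == "__main__":
    groups = groups_in_chain(ALICE, DIRECTORY)
    print("all groups:   ", emit_contrast_groups(groups))
    print("(?i)Contrast: ", emit_contrast_groups(groups, "(?i)Contrast"))
    print("(?i)^Contrast:", emit_contrast_groups(groups, "(?i)^Contrast"))
```

For Alice, the unanchored pattern lets NoContrast-Access through, and Contrast-Admins appears even though she is only a member via Contrast-Leads; if you do not want nested membership to grant Contrast group access, change the rule 2 filter to a plain (member={1}) rather than relying on the regex.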
