I previously asked a similar question about doing this in Azure AD. However, I've come to the conclusion that it is probably too limited to do this and I received no answers.
However, in ADFS there is a lot more flexibility.
I want to convert an Active Directory user's group membership to a single `:`-delimited/enclosed string. So, if the AD user is a member of Group1 and Group2, then a claim will be issued with a string value of `:Group1:Group2:`. Or, preferably, it would use the SID of the group, which is immutable.
I don't think there is any built in way to do this based on my research, but maybe someone is more familiar with the claims rule language that can provide a method? Otherwise, it looks like I might be able to create a custom attribute store which can pretty much utilize any .NET code I want to process claims, as described here.
Before I go down the road of creating my own custom attribute store, is anyone aware of a way to do what I am trying to do either using built-in ADFS functionality, or by utilizing a publicly provided custom attribute store similar to this one here?
I am running ADFS 4.0.
The best would be to go down the custom attribute store.
Claims rules don't really work for an indeterminate number of claims.
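As an added example (not code from the question or the answer above), here is a minimal custom attribute store in C# that builds the `:SID:SID:` value the question asks for; it assumes the `IAttributeStore` interface from Microsoft.IdentityServer.ClaimsPolicy.dll (ADFS), the System.DirectoryServices.AccountManagement API, and a placeholder claim type URI.

```csharp
// Added example: ADFS custom attribute store returning one ":SID1:SID2:" claim value.
// Assumes IAttributeStore from Microsoft.IdentityServer.ClaimsPolicy.dll (ADFS) and
// System.DirectoryServices.AccountManagement; the claim type URI is a placeholder.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore;
// Claim rule that calls this store (after Add-AdfsAttributeStore -Name GroupSidString ...):
//   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
//    => issue(store = "GroupSidString", types = ("http://example.com/claims/groupsids"),
//             query = "groups", param = c.Value);
public class GroupSidStringStore : IAttributeStore
{
    private string _domain; // optional "domain" key from the store configuration
    public void Initialize(Dictionary<string, string> config)
    {
        if (config != null) config.TryGetValue("domain", out _domain); // null => current domain
    }

    // ADFS passes the rule's param values in `parameters`; the user name is parameters[0].
    public IAsyncResult BeginExecuteQuery(string query, string[] parameters,
                                          AsyncCallback callback, object state)
    {
        var tcs = new TaskCompletionSource<string[][]>(state);
        try   { tcs.SetResult(new[] { new[] { BuildGroupString(parameters[0]) } }); }
        catch (Exception ex) { tcs.SetException(ex); }
        if (callback != null) tcs.Task.ContinueWith(t => callback(t));
        return tcs.Task; // Task implements IAsyncResult
    }

    public string[][] EndExecuteQuery(IAsyncResult result) => ((Task<string[][]>)result).Result;

    // One row, one column: the user's nested group SIDs joined as ":S-1-5-...:S-1-5-...:".
    private string BuildGroupString(string windowsAccountName)
    {
        // windowsaccountname arrives as "DOMAIN\user"; keep only the SAM account name
        var sam = windowsAccountName.Contains("\\") ? windowsAccountName.Split('\\')[1] : windowsAccountName;
        using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            if (user == null) return ":"; // unknown user: empty but well-formed value
            var sids = user.GetAuthorizationGroups().Select(g => g.Sid.Value)
                           .OrderBy(s => s, StringComparer.Ordinal); // stable ordering
            return ":" + string.Join(":", sids) + ":";
        }
    }
}
```

After copying the compiled assembly to the ADFS server, register it with `Add-AdfsAttributeStore -Name GroupSidString -TypeQualifiedName "GroupSidStringStore, <your assembly name>"` and add the claim rule shown in the comment to the relying party trust.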