We have a ADFS Server running on windows 2016, which should support OAuth2 and openid-connect. We are trying to disclose a webapplication which uses openid-connect but expects groupmembership in a claim "groups". There are guides available how to achieve this on Azure AD, however we would like to configure this with our on-premises ADFS server. so far i've been unsuccesfull.
In azure AD one would have to edit the manifest file and add/edit the value "groupMembershipClaims" when set to the correct value it will send groups along in the claim.
I have tried adding a claims description for "groups" mapped to this claim type; http://schemas.microsoft.com/ws/2008/06/identity/claims/groups and then returning "Token-Groups - Unqualified Names" In that claim, which is not being accepted. I have also tried adding multiple rules of "Send Group Membership as Claim" with as outgoing claim type the default "group" claim. this also was not successfull.
Besides as additional question does anyone know how to de-crypt the response given by the ADFS server, when i capture the response cookie from out ADFS servers its a MSISAuth type cookie, but i have unable to see the content of it. it does not appear to be BASE64 encoding.
Does anyone have an idea how this could be achieved?