HELP: AD FS no longer sending groups to CloudFlare

Last Thursday night ‘something’ happened which resulted in getting an error every time CF tried to contact Windows AD; it just bombed out with a fatal error.
From my point of view, nothing had been changed on the CF side, so my finger was pointed firmly at the AD box.

I ran through the SAML | Active Directory® guide which resulted in the two once again completing a handshake and users being able to log in to defined applications.

However, some of these applications have additional policies requiring that a user must be a member of group X, and all the logins to these are failing with ‘That account does not have access.’
If I add an additional policy of allow if my email, then I can access it fine.

When I perform a test on Zero Trust > Settings > Authentication with my email, it will return an object, but all nodes other than email are empty.

To me it seems like AD is preventing the information flowing in.

Has anyone had something like this before?

Thanks in anticipation.



I added 2 Claim Issuance Policies in AD FS (Windows Server 2019):
[Screenshot 2022-08-30 at 10.40.14]

I ran the test once more, this time using Firefox and the SAML-Tracer plugin, which showed me what I was receiving from AD FS:
[Screenshot 2022-08-30 at 10.42.22]

Noticing the ‘Attribute Name’ was set to a long URL, I decided to try a series of values in the SAML attributes settings:
[Screenshot 2022-08-30 at 10.44.11]

On running the test again I now receive the following:

We can see that an array of the groups I’m after now trickles through into the JSON.

However, I am still unable to apply these rules to an application, i.e.

Although I’m moving forward I’m still a bit lost.

Any suggestions gratefully received.

Kind regards,
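
The comparison done by eye in SAML-Tracer above can be scripted. This is an added example, not code from the thread, Cloudflare or AD FS: it decodes a base64 SAMLResponse, lists each attribute `Name` exactly as the IdP sent it, and reports which names configured on the service-provider side were never received. The sample response, the claim URIs in it and the short names `email` and `groups` are constructed assumptions; the poster's actual values were in the screenshots.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # assumed sample claim type

# Constructed sample response, not captured from the poster's AD FS server.
SAMPLE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Example-Admins</saml:AttributeValue>
        <saml:AttributeValue>Example-Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def attributes_from_response(b64_response):
    """Return {attribute Name: [values]} from a base64 SAMLResponse.

    Inspection only: no signature check is done, and ElementTree is not
    hardened against hostile XML, so feed it only responses you captured
    yourself from your own IdP.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def missing_attributes(received, configured):
    """Configured names the IdP never sent (exact, case-sensitive match)."""
    return [name for name in configured if name not in received]


if __name__ == "__main__":
    received = attributes_from_response(SAMPLE_B64)
    for name, values in received.items():
        print(name, "->", values)
    print("not received:", missing_attributes(received, ["email", "groups"]))
```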


We finally got there:

We just needed to update our Authentication Page with the following values:
