Information on ADFS / Sharepoint authentication rule details

I have found many walkthroughs on ADFS / SharePoint 2013, and can get the basics to work.
I'm looking for more information on designing rules and correspondences between AD groups and Sharepoint groups, roles and permissions groups.
In particular I'm interested in assigning rights in SharePoint to users based on their AD group membership. I think this involves creating identical groups in SharePoint to those in AD but I don't quite see how to implement the federation on both sides (ADFS and SP 2013)
Carol Chisholm asked:


btan, Exec Consultant, commented:
I will say the setup should have the user profiles for ADFS already synced with SharePoint, as when using a central AD grouping and a strategy of segregating users to map to SharePoint groups (e.g. via the sync connection import from AD), such as mapping the AD user "email" attribute to the ADFS identity claim:
...the next thing you need to do is update the property mappings so SharePoint knows what field you are importing, contains the value that users will use as the identity claim.  To do that go back to the UPA management page and click on the Manage User Properties link.  Scroll down and find the Claim User Identifier property and Edit it.  If there is an existing Property Mapping for Synchronization value, delete it.  Add a new one that maps the property you are importing from AD as the identity claim value.  In my case, I’m using email address as the identity claim, and in AD the user’s email address is stored in the AD attribute called “mail”....

The Claim Provider Identifier and Claim Provider Type are supposed to be set automatically when you configure the profile import connection....a profile import.  Note that instead of using domain\user for the account name, it is showing a SAML claims format with email address for the account name
https://samlman.wordpress.com/2015/03/01/mapping-user-profiles-for-saml-users-with-an-ad-import-in-sharepoint-2013/

You can see this run through as well in the section where it runs "Configure Identifier", which actually uses the rule type "Send LDAP Attributes as Claims":
You can also assign users with certain claims values with special permissions in SharePoint. I’ll go ahead and add ADFS users with an “Account ID” (upn) claim value of: administrator@pbdev.local to the Site Collection Administrators group. Recall that we had mapped the inbound claim “upn” earlier in the PowerShell script and configured it as our Identifier claim.
https://blogs.perficient.com/microsoft/2011/01/updated-how-to-add-adfs-2-0-as-a-federated-identity-provider-in-sharepoint-2010/

Just a few cents' worth.
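To make the two halves of the federation concrete, here is an added example (not code from the answer or from the linked posts) showing the ADFS side and the SharePoint 2013 side of mapping AD group membership to a SharePoint group. The ADFS rule is a "Send LDAP Attributes as Claims" rule written out in claim rule language: it queries userPrincipalName (the identifier claim) and tokenGroups (the user's AD group names) and issues them as the upn and role claims. On the SharePoint side the trusted identity token issuer is told to accept exactly those two claim types, and a role claim value equal to the AD group name is then granted membership of a SharePoint group. The hostnames, realm, certificate path, and the group names "SP-Portal-Readers" and "Portal Visitors" are assumptions; replace them with your own.

```powershell
# ---------- ADFS server: relying party trust and issuance rules ----------
# Assumed values (placeholders): SharePoint URL, realm and ADFS host.
$spUrl   = "https://portal.contoso.local/_trust/"
$realm   = "urn:sharepoint:portal"

# "Send LDAP Attributes as Claims" expressed in claim rule language.
# tokenGroups returns the *unqualified* AD group names; SharePoint will later
# match these as plain strings, so the group name must match exactly.
$transformRules = @'
@RuleName = "UPN and AD groups from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";userPrincipalName,tokenGroups;{0}", param = c.Value);
'@

# Without an authorization rule ADFS issues no token at all.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name "SharePoint 2013 Portal" `
    -Identifier $realm `
    -WSFedEndpoint $spUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# ---------- SharePoint 2013 server: trusted identity provider ----------
# Token-signing certificate exported from ADFS (placeholder path).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# Only claim types listed here are accepted from the token; anything else is dropped.
$upnMap  = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# The upn claim is the identifier claim, matching the UPA "Claim User Identifier" mapping.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS 2013 trust" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $upnMap, $roleMap `
    -SignInUrl "https://adfs.contoso.local/adfs/ls/" `
    -IdentifierClaim $upnMap.InputClaimType

# ---------- SharePoint 2013: grant an AD group (as a role claim) a SharePoint group ----------
# Assumed AD group "SP-Portal-Readers" is mapped into the assumed SharePoint group "Portal Visitors".
$web = Get-SPWeb "https://portal.contoso.local"
$groupClaim = New-SPClaimsPrincipal -ClaimValue "SP-Portal-Readers" `
    -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -TrustedIdentityTokenIssuer $issuer

# The encoded form looks like c:0-.t|ADFS|SP-Portal-Readers and is what SharePoint stores.
$spUser = New-SPUser -UserAlias $groupClaim.ToEncodedString() -Web $web
Set-SPUser -Identity $spUser -Web $web -Group "Portal Visitors"
$web.Dispose()
```

Two points worth checking after running this: the role claim value SharePoint compares is a case-sensitive string, so renaming the AD group silently breaks the mapping until the SharePoint entry is updated; and because group membership is evaluated at token issuance, a user removed from the AD group keeps access until their current SAML token expires, so keep the token lifetime on the relying party short enough for your revocation needs.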
