TechOnTip Weblog

Run book for Technocrats

Archive for February, 2016

Find ADFS Database Server details

Posted by Brajesh Panda on February 4, 2016

Get-WmiObject -namespace root/adfs -class securitytokenservice

Output from a farm where SQL Server is used as the backend.

__GENUS : 2

__CLASS : SecurityTokenService

__SUPERCLASS :

__DYNASTY : SecurityTokenService

__RELPATH : SecurityTokenService=@

__PROPERTY_COUNT : 2

__DERIVATION : {}

__SERVER : ADFS01

__NAMESPACE : root\adfs

__PATH : \\ADFS01\root\adfs:SecurityTokenService=@

ConfigurationDatabaseConnectionString : Data Source=SQL01.techontip.local;Initial Catalog=AdfsConfiguration;Integrated Security=True

ConfigurationServiceAddress : net.tcp://localhost:1500/policy

PSComputerName : ADFS01

Output from a farm where the Windows Internal Database (WID) is used.

__GENUS : 2

__CLASS : SecurityTokenService

__SUPERCLASS :

__DYNASTY : SecurityTokenService

__RELPATH : SecurityTokenService=@

__PROPERTY_COUNT : 2

__DERIVATION : {}

__SERVER : ADFS02

__NAMESPACE : root\adfs

__PATH : \\ADFS02\root\adfs:SecurityTokenService=@

ConfigurationDatabaseConnectionString : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True

ConfigurationServiceAddress : net.tcp://localhost:1500/policy

PSComputerName : ADFS01
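The following is an added example (not part of the original post) that wraps the WMI query above and classifies the configuration database backend from the connection string. The two sample strings are constructed from the post's outputs (SQL01.techontip.local and the WID named pipe); the remote query assumes WMI/DCOM access and local administrator rights on the target federation server.

```powershell
# Added example, not from the original post. Parses the ConfigurationDatabaseConnectionString
# returned by the root/adfs SecurityTokenService class and reports WID vs SQL.

function ConvertFrom-AdfsConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)

    # Split "Key=Value;Key=Value" into a hashtable (PowerShell hashtable keys are case-insensitive).
    $parts = @{}
    foreach ($pair in ($ConnectionString -split ';')) {
        if ($pair -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $parts[$Matches[1]] = $Matches[2]
        }
    }

    $dataSource = $parts['Data Source']
    # WID is reachable only through this local named pipe; anything else is a SQL Server instance.
    $isWid   = $dataSource -like 'np:\\.\pipe\microsoft##wid\*'
    $backend = if ($isWid) { 'WID' } else { 'SQL' }

    [pscustomobject]@{
        BackendType        = $backend
        DataSource         = $dataSource
        Database           = $parts['Initial Catalog']
        IntegratedSecurity = $parts['Integrated Security']
    }
}

function Get-AdfsConfigDatabase {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Same namespace and class as the post's one-liner, optionally against a remote server.
    $sts  = Get-WmiObject -Namespace root/adfs -Class SecurityTokenService -ComputerName $ComputerName
    $info = ConvertFrom-AdfsConnectionString -ConnectionString $sts.ConfigurationDatabaseConnectionString
    $info | Select-Object @{ n = 'AdfsServer'; e = { $ComputerName } }, *
}

# Offline check against constructed samples taken from the two outputs above.
$samples = @(
    'Data Source=SQL01.techontip.local;Initial Catalog=AdfsConfiguration;Integrated Security=True',
    'Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True'
)
$samples | ForEach-Object { ConvertFrom-AdfsConnectionString -ConnectionString $_ } | Format-Table -AutoSize

# Live query against a federation server (ADFS01 is the server name from the post's output).
Get-AdfsConfigDatabase -ComputerName 'ADFS01'
```

Knowing the backend matters beyond troubleshooting: the configuration database holds the farm's trust configuration and certificate references. With WID only the primary federation server holds a writable copy, while with SQL Server the database host becomes part of the AD FS trust boundary and needs the same backup and access restrictions as the federation servers themselves. On newer servers Get-CimInstance with the same namespace and class returns the same properties.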


Custom ADFS Claim Rules – Country/Office/CountryCode/SpecificGroup/FixedValue/ObjectGuid/eduPerson

Posted by Brajesh Panda on February 4, 2016

Earlier I posted an article about the claims rule language; here it is: https://techontip.wordpress.com/2014/03/10/the-claims-rule-language-in-active-directory-federation-services/

In this article I am going to show you a few regularly used custom claims for which you need to write custom claim rules.

Before you create custom claim rules, make sure the claim descriptions for the claim types you are going to issue have been created.

Custom Claim

country, office, countrycode_iso

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/country", "http://custom.techontipadfs.com/adattribute/office", "http://custom.techontipadfs.com/adattribute/countrycode_iso"), query = ";co,physicalDeliveryOfficeName,c;{0}", param = c.Value);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
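As an added example (not code from the original post), the following PowerShell creates the three claim descriptions the rule above needs, then appends that rule to a relying party trust. The relying party name 'Techontip Test App' is a placeholder; the claim type URIs and the rule text are the ones from the post. Run it on a federation server as an AD FS administrator (on AD FS 2.0, load the snap-in first with Add-PSSnapin Microsoft.Adfs.PowerShell).

```powershell
# Added example, not from the original post. Creates claim descriptions (the post's
# prerequisite) and appends the country/office/countrycode_iso rule to a relying party.

$claimTypes = @{
    'Country'        = 'http://custom.techontipadfs.com/adattribute/country'
    'Office'         = 'http://custom.techontipadfs.com/adattribute/office'
    'CountryCodeISO' = 'http://custom.techontipadfs.com/adattribute/countrycode_iso'
}

# Step 1: create each claim description only if it does not exist yet.
$existing = Get-AdfsClaimDescription | ForEach-Object { $_.ClaimType }
foreach ($name in $claimTypes.Keys) {
    $type = $claimTypes[$name]
    if ($existing -contains $type) {
        Write-Verbose "Claim description for $type already exists" -Verbose
        continue
    }
    Add-AdfsClaimDescription -Name $name -ClaimType $type -IsOffered $true -IsAccepted $true
}

# Step 2: the custom rule from the post, in a single-quoted here-string so nothing is interpolated.
$rule = @'
@RuleName = "AD attributes: country, office, countrycode_iso"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/country", "http://custom.techontipadfs.com/adattribute/office", "http://custom.techontipadfs.com/adattribute/countrycode_iso"), query = ";co,physicalDeliveryOfficeName,c;{0}", param = c.Value);
'@

# Step 3: append to the existing issuance transform rules. -IssuanceTransformRules replaces
# the whole rule set, so passing only the new rule would silently drop every other rule.
$rpName = 'Techontip Test App'   # placeholder relying party trust name
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$newRules = ($rp.IssuanceTransformRules, $rule) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules

# Review the resulting rule set.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Reading the current rules back and concatenating is the important part: a scripted change that overwrites the rule set is a common way to lose authorization or filtering rules on a relying party without any error being raised.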

Filtered Groups – Pass specific groups starting with a value like referral

http://blogs.technet.com/b/askds/archive/2013/05/07/ad-fs-2-0-claims-rule-language-part-2.aspx

https://social.technet.microsoft.com/wiki/contents/articles/8008.ad-fs-2-0-selectively-send-group-membership-s-as-a-claim.aspx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rule 1: GroupAdd

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

Rule 2: GroupFilter

# Just filter one group

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral"]

=> issue(claim = c);

# Filter out multiple groups.

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral|(?i)techontip deals"]

=> issue(claim = c);

Note: Here (?i) makes the match case-insensitive, and | means OR. Since =~ is a regular-expression match, the pattern matches anywhere in the group name unless it is anchored.
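The following is an added example (not from the original post) for checking a group filter pattern offline before deploying it. Both the claims rule =~ operator and PowerShell's -match use .NET regular expressions, so the same pattern can be tried against a list of group values. The group names are constructed, and 'TECHONTIP' stands in for the domain's NetBIOS name, because the tokenGroups query in Rule 1 returns values in DOMAIN\Group form.

```powershell
# Added example, not from the original post. Evaluates a Rule 2 style group filter
# against constructed group claim values.

function Test-GroupClaimFilter {
    param(
        [Parameter(Mandatory)][string[]]$GroupClaimValue,
        [Parameter(Mandatory)][string]$Pattern
    )
    # -match is a .NET regex match, like the claims rule language's =~ operator.
    $GroupClaimValue | Where-Object { $_ -match $Pattern }
}

# Constructed sample values; the domain prefix is a placeholder.
$groups = @(
    'TECHONTIP\Referral Partners',
    'TECHONTIP\REFERRAL-Admins',
    'TECHONTIP\Non-Referral Users',
    'TECHONTIP\Techontip Deals',
    'TECHONTIP\Finance'
)

# The post's Rule 2 pattern: case-insensitive, matches anywhere in the value.
Test-GroupClaimFilter -GroupClaimValue $groups -Pattern '(?i)referral|(?i)techontip deals'

# An anchored variant that only passes groups whose name begins with "Referral".
# The domain prefix has to be part of the anchor because the value is DOMAIN\Group.
Test-GroupClaimFilter -GroupClaimValue $groups -Pattern '(?i)^techontip\\referral'
```

The unanchored pattern also passes 'TECHONTIP\Non-Referral Users', which is the kind of group a relying party is usually not meant to receive; the anchored pattern passes only the two groups whose name starts with "Referral". Because relying parties often make authorization decisions on group claims, it is worth running the filter against a full export of group names before enabling the rule.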

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pass fixed value

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(type = "Test1", value = "Techontip Int User");

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(Type = "orgdir", Value = "techontip");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pass ObjectGUID

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Transform to eduPerson Claims

Shibboleth is preconfigured to assert multiple attributes of the eduPerson object class, which is specially designed for higher education institutions. These are not configured by default in AD FS 2.0. Also, Shibboleth expects inbound SAML attributes names to use a different name format (urn:oasis:names:tc:SAML:2.0:attrname-format:uri) than AD FS 2.0 publishes by default (urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified). For these reasons, we will use the AD FS 2.0 custom rule language to generate Shibboleth-compliant claims.

http://technet.microsoft.com/en-us/library/gg317734%28v=ws.10%29.aspx#BKMK_EditClaimRulesforRelyingPartyTrust

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. First, add a normal LDAP attribute claim rule, for example mapping User-Principal-Name to UPN.

2. Second, transform that claim into an eduPerson claim. The example below converts the UPN claim from step 1 into an eduPerson claim. The type "urn:oid:0.9.2342.19200300.100.1.1" can be whatever the application configuration requires.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]

=> issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

