TechOnTip Weblog

Run book for Technocrats

Archive for the ‘ADFS’ Category

ADFS: NameID Claim with Additional Properties

Posted by Brajesh Panda on May 26, 2016

Lately I was integrating a SaaS application (Axxerion) with our ADFS. The vendor required a few extra properties on the NameID claim: an SPNameQualifier, a NameQualifier, and a NameID Format of transient.

Here is what I came up with. They also needed the UPN for validation, so in the first rule I issue two outgoing claims (UPN and Name ID) from Active Directory. In the second, custom rule I re-issue the Name ID claim with the extra properties attached. A screenshot of the final assertion is at the bottom.

Claim Rules

Rule 1:

[Screenshot in the original: the rule that issues the UPN and Name ID outgoing claims from Active Directory]

Rule 2:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]

=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "https://<Adfs_URL>/adfs/ls/", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://test.axxerion.us/axxerion/");

Note that this rule only stamps the Format and the two qualifiers onto whatever value Rule 1 issued. If that value is the UPN, the application receives a stable, user-identifying NameID that is labelled transient, whereas SAML 2.0 defines a transient identifier as an opaque, temporary value. Confirm that the application really wants the UPN there and does not treat it as anonymous. The NameQualifier value above is whatever the vendor asked for; ADFS's own federation service identifier is http://<Adfs_URL>/adfs/services/trust by default, so use the value the application expects rather than assuming either.

[Screenshot in the original: the resulting SAML assertion captured with SAML Tracer]
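As an added example (not part of the original post), here is how the same two rules can be applied to a relying party trust with the ADFS PowerShell module and read back to confirm they parsed. The display name Axxerion, the host name sts.example.com and the content of Rule 1 (userPrincipalName mapped to both the UPN and Name ID claims) are assumptions; the SP identifier is the one from the post.

```powershell
# Added example: apply the post's NameID rules to a relying party trust and verify.
# Assumed: RP display name 'Axxerion', ADFS host sts.example.com, and that Rule 1
# maps userPrincipalName to both the UPN and the Name ID claim.
Import-Module ADFS

$rpName   = 'Axxerion'
$adfsHost = 'sts.example.com'
$spId     = 'https://test.axxerion.us/axxerion/'

$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$upnType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$propBase   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/'

# Rule 1 (assumed content): issue UPN and Name ID from the Active Directory store.
$rule1 = @"
@RuleName = "UPN and NameID from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upnType", "$nameIdType"), query = ";userPrincipalName,userPrincipalName;{0}", param = c.Value);
"@

# Rule 2 (the post's rule): re-issue the Name ID with the SAML Format and qualifiers.
$rule2 = @"
@RuleName = "NameID format and qualifiers"
c:[Type == "$nameIdType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["${propBase}format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["${propBase}namequalifier"] = "https://$adfsHost/adfs/ls/", Properties["${propBase}spnamequalifier"] = "$spId");
"@

# ADFS rejects the whole rule set on a syntax error, so the set is applied as one string.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($rule1 + "`n" + $rule2)

# Read the rules back and make sure the transient format property actually landed.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
if ($applied -notmatch 'nameid-format:transient') { throw "Rule 2 was not applied to $rpName" }
$applied
```

If the application complains about receiving two Name ID claims, change Rule 1 to add(...) for the Name ID so that only Rule 2's version, with the properties, is issued.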


Posted in ADFS

Find ADFS Database Server details

Posted by Brajesh Panda on February 4, 2016

Get-WmiObject -namespace root/adfs -class securitytokenservice

Run this in an elevated PowerShell session on a federation server.

Output from a farm where SQL Server is the backend. Whichever backend you find, treat that host as part of the ADFS trust boundary: the AdfsConfiguration database holds the farm's configuration, including the token-signing certificate with its private key encrypted under the DKM key stored in Active Directory, so an attacker who can read the database and the DKM key can forge tokens for every relying party.

__GENUS : 2
__CLASS : SecurityTokenService
__SUPERCLASS :
__DYNASTY : SecurityTokenService
__RELPATH : SecurityTokenService=@
__PROPERTY_COUNT : 2
__DERIVATION : {}
__SERVER : ADFS01
__NAMESPACE : root\adfs
__PATH : \\ADFS01\root\adfs:SecurityTokenService=@
ConfigurationDatabaseConnectionString : Data Source=SQL01.techontip.local;Initial Catalog=AdfsConfiguration;Integrated Security=True
ConfigurationServiceAddress : net.tcp://localhost:1500/policy
PSComputerName : ADFS01

Output from a farm where WID database is used

__GENUS : 2
__CLASS : SecurityTokenService
__SUPERCLASS :
__DYNASTY : SecurityTokenService
__RELPATH : SecurityTokenService=@
__PROPERTY_COUNT : 2
__DERIVATION : {}
__SERVER : ADFS02
__NAMESPACE : root\adfs
__PATH : \\ADFS02\root\adfs:SecurityTokenService=@
ConfigurationDatabaseConnectionString : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True
ConfigurationServiceAddress : net.tcp://localhost:1500/policy
PSComputerName : ADFS01

Posted in ADFS, Mix & Match

Custom ADFS Claim Rules – Country/Office/CountryCode/SpecificGroup/FixedValue/ObjectGuid/eduPerson

Posted by Brajesh Panda on February 4, 2016

Earlier I posted an article about the claims rule language. Here it is: https://techontip.wordpress.com/2014/03/10/the-claims-rule-language-in-active-directory-federation-services/

In this article I am going to show a few regularly used custom claims for which you need to write custom claim rules.

Before you create custom claim rules, make sure the corresponding claim descriptions have been created.

Custom Claim

country, office, countrycode_iso

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/country", "http://custom.techontipadfs.com/adattribute/office", "http://custom.techontipadfs.com/adattribute/countrycode_iso"), query = ";co,physicalDeliveryOfficeName,c;{0}", param = c.Value);

The claim types are filled in the order the attributes appear in the query: country from co, office from physicalDeliveryOfficeName and countrycode_iso from c.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Filtered Groups – pass only groups whose name starts with a value such as referral

http://blogs.technet.com/b/askds/archive/2013/05/07/ad-fs-2-0-claims-rule-language-part-2.aspx

https://social.technet.microsoft.com/wiki/contents/articles/8008.ad-fs-2-0-selectively-send-group-membership-s-as-a-claim.aspx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rule 1: GroupAdd

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

Rule 2: GroupFilter

# Pass just one group

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral"]

=> issue(claim = c);

# Pass multiple groups

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral|(?i)techontip deals"]

=> issue(claim = c);

Note: (?i) makes the match case-insensitive and | means OR. Because Rule 1 uses add rather than issue, the full group list stays in the pipeline's input set and is never sent to the application; only what Rule 2 issues reaches the token. Also be aware that =~ is an unanchored regular-expression match: "(?i)referral" matches any group whose name contains "referral" anywhere, not only groups that start with it. If you mean "starts with", anchor the pattern with ^, and check in SAML Tracer what form the group values actually take (for example whether they carry a DOMAIN\ prefix) before anchoring.
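As an added example (not part of the original post), here are the post's filter patterns run against constructed sample Group claim values so the substring problem is visible, alongside an anchored pattern that only passes groups starting with the value. PowerShell's -match uses the same .NET regex engine as the claim rule language's =~, so (?i) and | behave identically; the DOMAIN\ prefix on the sample values is an assumption about how tokenGroups names arrive.

```powershell
# Added example: test group-filter regexes against sample Group claim values.
function Select-GroupClaim {
    param(
        [Parameter(Mandatory)][string[]]$Groups,   # Group claim values as ADFS would see them
        [Parameter(Mandatory)][string]$Pattern     # the regex that goes into Value =~ "..."
    )
    $Groups | Where-Object { $_ -match $Pattern }
}

# Constructed sample values. The DOMAIN\ prefix is an assumption; confirm it in a real assertion.
$sampleGroups = @(
    'TECHONTIP\Referral'
    'TECHONTIP\Referral Managers'
    'TECHONTIP\Non-Referral Audit'     # contains "referral" but does not start with it
    'TECHONTIP\TechOnTip Deals'
    'TECHONTIP\Finance'
)

# The post's pattern is an unanchored substring match, so Non-Referral Audit passes as well.
Select-GroupClaim -Groups $sampleGroups -Pattern '(?i)referral|(?i)techontip deals'

# Anchored: only groups whose name, after an optional DOMAIN\ prefix, starts with one of the values.
Select-GroupClaim -Groups $sampleGroups -Pattern '(?i)^([^\\]+\\)?(referral|techontip deals)'
```

The anchored regex can be pasted as-is into the Value =~ "..." clause of Rule 2.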

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pass fixed value

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(type = "Test1", value = "Techontip Int User");

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(Type = "orgdir", Value = "techontip");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pass ObjectGUID

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);

Note that objectGUID is a binary attribute: the Active Directory attribute store issues it as the Base64 encoding of the 16 raw bytes, not the familiar hyphenated GUID string, so the application must decode it before comparing it with a GUID obtained elsewhere.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Transform to eduPerson Claims

Shibboleth is preconfigured to assert multiple attributes of the eduPerson object class, which is specially designed for higher education institutions. These are not configured by default in AD FS 2.0. Also, Shibboleth expects inbound SAML attributes names to use a different name format (urn:oasis:names:tc:SAML:2.0:attrname-format:uri) than AD FS 2.0 publishes by default (urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified). For these reasons, we will use the AD FS 2.0 custom rule language to generate Shibboleth-compliant claims.

http://technet.microsoft.com/en-us/library/gg317734%28v=ws.10%29.aspx#BKMK_EditClaimRulesforRelyingPartyTrust

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. First add a normal LDAP claim, e.g. the User-Principal-Name attribute issued as UPN.

2. Then transform that claim into the eduPerson claim. The example below converts the UPN into an attribute named urn:oid:0.9.2342.19200300.100.1.1 (the OID of the LDAP uid attribute); use whichever attribute name the application's Shibboleth configuration expects. The attributename property sets the SAML NameFormat to the uri format that Shibboleth wants.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]

=> issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

Posted in ADFS, Mix & Match

LoginToRP – Auto Select Relying Party

Posted by Brajesh Panda on January 11, 2013

For the last couple of weeks I have been integrating a few cloud-based applications with our corporate Active Directory using AD FS 2.0 and SAML Web SSO.

All of these cloud providers support only IdP-initiated SSO with ADFS. Before this integration we only had SharePoint integrated with our AD FS farm, so I had never been exposed to IdP-initiated sign-on in our environment.

With IdP-initiated sign-on the user has to visit https://<ADFS-Public-URL>/adfs/ls/idpinitiatedsignon.aspx, pick the relying party from a list and sign in to reach the application. Even if you go to the service provider's application URL directly, it redirects you to this page. I was not impressed with the default relying-party selection page: it needs some branding work before it can be released to end users, and users would have to be told about the selection step, since it is new to our environment.

While researching how to get rid of this I found the "LoginToRP" parameter. With it we can build a special URL that pre-selects a relying party. If the application redirects to this URL instead of the plain IdP-initiated sign-on URL, the manual selection from the drop-down list is avoided.

Here is how the new URL looks:

https://<ADFS-Public-URL>/adfs/ls/idpinitiatedsignon.aspx?LoginToRP=RelyingPartyIdentifier

Replace RelyingPartyIdentifier with the identifier of that relying party, which you can find on the Identifiers tab of the relying party's properties in your ADFS farm. It can be a URL, a plain word or a URN; if it contains characters such as ':' or '/', URL-encode it in the query string to be safe. Keep in mind that IdP-initiated sign-on delivers an unsolicited assertion to the relying party, so there is no authentication request for the response to be matched against; prefer SP-initiated sign-on where the application supports it, and use LoginToRP only to smooth the IdP-initiated case you cannot avoid.
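As an added example (not part of the original post), a small PowerShell helper that builds the LoginToRP URL with the identifier properly percent-encoded, plus a variant that looks the identifier up from the trust on a federation server instead of retyping it. The host name sts.example.com and the identifiers app.example.com/sp and urn:app:example:crm are constructed values.

```powershell
# Added example: build the forced-RP IdP-initiated sign-on URL.
function New-AdfsLoginToRpUrl {
    param(
        [Parameter(Mandatory)][string]$AdfsHost,      # public ADFS host name (assumed: sts.example.com below)
        [Parameter(Mandatory)][string]$RpIdentifier   # identifier exactly as shown on the trust's Identifiers tab
    )
    # Identifiers are usually URLs or URNs; percent-encode so ':' '/' and '&' survive as a query value.
    "https://$AdfsHost/adfs/ls/idpinitiatedsignon.aspx?LoginToRP=" + [uri]::EscapeDataString($RpIdentifier)
}

function New-AdfsLoginToRpUrlFromTrust {
    # Run on a federation server: read the identifier from the trust rather than retyping it.
    param(
        [Parameter(Mandatory)][string]$AdfsHost,
        [Parameter(Mandatory)][string]$RpName   # relying party trust display name
    )
    $rp = Get-AdfsRelyingPartyTrust -Name $RpName
    if (-not $rp) { throw "No relying party trust named '$RpName'" }
    # A trust can carry several identifiers; the first one is used here.
    New-AdfsLoginToRpUrl -AdfsHost $AdfsHost -RpIdentifier ([string]$rp.Identifier[0])
}

# Constructed inputs: a URL-style identifier and a URN-style one.
New-AdfsLoginToRpUrl -AdfsHost 'sts.example.com' -RpIdentifier 'https://app.example.com/sp'
New-AdfsLoginToRpUrl -AdfsHost 'sts.example.com' -RpIdentifier 'urn:app:example:crm'
```

Hand the generated URL to the application owner as the "login" link; if ADFS cannot match the LoginToRP value to a trust identifier it falls back to the selection page, which is the first thing to check when the link does not behave.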


Another way to do this, using RelayState, is described here: http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx

Posted in ADFS

SAML Claim Viewer

Posted by Brajesh Panda on January 3, 2013

For the last few weeks I have been integrating applications with our ADFS farm; we have integrated more than 20 (Dev/Prod) instances so far. All of them are working well; some are from our SharePoint 2010 farm and some from external cloud providers, and we are looking to bring all our applications onto this platform. The free Active Directory Federation Services 2.0 is a great enabler for this. It has a few limitations and restrictions, but right now it is fine for us. For troubleshooting you may wonder how to see these otherwise invisible claims and confirm that the claim rules are configured correctly. I found two free tools for this. All credit and thanks go to the developers who built them.

1. SharePoint Claim Viewer web part: download it from http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=80 (the download link is at the bottom of that page) and deploy it in your SharePoint farm. It is a nice, handy way to see claim details. Here is a screenshot:


2. Firefox SAML Tracer: while the first tool is specific to SharePoint, this Firefox add-on can trace any SAML-integrated web application. Install SAML Tracer in Firefox; in recent Firefox versions it appears under Menu – Web Developer – SAML Tracer. Open it (a separate window appears) and then start using a SAML-enabled application. It records every request, marks the ones carrying SAML in colour and pretty-prints the decoded assertion, so you can read the NameID, the attributes and their values exactly as the relying party receives them. It only decodes, though; it does not verify the assertion signature.
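As an added example (not part of the original post, and not SAML Tracer's code), here is a PowerShell decoder for the SAMLResponse form field that SAML Tracer captures from the HTTP-POST binding. It reports the NameID with its Format and qualifiers, which doubles as the check for the NameID properties post above, plus the attribute statement. The response embedded below is a constructed, unsigned sample using sts.example.com; with a real capture, pass the Base64 value from the POST body instead.

```powershell
# Added example: decode a SAMLResponse and list what the relying party receives.
function ConvertFrom-SamlResponse {
    param([Parameter(Mandatory)][string]$SamlResponse)   # Base64 SAMLResponse form field (HTTP-POST binding)

    # Parse with no XmlResolver so a hostile capture cannot pull in external DTDs or entities.
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null
    $doc.LoadXml([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponse)))

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')

    $nameId = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
    if (-not $nameId) { throw 'No NameID found in the assertion' }

    $attributes = foreach ($a in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        [pscustomobject]@{
            Name       = $a.GetAttribute('Name')
            NameFormat = $a.GetAttribute('NameFormat')
            Values     = @($a.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
        }
    }

    [pscustomobject]@{
        Issuer          = $doc.SelectSingleNode('//saml:Assertion/saml:Issuer', $ns).InnerText
        # Presence only: this decoder does not validate the signature, and neither does SAML Tracer.
        HasSignature    = $null -ne $doc.SelectSingleNode('//saml:Assertion/ds:Signature', $ns)
        NameId          = $nameId.InnerText
        NameIdFormat    = $nameId.GetAttribute('Format')
        NameQualifier   = $nameId.GetAttribute('NameQualifier')
        SPNameQualifier = $nameId.GetAttribute('SPNameQualifier')
        Attributes      = $attributes
    }
}

# Constructed sample response (unsigned, abbreviated), Base64-encoded the way the browser posts it.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2016-05-26T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-05-26T10:00:00Z">
    <saml:Issuer>http://sts.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://sts.example.com/adfs/ls/" SPNameQualifier="https://test.axxerion.us/axxerion/">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
$sampleResponse = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))

ConvertFrom-SamlResponse -SamlResponse $sampleResponse | Format-List
```

In the sample, NameIdFormat comes back as transient while NameId is still the UPN, which is exactly the mismatch to look for after applying the NameID properties rule.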



Posted in ADFS

ADFS Troubleshooting

Posted by Brajesh Panda on November 16, 2012

This TechNet troubleshooting page is really helpful, with all the Event IDs explained.

Lately I found a solution there for passive federation request failures:

http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-fedpassive-request-failures(WS.10).aspx

Posted in ADFS

How Claim Based Authentication Works?

Posted by Brajesh Panda on October 12, 2012

[Diagram in the original: RP domain and IdP domain]

[Diagram in the original: ADFS WebSSO flow]

Here is a more detailed one:

Source: http://msdn.microsoft.com/en-us/library/ff359108.aspx

 

Posted in ADFS, Claim Based Authentication

 