OT - ADFS Claim Rules

Last Post 25 September 2015
AlLilianstrom posted this 25 September 2015

We have two IdPs in use. Both are using forms-based authentication:

ADFS for SharePoint and Office 365.

Ping Federate for everything else (Shibboleth, Mellon, OpenID, etc.), including external federation.

The goal is to have Ping and ADFS accept each other's claims for access to the RPs configured on the respective IdPs.

I'm currently working on Ping to ADFS

I have an RP on ADFS using the following claim rule. This is the typical claim rule we use for RPs on ADFS:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";sAMAccountName,mail,tokenGroups,givenName,sn;{0}", param = c.Value);

If I authenticate against ADFS I see the correct information in the claims being delivered to the RP.

I added Ping as a claims provider to ADFS. Ping is configured to provide the following attributes:

givenname as http://schemas.microsoft.com/LiveID/Federation/2008/05/SAMLFIRST
uid/samaccountname as http://schemas.microsoft.com/LiveID/Federation/2008/05/SAMLUSER
sn as http://schemas.microsoft.com/LiveID/Federation/2008/05/SAMLLAST
email as http://schemas.microsoft.com/LiveID/Federation/2008/05/SAMLEMAIL
memberof as http://schemas.microsoft.com/LiveID/Federation/2008/05/memberOf

I can select Ping as the IdP for my test RP, authenticate, and get to the RP. Viewing the claims being sent around I see the correct claim getting from Ping to ADFS but not being delivered to the RP - which makes sense as ADFS doesn't do a query against Active Directory to get any attributes to deliver.

I've tried the following to get my claims from Ping to the ADFS RP.

I put the following in the Ping claims provider rule defined in ADFS:

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/SAMLUSER"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

and added the following to the ADFS RP claim rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(claim = c);

No change in what gets to the RP.

So I tried the following.

Changed the claims provider rule for the Ping IdP to:

c:[]
=> issue(claim = c);

and changed the RP rule to:

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/SAMLUSER"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

No change in what is getting to the RP.

I have debug enabled in ADFS. No clues in the AD FS Trace log.

Any hints/clues/suggestions? I thought I understood claim rules but I'm doing something wrong.

thanks, al


--
Al Lilianstrom
Group Leader - Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom@xxxxxxxxxxxxxxxx

dddugan posted this 25 September 2015

At first blush it looks like this should work for you. Whenever working with claim rules, though, I like to test with an app that just dumps all the claims to the screen. I use a simple ASP.NET app. Can you pass everything from both the claims provider and the relying party temporarily and see what you're getting, if anything?


For what it's worth, the approach I've taken to allow RPs to work with different CPs is below. In my case I just use the identity from the other claims provider and look up the other attributes in AD as usual.

1. For the non-AD CP, add a transform rule to issue a windowsaccountname claim that matches what AD would have provided. In this case I'm using the Azure AD STS and pulling from the UPN.

@RuleName = "Issue AD windowsaccountname based on AAD UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", OriginalIssuer == "https://sts.windows.net//"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = regexreplace(c.Value, "(?<user>[^@]+)@domain.tld", "DOMAIN\${user}"));

2. Then modify the existing RP transform rule that queries AD so it works with a windowsaccountname claim from either AD or the other claims provider (via the locally issued windowsaccountname claim). The only difference here is Issuer =~ "(LOCAL|AD) AUTHORITY" instead of Issuer == "AD AUTHORITY".

@RuleTemplate = "LdapClaims"
@RuleName = "Pass through AD attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "(LOCAL|AD) AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,tokenGroups(longDomainQualifiedName),userPrincipalName;{0}", param = c.Value);

Cheers.
Darin
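The two-step approach in Darin's post, written out as an AD FS PowerShell script. This is an added example, not code from the thread: it applies an acceptance transform rule to the non-AD claims provider trust and an issuance transform rule to the relying party trust, and checks the UPN-to-account mapping locally before touching the farm. The trust names, the Azure AD issuer URI, the UPN suffix and the NetBIOS domain are assumptions; replace them with your own.

```powershell
# Added example (not code from the thread): apply the two claim rules from the
# post with the AD FS PowerShell module and sanity-check the UPN mapping.
# Everything below marked "assumed" is a placeholder for your environment.
Import-Module ADFS

$cpName      = 'Azure AD'                              # assumed CP trust display name
$rpName      = 'Claims Dump App'                       # assumed RP trust display name
$aadIssuer   = 'https://sts.windows.net/<tenant-id>/'  # assumed; fill in your tenant ID
$upnRegex    = '^(?<user>[^@]+)@domain\.tld$'          # assumed UPN suffix
$replacement = 'DOMAIN\${user}'                        # assumed NetBIOS domain

# AD FS claim rules use .NET regular expressions, so the mapping can be tried
# offline with the same engine. A UPN that does not match the pattern is
# returned unchanged and will later fail the AD lookup rather than map to
# somebody else's account.
function Convert-UpnToWindowsAccountName {
    param([Parameter(Mandatory)][string]$Upn)
    return [regex]::Replace($Upn, $upnRegex, $replacement)
}
Convert-UpnToWindowsAccountName 'alice@domain.tld'          # mapped to DOMAIN\alice
Convert-UpnToWindowsAccountName 'mallory@attacker.example'  # left unchanged

# Step 1: acceptance transform rule on the non-AD claims provider trust.
# Relative to the rule in the post the regex is anchored and the dot is
# escaped, so only UPNs in exactly this suffix are rewritten. OriginalIssuer is
# pinned to the one STS that is allowed to mint DOMAIN\user identities.
$cpRules = @'
@RuleName = "Issue AD windowsaccountname based on AAD UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", OriginalIssuer == "{0}"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = regexreplace(c.Value, "{1}", "{2}"));
'@ -f $aadIssuer, $upnRegex, $replacement

# Step 2: issuance transform rule on the RP. Issuer =~ "(LOCAL|AD) AUTHORITY"
# accepts the windowsaccountname claim whether AD produced it or an acceptance
# rule on a claims provider trust did, then looks up the attributes in AD.
# ({0} here is the AD FS query placeholder, so no -f formatting on this one.)
$rpRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Pass through AD attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(LOCAL|AD) AUTHORITY$"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,tokenGroups(longDomainQualifiedName),userPrincipalName;{0}", param = c.Value);
'@

# Apply the rules, then read them back to confirm what the farm now holds.
Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $cpRules
Set-AdfsRelyingPartyTrust   -TargetName $rpName -IssuanceTransformRules  $rpRules

(Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust   -Name $rpName).IssuanceTransformRules
```

The check a practitioner should make before copying step 2: once the RP rule accepts windowsaccountname from "LOCAL AUTHORITY", any claims provider trust whose acceptance rules emit that claim type can choose which AD account its users become. The step-1 rule is therefore the trust boundary, which is why it is pinned to a single OriginalIssuer and to your own UPN suffix; leave either of those open and a federated partner can map its users onto arbitrary DOMAIN\ accounts.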


AlLilianstrom posted this 25 September 2015

Hi Darin,

Thanks for the reply. I do have an app that is dumping out all the variables for my testing. Invaluable. I'm also using the SAML tracer plugin for Firefox, which allows me to see what is posted by Ping to ADFS and what gets to the RP.

I'll try your suggestion to see if I can get it working. I'm not sure it's a solution that will work for us.

al

--
Al Lilianstrom
Group Leader - Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom@xxxxxxxxxxxxxxxx
