ADFS: Issuance Authorization Rule, group membership changes are not reflecting immediately

  • Last Post 06 July 2015
nidhin_ck posted this 24 June 2015

Hi Experts,
We have an ADFS trust for Box login and we have created an Issuance Authorization Rule: a user will be permitted to receive claims only if the user is present in one security group. But we are facing an issue with this approach, since group modifications are not reflected even though AD is replicating perfectly fine. For example, if we remove a user from Box-allowed-group, the user is still not able to access BOX for the next 1 to 2 hrs. Whenever the user tries to access it within this time range we get Event ID 325.
Is this because of any inbuilt cache mechanism for the Issuance Authorization Rule?
Is there any way to fix this issue?
Event ID 325:- The Federation Service could not authorize token issuance for caller 'DOMAIN\XXXX'. The caller is not authorized to request a token for the relying party 'box.net'. Please see event 501 with the same instance id for caller identity.

Regards,
Nidhin CK

joe posted this 24 June 2015

Where are the group claims coming from in the Authorization Rule claims pipeline? If they come from an original lookup in the claims provider part of the pipeline, these can be cached via the SSO cookie and membership may not change immediately.
If you want to ensure that the rule is evaluated every time against AD, add the lookup of the group membership as an LDAP claim rule to the authorization rules first and then check the value.
Does that instruction make sense?
Joe K.

nidhin_ck posted this 24 June 2015

Our current rule applied under Issuance Authorization Rule is below. 
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-XXXXXXXXXX$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
Do you want to add a new custom LDAP rule under Issuance Authorization Rule? Could you please give an example?
Regards,
Nidhin CK

joe posted this 24 June 2015

Ok, so your rule is checking for the presence of that group claim (S-1-5-21-xxxxx). This is coming from the claim provider part of the pipeline unless you are looking it up with an LDAP lookup rule in the Authorize Rules list previously. So, that claim can either come from a new login or from the SSO cookie that the user already has. The latter behavior might not be something you want.
You can force the authorization to check against AD each time by doing an LDAP lookup in the authz rule first. Note that this will make your login to this RP slower. That's the tradeoff. It might not be a difference you actually notice though.
Is it clear to you what changes to make to do the lookup directly in the authorization rules?
Joe K.

nidhin_ck posted this 24 June 2015

When you say we need to look up AD using an LDAP lookup, how do we do it?
Which option do I need to select from the Rule template?
As I mentioned in my previous email, we already used the first rule template "Permit or Deny users based on incoming claim".

Applied Rule:-    
Regards,
Nidhin CK
joe posted this 24 June 2015

Let me see if I can get someone on my team to give me a sample I can share on this. I'll try to get back to you shortly.
Joe K.

nidhin_ck posted this 30 June 2015

Hi Joe, did you find any code on how to query LDAP every time?
We have worked with MS on this case and what they have told us is that we will have to log off and log in to the system in order to update the group membership. But we have also provided evidence to MS that this is not required, since we have seen it working without re-login to the machine. The MS engineer said that he will check with the product team on how to contact the LDAP server every time when we use an authorization (group membership) rule.
Regards,
Nidhin CK
joe posted this 30 June 2015

Hi Nidhin,
I unfortunately went on vacation before I could get a follow up on this. I sent a note to my team back at the office to see if they could dig up an example on my behalf. We'll see what we can do.
Joe K.

joe posted this 01 July 2015

Ok, I've managed to get my team back at the office to help out with this. I'm adding a reply to the thread to try to help them find it since they just subscribed yesterday. If this doesn't work I'll ask them to email me their solution and I'll repost here when I get a chance.
Thanks for your patience.
Joe K.

john.c.david posted this 01 July 2015

Hello, 
I'm John David and part of Joe Kaplan's team. This is the first forum that I saw that I need to reply via mail to post something. 
Anyways, here's the LDAP rule that you need to run prior to your groupsid check (just select custom in the template)
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]=> add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), query = ";tokenGroups(SID);{0}", param = c.Value);
Just make sure that you have the WindowsAccountName Claim as described above in your SSO token.  Also note that this will only be executed when you refresh the RP Token, so you also need to set that to an acceptable expiration. 
-john david
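As an added example (not code from the thread or from John's team), here is how the two rules fit together when applied to the relying-party trust with PowerShell: the tokenGroups lookup rule runs first so that the groupsid claims it adds are fresh from AD, and the permit rule from the earlier post then evaluates against those. The trust name "BOX" comes from the thread; the group SID is a placeholder, and the module/snap-in line depends on the ADFS version.

```powershell
# Added example, not from the thread. Applies both issuance authorization
# rules to the Box relying-party trust in order: refresh group SIDs from AD,
# then permit only members of the allowed group.
Import-Module ADFS   # ADFS 2.0 instead: Add-PSSnapin Microsoft.Adfs.PowerShell

# Placeholder: replace with the SID of the Box allowed group.
$boxGroupSid = "S-1-5-21-XXXXXXXXXX"

# Rules are evaluated top to bottom, so the add() rule must precede the permit rule.
$authzRules = @"
@RuleName = "Refresh group SIDs from AD (tokenGroups) on every token issuance"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), query = ";tokenGroups(SID);{0}", param = c.Value);

@RuleName = "Permit only members of the Box allowed group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$boxGroupSid$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# Replace the existing authorization rule set on the trust with the two rules above.
Set-AdfsRelyingPartyTrust -TargetName "BOX" -IssuanceAuthorizationRules $authzRules

# Read back what is now configured so the order can be verified.
(Get-AdfsRelyingPartyTrust -Name "BOX").IssuanceAuthorizationRules
```

Because the windowsaccountname claim has to be present for the add() rule to fire, confirm it is issued by the claims provider (as John notes) before relying on this; if it is missing, the lookup silently adds nothing and the permit rule falls back to whatever groupsid claims the SSO cookie carried.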
gkirkpatrick posted this 01 July 2015

Well damn. I had no idea you could do that…

-gil


joe posted this 02 July 2015

John is really quite the master of claims, claim rule language and the idiosyncrasies of the claim processing pipeline. I have a very general/vague idea of how these things work at this point but he has the real skills. Thus you frequently hear me around the office saying things like "no, that can't be right" or "this really ought to be possible" but he actually figures it out and makes it happen. He should write a book or something. :)
In the meantime, maybe I can convince him to be become a part of this community and share knowledge here. 
Joe K.

nidhin_ck posted this 03 July 2015

Hi John,
You have mentioned that we need to set the RP token expiration time. Where can I check the expiration time in my infrastructure?
I have used the below PowerShell cmdlet to get the properties of the BOX trust and found that "TokenLifeTime" is set as zero. That means 60 min.
"Get-ADFSRelyingPartyTrust BOX"
And SsoLifetime in the ADFS properties is showing 480 min:
SsoLifetime                    : 480
Regards,
Nidhin CK
john.c.david posted this 03 July 2015

Hello Nidhin,

      You don't need to modify the SSO token lifetime, and that's the beauty of the approach since it will not impact your single sign on behavior.

      Setting the value of RP token lifetime depends on the scenario that you want to achieve, if you're ok with an hour before the RP token refreshes then you don't need to change it. But it looks like you want it to be shorter, so you just need to modify your tokenlifetime.

      I'm assuming that your user is already logged into the app when you're changing the group membership. That's why they need to wait, if that's the case then TokenLifetime will define your max wait time.

Regards,
John

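As an added example (not from the thread), the following PowerShell inspects the RP token lifetime that John describes as the maximum wait time and shortens it, leaving the SSO lifetime untouched. It assumes the trust is named "BOX" as in the thread; the 10-minute value is a placeholder to adjust to your environment.

```powershell
# Added example, not from the thread. Shows and adjusts the relying-party
# token lifetime that bounds how long a removed user keeps access to Box.
Import-Module ADFS   # ADFS 2.0 instead: Add-PSSnapin Microsoft.Adfs.PowerShell

$trust = Get-AdfsRelyingPartyTrust -Name "BOX"

# TokenLifetime is in minutes; 0 means "use the default", which is 60 minutes.
$effectiveLifetime = if ($trust.TokenLifetime -eq 0) { 60 } else { $trust.TokenLifetime }
"RP token lifetime for {0}: {1} min (configured value: {2})" -f $trust.Name, $effectiveLifetime, $trust.TokenLifetime

# Shorten the RP token so the authorization rules (and the tokenGroups lookup
# in them) run again sooner after a group change. Placeholder value: 10 minutes.
Set-AdfsRelyingPartyTrust -TargetName "BOX" -TokenLifetime 10

# The SSO lifetime is a separate, federation-wide setting and is left as is.
"SSO lifetime (federation-wide): {0} min" -f (Get-AdfsProperties).SsoLifetime
```

The trade-off is the one Joe mentioned earlier in the thread: a shorter RP token means the LDAP lookup runs more often, so pick the smallest lifetime the sign-in experience tolerates rather than the smallest possible value.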

gkirkpatrick posted this 03 July 2015

Books are so 2000's. Snapchats of working ADFS configurations are the way to go...

-g


yawpee posted this 06 July 2015

Hi

My name is Paddler. I am trying to write a discovery report on our existing ADFS 2.0 servers on 2008R2 servers. I would like to document in detail what is configured on the server and what application it is serving in terms of the relying party and endpoint URLs. Please can someone help me where to start.

Thanks


ZJORZ posted this 06 July 2015

Hijacking a thread to ask a different question is not a good idea. Please always use a new subject.

From what I know, there is nothing available by default that will document your ADFS infrastructure. Is it impossible? No, not really, but you have to create it yourself, for example in PowerShell.

Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto
JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx | +31 (0)6 26.26.62.80