Another ADFS question

Last Post 23 March 2017
AlLilianstrom posted this 04 April 2014

Background - Two domains that have no trust between them. All users have accounts in both domains with the same username. The SRVC domain exists to serve web based applications per our security rules. SharePoint 2013 uses forms-based ADFS in the SRVC domain. Claims are sent to SharePoint via the Relying Party Trust:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";sAMAccountName,tokenGroups,mail;{0}", param = c.Value);

Everything works.

The FER domain is where our Windows desktops reside. I have set up ADFS in the FER domain (remember - no trust between SRVC and FER) using Windows Integrated Authentication. Users in FER have no trouble authenticating against this server.

I have set up a relationship between the two ADFS servers. The RP rule in FER that is used to connect to the SRVC ADFS server is the same as the RP rule used in SRVC for SharePoint. (I don't think I need this much information in the claim. I'm thinking windowsaccountname is all I need.)

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";sAMAccountName,tokenGroups,mail;{0}", param = c.Value);

The claim rule in SRVC for the connection from FER is where I'm having problems. I have tried numerous things and seem to be spinning in circles. What I want to do is take the incoming windowsaccountname from FER and look up the necessary information for the same account in SRVC to complete the claim. Two questions:

1) Any guidance on the rule? I'm at a loss. Do I only need to look up the windowsaccountname from SRVC using the windowsaccountname from FER and then let my RP claim rule to SharePoint handle generating the rest of the claim? Among my attempts:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = c.Type, Value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "srvc\\${user}"));

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = ";sAMAccountName;{0}", param = c.Value);

2) Is there a simple .NET app that can be installed on an IIS server that displays the claims presented?

Thanks, al

Al Lilianstrom lilstrom@xxxxxxxxxxxxxxxx

yamminef posted this 04 April 2014

You can use the SAML tracer on Firefox to view the contents of the claims.

Sent from my Windows Phone

kevinrjames posted this 04 April 2014

http://technet.microsoft.com/en-us/library/dn280939.aspx

Step 3 in the above makes for a nice little test environment for claims transformation work.

/kj

ZJORZ posted this 04 April 2014

There are many ways of solving this. This is one of them and may not be optimal.

ADFS in FER domain:

CP Trust "Active Directory":
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(claim = c);
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://temp.org/identity/claims/sAMAccountName", Value = RegexReplace(c.Value, "^(?i).*\\", ""));

RP Trust "ADFS in SRVC domain":
c:[] => issue(claim = c);

ADFS in SRVC domain (ASSUMING THIS FOREST ONLY HAS ONE DOMAIN, OR, WHEN HAVING MULTIPLE DOMAINS, THAT THE SAMACCOUNTNAME IS UNIQUE!!!):

CP Trust "ADFS in FER domain":
c:[Type == "http://temp.org/identity/claims/sAMAccountName"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";sAMAccountName,tokenGroups,mail;{0}", param = c.Value);

RP Trust "SharePoint 2013 SRVC domain":
c:[] => issue(claim = c);

Apps to display claims:
.NET: http://msdn.microsoft.com/en-us/library/hh987037.aspx
PHP: https://simplesamlphp.org/

Kind regards, Jorge de Almeida Pinto: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx, +31 (0)6 26.26.62.80
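An added example, not code from the thread or from any poster, showing how the SRVC-side acceptance rule above would be applied with the AD FS PowerShell module, preceded by the check that Jorge's capitalised assumption calls for: that no sAMAccountName is duplicated across the SRVC forest before it is used as the lookup key. The CP trust name and the global catalog host are assumptions.

```powershell
# Added example (not from the thread). Assumed names: CP trust "ADFS in FER domain"
# on the SRVC AD FS server and global catalog host gc.srvc.example.
Import-Module ADFS
Import-Module ActiveDirectory

$cpTrustName = 'ADFS in FER domain'   # assumption: display name of the CP trust in SRVC

# Acceptance rule for the CP trust, as in Jorge's post: FER sends a bare sAMAccountName under
# a custom claim type; SRVC resolves it in its own AD and issues the claims SharePoint needs.
$acceptanceRules = @'
@RuleName = "SRVC lookup by sAMAccountName received from FER"
c:[Type == "http://temp.org/identity/claims/sAMAccountName"]
 => issue(store = "Active Directory",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";sAMAccountName,tokenGroups,mail;{0}", param = c.Value);
'@

# The rule keys the lookup on sAMAccountName alone, which is only unique per domain.
# In a multi-domain forest a duplicate would let the rule issue another account's
# group and mail claims, so list duplicates forest-wide via the global catalog first.
function Get-DuplicateSamAccountNames {
    param([string]$GlobalCatalog = 'gc.srvc.example:3268')   # assumed GC host and port
    Get-ADUser -Filter * -Server $GlobalCatalog |
        Group-Object -Property SamAccountName |
        Where-Object { $_.Count -gt 1 } |
        Select-Object -ExpandProperty Name
}

$dupes = @(Get-DuplicateSamAccountNames)
if ($dupes.Count -gt 0) {
    throw "Duplicate sAMAccountNames in the SRVC forest, lookup by name is unsafe: $($dupes -join ', ')"
}

# Apply the acceptance rule set to the CP trust and read it back to confirm what is in place.
Set-AdfsClaimsProviderTrust -TargetName $cpTrustName -AcceptanceTransformRules $acceptanceRules
(Get-AdfsClaimsProviderTrust -Name $cpTrustName).AcceptanceTransformRules
```

Re-run the duplicate check whenever a domain is added to the forest, since the rule silently keeps working with whichever account the query returns.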


ZJORZ posted this 04 April 2014

For a claims app also look at the ZIP file at the end of the blog post: http://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspx

Kind regards, Jorge de Almeida Pinto: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx, +31 (0)6 26.26.62.80


MyloC posted this 04 April 2014

With AD FS as the Claims Provider in the FER domain, you can convey the Windows Account Name using Name ID by transforming Windows Account Name in a claims rule on the RP pipeline to the RP-STS (SRVC), "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", since this is what AD FS in SRVC is expecting at a minimum using SAML 2.0. On the RP-STS AD FS side (SRVC) you can then mine additional claims to do the necessary lookup as Jorge explained using RegEx expressions. The constraint here, as he mentioned, is whether multiple domains are in play.

From a SharePoint perspective, it also depends on what the primary attribute being used by the SharePoint STS is. If it's e-mail address then you'll also need to:

(a) pass through the e-mail attribute from the FER domain in the RP rule and in the CP pipeline on SRVC, assuming the mail address is populated also in the FER (AD) mail attribute.

(b) use a pivot rule on the RP-STS to extract the e-mail address as a claim in the SRVC domain, again, assuming the mail attribute is populated in SRVC.

If it's the sAMAccountName (aka windowsaccountname) that is the primary identifier in SharePoint, then you can ignore the above.

As you may have seen, if the primary attribute/claim is missing then SharePoint 2013 adopts a ping-pong back to the RP-STS and you'll eventually time out with a smiley 😊

Regards,

Mylo

kool posted this 04 April 2014

Perhaps a dumb question, but couldn't you configure SharePoint to use the FER ADFS and eliminate the SRVC ADFS entirely? That's the whole point of claims-based auth; you don't need a trust to the ADFS domain from the RP domain, unless there are user attributes in the SRVC domain that don't exist in the FER domain.

This seems like a throwback to the NT days of user domains and resource domains. Now with claims!

Have a good weekend!

Eric

AlLilianstrom posted this 14 April 2014

Thanks for the reminder. I had forgotten about that extension.

al

--
Al Lilianstrom
lilstrom@xxxxxxxxxxxxxxxx

AlLilianstrom posted this 14 April 2014

Thanks for the link. Not sure how I missed that article.

al

--
Al Lilianstrom
lilstrom@xxxxxxxxxxxxxxxx

AlLilianstrom posted this 14 April 2014

Thanks for the suggestions. I'll give them a try this week.

al

--
Al Lilianstrom
lilstrom@xxxxxxxxxxxxxxxx

AlLilianstrom posted this 14 April 2014

Yea - I've seen the ping-pong. Several times... :(

We're using samaccountname/windowsaccountname.

--
Al Lilianstrom
lilstrom@xxxxxxxxxxxxxxxx

AlLilianstrom posted this 14 April 2014

Yes we could.

We have some security rules in place that prevent that configuration.

al

--
Al Lilianstrom
lilstrom@xxxxxxxxxxxxxxxx

msch posted this 23 March 2017

Hello,

your users would have to use the IdP-initiated login URL, which should be

https://ADFS-FQDN/adfs/ls/idpinitiatedsignon.aspx?loginToRp=urn:amazon:webservices

Matthias