This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 7.000000000000001%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I try to generate a PPID claim on ADFS windows 2019 with the rule (from https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/when-to-use-a-custom-claim-rule) :
c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "_OpaqueIdStore", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);
But my setup is a two nodes ADFS Farm (with SQL cluster as a back end) behind a load balancer
My problem is that each node generate a different PPID for the same user.
To my understing adfs should generate the same PPID from both servers?
Is it possible (and how) with _OpaqueIdStore to generate same PPID from different servers of the same ADFS farm ?
Thank you in advance.
Are you sure they are both members of the same farm?
What do you get when you run this on both nodes:
Get-ADFSFarmInformation
thank you Pierre
from both nodes, Get-ADFSFarmInformation gives :
CurrentFarmBehavior : 4
FarmNodes : {I-IDD-A0.contoso.com, I-IDD-B0.contoso.com}
FarmRoles : {UserState}
Servers are both Server 2019 build 17763.1098 now.
Each node continue to give a different value for same user.
I cannot repro in my lab. DO you mind copy/pasting the exact rules you are using for this relying party?
context : we build an Identity Provider (SAML 2) announced in Research Federation (FER in France and EduGain)
We have in fact two claims rules
firstrule : Synthesize Persistent-ID
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(store = "_OpaqueIdStore", types = ("http://i-idd.contoso.com/internal/persistid"), query = "{0};{1};{2}", param = "ppid", param = c1.Value, param = c1.OriginalIssuer);
second rule : Issue NameID persistent eduPersonTargetedID
c:[Type == "http://i-idd.contoso.com/internal/persistid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://test-sp.federation.renater.fr", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://i-idd.contoso.com/adfs/services/trust");
from first node it generate the following (in response to auth request from service provider
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="http://i-idd.contoso.com/adfs/services/trust"
SPNameQualifier="https://test-sp.federation.renater.fr">X89GytsVbVU/CJRIaTIkSY7aM+zHTxfO6fQEyWky1pE=</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_43316f4d8bec99f1e007d03e4c61d050"
NotOnOrAfter="2020-03-13T16:35:57.912Z"
Recipient="https://test-sp.federation.renater.fr/Shibboleth.sso/SAML2/POST" />
</SubjectConfirmation>
</Subject>
Are your users all coming for the Active Directory claim provider trust?
Also, do you have any other rules on the RP else than those two?
from second node we obtain
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="http://i-idd.contoso.com/adfs/services/trust"
SPNameQualifier="https://test-sp.federation.renater.fr">3BlZDv1YYF1knAcJaXyyojqQ4MarlOBwz38a+vngpYc=</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_528f9fc0f3b8da19be2ef70b62aaf1dc"
NotOnOrAfter="2020-03-13T16:41:42.552Z"
Recipient="https://test-sp.federation.renater.fr/Shibboleth.sso/SAML2/POST" />
</SubjectConfirmation>
</Subject>
yes all users coming from same AD. In my test/repro this is the very same user.
in example given, the expected output is same value of element NameID (sub element of subject) for same user
but from first node we have X89... and second node we have 3Bl...
as "semanticaly" a urn:oasis:names:tc:SAML:2.0:nameid-format:persistent should be a persistent identifier, so does not change from login to login, this is a problem.
yes i have other claims issuance rules but this one is the only wich generate a nameidentifier
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
thank for your suggestion of simplifying the test case
will try with only thoses rules and then reply here
But is that other rules modifying or adding another http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname?
Hello, do you have any update? Let us know!
It reminds me of this: https://social.technet.microsoft.com/Forums/en-US/bf84042b-28c1-4c9e-b859-5d2945c6b9fb/adfs-converts-upper-case-upn-to-small?forum=ADFS
Base on the observation at the time, it seemed that the UPN coming from the acceptance rules was always in lower case. So maybe replace the windowsaccountname by the UPN from the acceptance rules (what I mean by from the acceptance rules is that you don't extract the UPN from an LDAP query but just create a pass-through rule at the relying party trust level).
Else, worst case you can still create convert the windowsaccountname in lowercase (or upper case). You can do that with a custom attribute store: https://learn.microsoft.com/en-us/previous-versions/adfs-2.0/hh599320(v=msdn.10)?redirectedfrom=MSDN or use the fancy regexp from here: https://social.technet.microsoft.com/Forums/en-US/109a226d-b9c5-47b4-98ab-2d9e6446b1e4/adfs-claim-to-convert-user-id-to-uppercase?forum=ADFS.
Thank you Pierre,
Case sensitivity is a pain sometimes...
Thank you for the links.
Have a good day
Hello, sorry for the delay to follow up but I was a bit busy.... you were on the right track ! Simplified the rules and tested against Claims X-Ray....
And it shows that the problem is NOT in store _OpaqueIdStore, whose arguments are case-sensitive (sound logical) but, as strangely seems, that the CASE of http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname is not consistent beetween node A and node B of my farm
very strange behaviour...
my simplifed rule
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "_OpaqueIdStore", types = ("http://i-idd.silab.cea.fr/internal/ppidwan"), query = "{0};{1};{2}", param = "ppid", param = c1.Value, param = c1.OriginalIssuer);