Custom Claims Rule to get a specific attribute from a Local Claims Provider Trust

Hello,

I'm on ADFS 4.0 (Windows Server 2016).

I have configured a third-party LDAP directory as Local Claims Provider Trust and all is OK.

I have now the following use case: Some users use an external portal to access some ADFS federated applications with an alternate login ID, and they want a federation between the external IdP and my ADFS.

  • I have connected the external IdP as Claims Provider Trust in my ADFS, but I can't do a mapping between the external ID and the users who are in my LDAP directory.

  • I tried to configure a custom claim rule in my "External IdP" Claims Provider Trust to search the internal ID based on the external ID (there is an attribute which stores the external ID in the user entry).
    But because my LDAP Directory is configured as a Local Claims Directory, I can't do my search, the LDAP Directory is not seen as an attribute store.

  • I tried to declare my LDAP Directory as an attribute store, but I have an error with the connection string (bad credentials). Maybe because it is not a Microsoft Directory.


Is there a way to request a local Claims provider trust in a custom rule with ADFS?
Or maybe I must create a custom Attribute Store connected to my LDAP Directory and lose the benefit of using a Local Claims Provider Trust?

I followed this tutorial to configure my LDAP Directory with ADFS: https://docs.microsoft.com/fr-fr/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories

Thanks in advance for your help.

Regards.

adfs

Bonjour Cédric -

In your scenario, you can't leverage your LDAP CPT for users coming from this other 3rd party CPT. Why would you need to map a user to your LDAP CPT? That's not what a CPT is for. What's important is that the RPT has the necessary information. And the job of the CPT, here the job of the 3rd party CPT, is to provide all the necessary information to assert who the user is.
That said, it seems what you really need is to look up some values to send to the RPT. In that case you would need to add an attribute store. You can make it work as long as the LDAP directory supports the GSSAPI with Kerberos or NTLM. You would also need to grant access to the ADFS service account to make this possible.
If you can deduce the value you would be looking up from a claim set in the 3rd party CPT, then you could skip the attribute store and use a claim transformation rule instead. But we would need to know more about the specifics then.

P.

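As an added illustration of the attribute-store approach described in the comment above (example code, not from the thread or from Microsoft's documentation), this registers the third-party LDAP directory as an ADFS attribute store and adds a lookup rule to the external IdP's Claims Provider Trust. The store name, LDAP host and base DN, the attribute names `externalId` and `uid`, the claim types and the CPT display name are all assumed placeholders, and the `filter;attributes` query syntax for the LDAP store is an assumption to verify against the ADFS documentation.

```powershell
# Added example, not the poster's configuration. All names below are assumed placeholders.

# 1. Register the LDAP directory as an attribute store. ADFS binds to it with the ADFS
#    service account, so the directory must accept that account over GSSAPI (Kerberos)
#    or NTLM; there is no place here for a separate bind user name and password.
Add-AdfsAttributeStore -Name "LegacyLdap" -StoreType LDAP -Configuration @{
    "Connection" = "LDAP://ldap.example.com/ou=people,dc=example,dc=com"
}

# 2. Acceptance transform rule on the CPT for the external IdP: take the external ID the
#    IdP asserted and look up the internal uid of the entry whose (multivalued) externalId
#    attribute contains that value. Query syntax assumed: "<ldap filter>;<attributes>",
#    with {0} replaced by the value passed in 'param'.
$lookupRule = @'
@RuleName = "Map external ID to internal uid via LegacyLdap"
c:[Type == "http://schemas.example.com/claims/externalId"]
 => issue(store = "LegacyLdap",
          types = ("http://schemas.example.com/claims/internalId"),
          query = "(externalId={0});uid",
          param = c.Value);
'@

# Append to the existing acceptance rules rather than replacing them, so the claims the
# external IdP already sends are still passed through to the relying party trusts.
$cpt = Get-AdfsClaimsProviderTrust -Name "External IdP"
$rules = $cpt.AcceptanceTransformRules + "`n" + $lookupRule
Set-AdfsClaimsProviderTrust -TargetName "External IdP" -AcceptanceTransformRules $rules
```

Because the mapping attribute is multivalued and shared with several portals, check that each external ID resolves to exactly one LDAP entry before relying on the issued claim for authorization decisions.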

1 Answer

CedricD-1021 answered

Hello Pierre,

First of all, thanks a lot for your reply, @piaudonn.

To give you more details, some users are connected to an external portal and want to access an application federated by ADFS without signing in again:

  1. The user is connected to his external portal with his external credentials (external ID/PWD)

  2. He wants to access an application federated by my ADFS

  3. I declared the external IdP as CPT in ADFS, so ADFS receives a SAML Assertion with the external ID

  4. ADFS must find the corresponding LDAP ID and send it as output claim

The CPT provides only the external ID because the mapping is stored in my LDAP directory.
It's a legacy made for security considerations and because an internal ID can be mapped with several external portals.
So there is a multivalued attribute which stores this mapping in LDAP user entries.

I will follow your advice and check if my LDAP supports GSSAPI.
I don't think I can skip the attribute store because there is no correlation between external and internal ID.

That's why I tried to configure a delegation between the external IdP and my ADFS followed by a mapping in ADFS, but maybe there is a better scenario.

Regards.

Cédric
