Custom Claims Rule to get a specific attribute from a Local Claims Provider Trust

Cedric D 131 Reputation points
2021-03-18T17:03:37.513+00:00

Hello,

I'm on ADFS 4.0 (Windows Server 2016).

I have configured a third-party LDAP directory as Local Claims Provider Trust and all is OK.

I now have the following use case: some users use an external portal to access some ADFS-federated applications with an alternate login ID, and they want a federation between the external IdP and my ADFS.

  • I have connected the external IdP as Claims Provider Trust in my ADFS, but I can't do a mapping between the external ID and the users who are in my LDAP directory.
  • I tried to configure a custom claim rule in my "External IdP" Claims Provider Trust to search for the internal ID based on the external ID (there is an attribute which stores the external ID in the user entry).
    But because my LDAP Directory is configured as a Local Claims Directory, I can't do my search: the LDAP Directory is not seen as an attribute store.
  • I tried to declare my LDAP Directory as an attribute store, but I have an error with the connection string (bad credentials). Maybe because it is not a Microsoft Directory.

Is there a way to request a local Claims provider trust in a custom rule with ADFS?
Or maybe I must create a custom Attribute Store connected to my LDAP Directory and lose the benefit of using a Local Claims Provider Trust?

I followed this tutorial to configure my LDAP Directory with ADFS: https://learn.microsoft.com/fr-fr/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories

Thanks in advance for your help.

Regards.
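For reference, this is the shape the "declare the LDAP directory as an attribute store, then look up the internal ID from a custom claim rule" approach takes in AD FS PowerShell. It is an added example, not code from the thread or from Microsoft, and it assumes placeholder values: the directory host ldap.example.com, a multivalued user attribute named externalId holding the portal-issued IDs, uid as the internal ID, a Claims Provider Trust named "External IdP", and placeholder claim types under schemas.example.com. The built-in LDAP attribute store has no username/password fields and binds with the AD FS service account's Windows identity, which is the reason a non-Microsoft directory has to accept that identity (for example over GSSAPI/Kerberos) and why a "bad credentials" error shows up otherwise; the service account only needs read access to the attributes the rule queries.

```powershell
# Added example (not from the thread). Placeholders: ldap.example.com, the
# "externalId" and "uid" attributes, the "External IdP" trust name, and the
# schemas.example.com claim types.

# 1. Register the third-party directory as an LDAP attribute store.
#    Only a connection string is configured; the bind uses the AD FS service
#    account's Windows credentials, so the directory must accept that identity.
Add-AdfsAttributeStore -Name "ThirdPartyLDAP" -StoreType "LDAP" `
    -Configuration @{ "Connection" = "LDAP://ldap.example.com/ou=people,dc=example,dc=com" }

# 2. Acceptance transform rule on the external IdP's Claims Provider Trust.
#    It fires only for claims arriving through that trust, takes the incoming
#    external ID, searches the store for the entry whose externalId attribute
#    matches it, and issues the entry's uid as the internal-ID claim.
#    Query syntax for the LDAP store is "<LDAP filter>;<attribute list>";
#    {0} is substituted with the value passed in "param".
$rules = @'
@RuleName = "Map external portal ID to internal LDAP uid"
c:[Type == "http://schemas.example.com/identity/claims/externalid"]
 => issue(store = "ThirdPartyLDAP",
          types = ("http://schemas.example.com/identity/claims/internalid"),
          query = "(&(objectClass=inetOrgPerson)(externalId={0}));uid",
          param = c.Value);
'@

Set-AdfsClaimsProviderTrust -TargetName "External IdP" -AcceptanceTransformRules $rules

# 3. Check what was stored.
Get-AdfsAttributeStore -Name "ThirdPartyLDAP"
(Get-AdfsClaimsProviderTrust -Name "External IdP").AcceptanceTransformRules
```

If the lookup returns no entry, the rule simply issues no internal-ID claim, so downstream relying-party rules should treat the absence of that claim as "unknown user" rather than fall back to the raw external ID.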

1 answer
  Cedric D 131 Reputation points
    2021-03-24T09:35:32.03+00:00

    Hello Pierre,

    First of all, thanks a lot for your reply, @Pierre Audonnet - MSFT.

    To give you more details, some users are connected to an external portal and want to access an application federated by ADFS without signing in again:

    1. The user is connected to his external portal with his external credentials (external ID/PWD)
    2. He wants to access an application federated by my ADFS
    3. I declared the external IdP as CPT in ADFS, so ADFS receives a SAML assertion with the external ID
    4. ADFS must find the corresponding LDAP ID and send it as an output claim

    The CPT provides only the external ID because the mapping is stored in my LDAP directory.
    It's a legacy made for security considerations and because an internal ID can be mapped to several external portals.
    So there is a multivalued attribute which stores this mapping in LDAP user entries.

    I will follow your advice and check if my LDAP supports GSSAPI.
    I don't think I can skip the attribute store because there is no correlation between external and internal ID.

    That's why I tried to configure a delegation between the external IdP and my ADFS followed by a mapping in ADFS, but maybe there is a better scenario.

    Regards.

    Cédric
