Question asked by RichardLong-9683

ADFS Custom Rule with Two Attributes

We are configuring ADFS (on Server 2012 R2) to support multiple AWS accounts. We plan to leverage an LDAP attribute to determine the user's role, and a second attribute to specify the AWS account number the user should be authenticated to.

We have this working with the user's role populated in an LDAP attribute, but the AWS account number is hardcoded in the claim right now, so we're looking for some guidance getting that put into a claim correctly.

Here is what we are trying:

Get Attributes Claim Rule (Rule template: Send claims using a custom rule)
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://temp/variable"), query = ";ad-attribute1;{0}", param = c.Value1);
c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://temp/variable"), query = ";ad-attribute2;{0}", param = c.Value2);

AWS Role (Rule template: Send claims using a custom rule)
c:[Type == "http://temp/variable"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::" + c.Value2 ":saml-provider/our-adfs,arn:aws:iam::" + c.Value2 ":role/" + c.Value1);

The value we are trying to achieve will be structured like this:
arn:aws:iam::111111111111:saml-provider/our-adfs,arn:aws:iam::111111111111:role/rolename


Sorry, it is not clear to me at all...

What is the attribute storing the user's role in AD? And does the user have the same role on all AWS accounts? If not, how do you know what role for what AWS account?
What is the attribute storing the AWS account in AD?

You want the output to be a concatenation of all roles and accounts? Or do you want a multi-valued claim (that would be easier)?

Thanks for your response. I'll answer your questions in order.

We plan to use the "altSecurityIdentity" attribute to include an AWS Role Name
The users will be dedicated to one AWS account, so no they won't have the same role in all AWS accounts
The "division" attribute will hold the AWS account number

We'd like to pull the values out of those attributes to plug them into a claim that produces a value in the format of an AWS role. We're trying to understand the best approach to accomplish this.


Well, don't use the altSecurityIdentity attribute in AD. It has a specific AD purpose; you'll mess things up by using this one.
Pick something in the extended attribute list or cloud attribute list, or whatever is not already used by AD for its core mechanism (altSecurityIdentity is used for certificate authentication in AD).

You could just query the 1st attribute, then the 2nd, and concatenate the two. Do you want a working example for this?

1 Answer

Answer by piaudonn

Something like this should do the trick:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("claims:temp/attribute1","claims:temp/attribute2"), query = ";ad-attribute1,ad-attribute2;{0}", param = c.Value);

c1:[Type == "claims:temp/attribute1"] && c2:[Type == "claims:temp/attribute2"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::" + c2.Value ":saml-provider/our-adfs,arn:aws:iam::" + c2.Value ":role/" + c1.Value);

You would need to replace ad-attribute1 and ad-attribute2 in the first rule with the names of the attributes you are really using, and it assumes that the final format is what you really need.


Thanks for your help! I appreciate it


I had to make a minor change, but this is what worked. Thanks again for your help

Get Attributes Claim:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("claims:temp/msDS-CloudExtensionAttribute1","claims:temp/msDS-CloudExtensionAttribute2"), query = ";msDS-CloudExtensionAttribute1,msDS-CloudExtensionAttribute2;{0}", param = c.Value);

AWS Role ADFS Claim:
c1:[Type == "claims:temp/msDS-CloudExtensionAttribute1"] && c2:[Type == "claims:temp/msDS-CloudExtensionAttribute2"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::" + c2.Value + ":saml-provider/our-adfs,arn:aws:iam::" + c2.Value + ":role/" + c1.Value);

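The working rules above concatenate whatever is stored in msDS-CloudExtensionAttribute1 (role name) and msDS-CloudExtensionAttribute2 (account number) straight into the Role claim; ADFS does not check that the account is 12 digits or that the role name is well-formed. The script below is an added example, not code from the thread or from ADFS or AWS: it builds the claim value the same way the final issue() rule does, parses a Role value back into its parts, and rejects the inputs a defender would want caught before they reach AWS (non-12-digit account, empty or comma-containing names, provider and role ARNs in different accounts). The sample attribute values, the provider name "our-adfs" and the function names are taken from or constructed for this example; IAM role paths (role/path/name) are not handled.

```python
import re

# Constructed sample values standing in for the two AD attributes the thread ends up using:
# msDS-CloudExtensionAttribute1 holds the role name, msDS-CloudExtensionAttribute2 holds the
# 12-digit AWS account number. "our-adfs" is the SAML provider name used in the thread's rules.
SAMPLE_ROLE_NAME = "rolename"
SAMPLE_ACCOUNT = "111111111111"
SAML_PROVIDER = "our-adfs"

ACCOUNT_RE = re.compile(r"^\d{12}$")
# Letters, digits and + = . @ _ - for role and provider names. Commas are deliberately excluded
# even though IAM permits them in role names, because the Role claim value uses the comma to
# separate the provider ARN from the role ARN, so a comma in a name makes the value ambiguous.
NAME_RE = re.compile(r"^[A-Za-z0-9+=.@_-]{1,64}$")
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(saml-provider|role)/(.+)$")


def build_role_claim(role_name: str, account: str, provider: str = SAML_PROVIDER) -> str:
    """Return the same string the ADFS issue() rule concatenates, after validating each part."""
    if not ACCOUNT_RE.match(account):
        raise ValueError(f"account number must be exactly 12 digits: {account!r}")
    if not NAME_RE.match(role_name):
        raise ValueError(f"empty or unsafe role name: {role_name!r}")
    if not NAME_RE.match(provider):
        raise ValueError(f"empty or unsafe SAML provider name: {provider!r}")
    provider_arn = f"arn:aws:iam::{account}:saml-provider/{provider}"
    role_arn = f"arn:aws:iam::{account}:role/{role_name}"
    return f"{provider_arn},{role_arn}"


def parse_role_claim(value: str) -> dict:
    """Split a Role attribute value into account, provider and role, checking the pairing.

    AWS accepts the provider ARN and role ARN in either order, so both orders are handled.
    """
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError(f"expected exactly two comma-separated ARNs, got {len(parts)}")
    parsed = {}
    accounts = set()
    for part in parts:
        m = ARN_RE.match(part)
        if not m:
            raise ValueError(f"not an IAM role or saml-provider ARN: {part!r}")
        account, kind, name = m.groups()
        if not NAME_RE.match(name):
            raise ValueError(f"unsafe name in ARN: {name!r}")
        if kind in parsed:
            raise ValueError(f"two {kind} ARNs in one Role value")
        parsed[kind] = name
        accounts.add(account)
    if len(parsed) != 2:
        raise ValueError("Role value needs one saml-provider ARN and one role ARN")
    if len(accounts) != 1:
        # The thread's rule uses c2.Value for both ARNs, so a mismatch means a hand-edited or
        # corrupted value rather than output of that rule.
        raise ValueError(f"provider and role ARNs name different accounts: {sorted(accounts)}")
    return {"account": accounts.pop(), "provider": parsed["saml-provider"], "role": parsed["role"]}


def check_attribute_pair(attr1: str, attr2: str) -> dict:
    """Round-trip two attribute values through build and parse, as a pre-flight check on AD data."""
    return parse_role_claim(build_role_claim(attr1, attr2))


if __name__ == "__main__":
    claim = build_role_claim(SAMPLE_ROLE_NAME, SAMPLE_ACCOUNT)
    print(claim)
    print(parse_role_claim(claim))
    # Constructed bad inputs that the plain ADFS concatenation would pass through unchanged.
    for bad_role, bad_account in [("rolename", "1111"), ("role,name", SAMPLE_ACCOUNT), ("", SAMPLE_ACCOUNT)]:
        try:
            build_role_claim(bad_role, bad_account)
        except ValueError as exc:
            print("rejected:", exc)
```

Running check_attribute_pair over the two attribute values of every user in the directory (for example from a scheduled PowerShell or Python export) catches a mistyped account number or a stray character in a role name before ADFS turns it into a Role claim that AWS will reject or, worse, map to an unintended role.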