Alex-5595 asked, piaudonn edited

Claim rule to issue recursive group membership of a user

Hello, we have a request to issue the group memberships of a set of groups if the user is a member of them.

The only thing I found so far is this tutorial; it works, but we have a performance problem.

https://www.yasab.net/adfs-claim-rule-to-issue-recursive-group-membership-of-a-user/

Among other things, he used the filter LDAP_MATCHING_RULE_IN_CHAIN in Rule 2. It takes more than 8 seconds to finish :S

Does anyone know if there is another solution or a tip to fix this?

P.S. To be honest I'm not very familiar with the ADFS custom claim rule language.

Alex-5595 answered, piaudonn edited

After a tip that pointed another way, I was able to improve the query.

LDAP_MATCHING_RULE_IN_CHAIN can cause a heavy load and stress performance if the query itself is not optimized and not using indexes properly.

The example in the blog is an example of such an expensive LDAP query, because it will walk over ALL AD objects, whether it's a group or a user or a contact or whatever else. It will surely make the CPUs of the DCs run hot.

The tip to put a bit more complexity on the rule, restricting it to just the groups you need, was a good example.

E.g.:

(&(objectclass=group)(&(|(cn=xyz_*)(cn=aws-*)(cn=abc_*))(member:1.2.840.113556.1.4.1941:={1})))

This would be a query looking only for the groups where the CN starts with xyz_ or aws- or abc_!


That way you no longer use the DNT index, but you still have to use the CN index (with the OR operator), so you would need to validate in your environment if that still scales.

At the end of the day, the list of groups the user is a member of is already in the claim pipeline from the claim acceptance rule output on the claim provider trust. In an ObjectSID format, but it is there. So I don't see the additional value here in using an LDAP query to find something we already have, unless there is another requirement that is not listed here (like the list of groups changing all the time, which actually raises other issues).

piaudonn answered, later edited

LDAP_MATCHING_RULE_IN_CHAIN doesn't scale in large environments. As a matter of fact, not only does it take a long time, but it also makes the domain controllers' CPUs run pretty hot.

The list of groups the user is a member of is already listed in the GroupSid claim. It is in the ObjectSID format. You can pass it through as-is or transform it into a display name (but using the SID is usually better for security reasons).

The problem is some users are in up to 500 groups; the requesting app's product owner commented that the token size gets too big then.

Well then it is not a good idea to send all groups :) You can assign roles to specific groups and send only those roles.
Or simply filter the groups you want to send.

What do you need to send? Only specific groups? Is that for access control? Because we can also issue a token only if the user is a member of a specific group, instead of sending the group info and letting the app decide.

Hi piaudonn, it's a set of groups that are related to the application and needed there, not for access control.
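As an added example (not from the thread or the linked blog), here is the approach the answers recommend: instead of an LDAP_MATCHING_RULE_IN_CHAIN query, filter the GroupSid claims ADFS already has in the pipeline so only the application-related groups (or a role derived from one of them) reach the token. The trust name, group SIDs and role value are constructed placeholders.

```powershell
# Added example: filter the GroupSid claims already in the pipeline instead of
# running an expensive LDAP query in a custom rule. All values below are
# placeholders; look up the real group SIDs with Get-ADGroup.
$groupSidType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$roleType     = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Placeholder SIDs of the groups the application actually needs.
$appGroupSids = @(
    "S-1-5-21-1111111111-2222222222-3333333333-1001",  # e.g. xyz_readers
    "S-1-5-21-1111111111-2222222222-3333333333-1002"   # e.g. aws-admins
)

# Rule 1: pass through only the GroupSid claims for those groups, so a user in
# 500 groups still gets only the handful the app cares about. The claim rule
# language matches Value =~ against a .NET regular expression.
$sidPattern = '^(' + ($appGroupSids -join '|') + ')$'
$rule1 = @"
@RuleName = "Pass through application group SIDs"
c:[Type == "$groupSidType", Value =~ "$sidPattern"]
 => issue(claim = c);
"@

# Rule 2 (alternative): map one group SID to an application role claim instead
# of sending the group at all, keeping the token small and the SID internal.
$rule2 = @"
@RuleName = "Map xyz_readers group to application role"
c:[Type == "$groupSidType", Value == "$($appGroupSids[0])"]
 => issue(Type = "$roleType", Value = "xyz_reader");
"@

# Note: -IssuanceTransformRules replaces the trust's whole rule set, so merge
# these with any existing rules before applying them.
Set-AdfsRelyingPartyTrust -TargetName "ExampleApp" -IssuanceTransformRules ($rule1 + "`n" + $rule2)
```

Group SIDs are stable across renames, which is why piaudonn prefers them over display names; the regex in Rule 1 is anchored so a SID cannot partially match another.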