There's a common use case where you use an external system, e.g. Facebook, to authenticate and ADFS sits in the pipeline as an R-STS.
Facebook only returns a GUID, which doesn't mean a lot to AD, so you have a registration flow where you ask the user for their details, e.g. name, email address, and then map the GUID to these.
So the next time the user logs in you have the GUID but need to use it as a "primary key" to get the rest of the details from AD.
Assume you have placed the Facebook GUID in a claim type called:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/guid
and it's stored in AD in extensionAttribute1.
So you have a normal LDAP claims rule that maps:
extensionAttribute1 --> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/guid
Then you need a custom ADFS claim rule to do the extraction based on the mapping:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/guid"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone"), query = "(&(extensionAttribute1={0})(objectClass=user));givenName,sn,mail,mobile;domain\user", param = c.Value);
So the rule searches AD for the user whose extensionAttribute1 value matches the value of the incoming "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/guid" claim and then returns:
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone"
as four separate claims.
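As an added example (not from the original post), here is a PowerShell check that runs the same LDAP lookup the custom rule performs and confirms the GUID maps to exactly one account before you rely on it as the primary key. It assumes the ActiveDirectory RSAT module is available; the GUID value is constructed.

```powershell
# Added example: verify the extensionAttribute1 -> user mapping the claim rule depends on.
# Assumes the ActiveDirectory module (RSAT). $FacebookGuid below is a constructed value.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves in filter values. The GUID comes
    # from an external IdP, so it is treated as opaque, untrusted input here.
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '*'       { [void]$sb.Append('\2a') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Test-GuidMapping {
    # Same filter and attribute list as the custom rule's query string.
    param([Parameter(Mandatory)][string]$Guid)
    $filter = "(&(extensionAttribute1=$(ConvertTo-LdapFilterValue $Guid))(objectClass=user))"
    $users  = @(Get-ADUser -LDAPFilter $filter -Properties givenName, sn, mail, mobile)

    if ($users.Count -eq 0) {
        Write-Warning "No AD user has extensionAttribute1 = '$Guid'; the rule would issue no claims."
        return $null
    }
    if ($users.Count -gt 1) {
        # A duplicated key means the rule could hand one person another account's attributes.
        Write-Warning "$($users.Count) users share extensionAttribute1 = '$Guid': $($users.SamAccountName -join ', ')"
        return $null
    }

    $u = $users[0]
    # The four claims the rule issues, keyed by claim type.
    [pscustomobject]@{
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'    = $u.givenName
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'      = $u.sn
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' = $u.mail
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone'  = $u.mobile
    }
}

$FacebookGuid = '10000000000000001'   # constructed sample, as returned after a Facebook login
Test-GuidMapping -Guid $FacebookGuid | Format-List
```

Run it against a few registered users after the registration flow has written extensionAttribute1; a warning about duplicates means the attribute is not yet safe to use as a key.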
Enjoy!
Ideas and thoughts about Microsoft Identity, C# development, cabbages and kings and random flotsam on the incoming tide
Monday, November 17, 2014
AD : Information about the domain could not be retrieved (1355)
I was setting up a new system with AD on a DC in another domain that is "sandpitted" and got this error:
"Information about the domain could not be retrieved (1355)".
I can ping the DC, but the IP / name is in my hosts file - it's not in DNS.
There's lots of stuff on the Internet - mainly red herrings.
The problem was the DNS "hole" - adding this DC as my alternate DNS server on my Windows 7 box fixed the problem.
Update
Turns out this is not sufficient. Still get this &^%&^% problem.
Start / Control Panel / Network and Internet / Network and Sharing Centre
On LHS at top / Change Adapter Settings
Right click / Disable
You will lose your network connection!!!
Right click / Enable
All will be well until you reset your PC and then you will have the joy of doing it all again.
Use at own risk but works for me.
Enjoy!
Wednesday, November 12, 2014
stackoverflow: Writing the perfect question
I've blogged on this before but it bears repeating.
cf Jon Skeet: Writing the perfect question.
There was a question on SO that's a perfect example.
"How do I achieve SSO with site a, site b, WIF and SAML and STS"?
Is site a / b .NET / Java / ...?
What flavour STS?
WIF and SAML are mutually incompatible. Explain.
Are site a / b in different domains? With different identity repositories? If so, what repositories are these? AD or ...?
And so on.
In my experience, the quality of the answer correlates with the quality of the question.
Yeah - I get that people are leaving out important details because they don't really understand the environment.
If so, Google other questions. What details do they supply?
If you want to be noticed in the vast list of SO questions, you have to put some effort in.
Make me want to help you by answering!
Enjoy!
IdentityServer: two different WS-Fed endpoints
So I've been using thinktecture's IdentityServer for a project.
First off - it's a damn good product - but then you have two top-class MVPs working on it!
I'm using V2.
I'm using it in two modes:
As an IDP against the SQL Server DB
As an R-STS - effectively a broker that just passes on the traffic.
Normally these are the same endpoint e.g. ADFS.
But I was battling until I realised that there are actually TWO WS-Fed endpoints.
My bad - it's obvious when you see the metadata list.
So /issue/wsfed works for the IDP and /issue/hrd works for the R-STS. As the name implies, this brings up the HRD (home realm discovery) screen.
If you look at the two controllers, the code (as you would expect) is pretty similar and they both share the same WSFederationResult.
Enjoy!
Thursday, November 06, 2014
Windows Server: Where's the drive mapping?
I needed to map a drive on Server 2012 R2 to load some media, so:
Start - right click "This PC" - check "Map network drive"
Then map to G:, e.g.
In a command prompt opened with "Run as administrator", type "G:" - no such drive. WTF? I can see the mapping in File Explorer!
The elevated prompt runs under a different logon token, so drives mapped in the normal desktop session aren't visible to it. Turns out you have to do an extra step, i.e.
net use g: \\"mapping path" password /user:domain\user /p:no
where:
g: = drive to map
mapping path = path to media
password = your password
/user:domain\user = your domain and user
/p:no = don't persist mapping across logins
Job done.
I suspect this will work on Windows 8 as well.
Enjoy!