Monday, November 17, 2014

ADFS : Using an AD primary key

There's a common use case where an external system, e.g. Facebook, does the authentication and ADFS sits in the pipeline as an R-STS.

Facebook only returns a GUID, which means nothing to AD on its own, so you have a one-time registration flow: ask the user for their details (name, email address and so on) and map the GUID to the resulting AD account. That binding step is the one to get right: the user should have to prove they own the AD account (or at least the email address) before the GUID is attached to it, otherwise anyone with a Facebook login could attach their GUID to an arbitrary account.

The next time the user logs in you only have the GUID, and you need to use it as a "primary key" to look up the rest of their details in AD.

Assume you have placed the Facebook GUID in a claim type called:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/guid

and it's stored in AD in extensionAttribute1 (one value per user, and no two users with the same value, since it is about to be used as a key).

So you have a normal LDAP claims rule that maps:

extensionAttribute1 -->  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/guid

Then you need a custom ADFS claim rule that queries AD using that mapping:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/guid"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone"), query = "(&(extensionAttribute1={0})(objectClass=user));givenName,sn,mail,mobile;domain\user", param = c.Value);

So the rule searches AD for the user object whose extensionAttribute1 value equals the value of the incoming guid claim ({0} in the query is replaced by c.Value, not by the claim type) and, if it finds one, returns:

"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone"

as four separate claims.

Three things to check before using this for real.

The third segment of the query, "domain\user", is a placeholder. ADFS uses the domain of that account to decide which domain the LDAP query runs in; the query itself runs as the AD FS service account, which needs read access to the attributes listed. In the Facebook case there is no Windows account name claim to substitute, so put a fixed domain\account from the directory you want searched.

extensionAttribute1 is being treated as a primary key, so it must be unique. Enforce that in the registration flow; if two users carry the same value the rule has no way to tell them apart.

The claim value is substituted straight into an LDAP filter. Don't rely on the attribute store to escape it: add a regex condition to the rule so that only a GUID-shaped value is ever substituted, and make sure only the claims provider trust for Facebook is allowed to pass the guid claim through.
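The registration step and the lookup rule above, as an added PowerShell example that is not code from the original post. It assumes the ActiveDirectory and ADFS modules are available on the AD FS server, a relying party trust named ExampleApp and a directory account CONTOSO\svc-adfs-lookup (both hypothetical names), and that the external ID is a GUID stored in extensionAttribute1. It goes a little beyond the post: the binding function enforces the GUID shape and the uniqueness of extensionAttribute1, the installed rule carries a regex condition on the claim value, and a helper runs the rule's LDAP filter through Get-ADUser so you can preview what the rule will issue.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory and
# ADFS modules are installed on the AD FS server, a relying party trust named
# "ExampleApp" (hypothetical), a directory account CONTOSO\svc-adfs-lookup
# (hypothetical) used only to tell the AD attribute store which domain to search,
# and that the external ID is a GUID stored in extensionAttribute1.
Import-Module ActiveDirectory
Import-Module ADFS

$GuidClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/guid'
$ClaimPrefix = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$GuidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

# Registration flow: bind an external ID to the AD account the user has just proved
# they own. extensionAttribute1 is about to be used as a primary key, so the value
# must (a) be the expected shape, because the claim rule substitutes it into an LDAP
# filter, and (b) not already be bound to a different account.
function Set-ExternalIdBinding {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ExternalId
    )
    if ($ExternalId -notmatch $GuidPattern) {
        throw "External ID '$ExternalId' is not a GUID; refusing to store it."
    }
    $conflicts = @(Get-ADUser -LDAPFilter "(extensionAttribute1=$ExternalId)" |
                  Where-Object { $_.SamAccountName -ne $SamAccountName })
    if ($conflicts.Count -gt 0) {
        throw "External ID '$ExternalId' is already bound to $($conflicts[0].SamAccountName)."
    }
    Set-ADUser -Identity $SamAccountName -Replace @{ extensionAttribute1 = $ExternalId }
}

# Preview what the lookup rule will return for a given ID: same filter, same attributes.
function Get-UserByExternalId {
    param([Parameter(Mandatory)] [string] $ExternalId)
    if ($ExternalId -notmatch $GuidPattern) { throw "Not a GUID: '$ExternalId'" }
    Get-ADUser -LDAPFilter "(&(extensionAttribute1=$ExternalId)(objectClass=user))" `
               -Properties givenName, sn, mail, mobile |
        Select-Object SamAccountName, givenName, sn, mail, mobile
}

# The lookup rule from the post, with two additions: a Value =~ condition so that only
# a GUID-shaped value is ever substituted into the filter, and a concrete domain\account
# in the third query segment in place of the post's "domain\user" placeholder.
$LookupRule = @"
@RuleName = "Issue name, email and mobile from AD keyed on the external GUID"
c:[Type == "$GuidClaim", Value =~ "$GuidPattern"]
 => issue(store = "Active Directory", types = ("$ClaimPrefix/givenname", "$ClaimPrefix/surname", "$ClaimPrefix/emailaddress", "$ClaimPrefix/mobilephone"), query = "(&(extensionAttribute1={0})(objectClass=user));givenName,sn,mail,mobile;CONTOSO\svc-adfs-lookup", param = c.Value);
"@

# Append the rule to the relying party trust's existing issuance transform rules.
function Add-ExternalIdLookupRule {
    param([Parameter(Mandatory)] [string] $RelyingPartyName)
    $trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $trust) { throw "No relying party trust named '$RelyingPartyName'." }
    $merged = ($trust.IssuanceTransformRules, $LookupRule) -join "`r`n"
    Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules $merged
}

# Usage (hypothetical values):
# Set-ExternalIdBinding -SamAccountName 'jdoe' -ExternalId '3f2504e0-4f89-11d3-9a0c-0305e82c3301'
# Get-UserByExternalId -ExternalId '3f2504e0-4f89-11d3-9a0c-0305e82c3301'
# Add-ExternalIdLookupRule -RelyingPartyName 'ExampleApp'
```

Run Get-UserByExternalId against a freshly bound account before trusting the rule: if it returns more than one row, the uniqueness check was bypassed somewhere and the rule is no longer keyed on a primary key.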

Enjoy!
