Twobo LDAP Attribute Store for ADFS

Twobo LDAP Attribute Store for ADFS

Using ADFS with LDAP servers that don’t support Windows authentication

Copyright © 2013 Twobo Technologies AB. All rights reserved

Agenda

Limitations and restrictions of ADFS 2

Possible workarounds

Alternatives

Open source

From Twobo

Installation and use


Restrictions in ADFS 2

Out-of-the-box LDAP attribute store requires Windows authentication

“When you work with other Lightweight Directory Access Protocol

(LDAP)-based attribute stores [besides AD], you must connect to an

LDAP-capable server that supports Windows Integrated

Authentication”

-- TechNet (http://bit.ly/1bWt3rn)


Workarounds

1. Enable Windows Authentication on the LDAP server

2. Connect ADFS to some other IP-STS and use ADFS as an FP-

STS only

3. Use an alternative LDAP attribute store that supports other

authentication schemes


Open Source LDAP Attribute Stores

A few open source options available

Limited features (purpose built)

Limited testing

Unproven

Undocumented

Unsupported

None with communities


Twobo LDAP Attribute Store

Supports simple and anonymous bind

Supports multi-value attributes

Supports decoding binary data fields based on various encodings

Supports LDAPS

Works with ADFS 2.0 and 2.1

Better documentation

Rule-specific scope and search base

Commercially supported by a security company


Configuration

Normal attribute store configuration

Use ADFS cmdlets

Use ADFS Management Console


Configuration Options

Setting Description

servername* Name or IP of LDAP server

defaultRoot* Default search location

port Port of LDAP server

defaultScope Default search scope

secured Use of LDAP or LDAPS

password Password used when binding

username Username used when binding

encoding Code page to use when

decoding binary dataCopyright © 2013 Twobo Technologies AB. All rights reserved

Using the Attribute Store

Use with custom rules

wherever ADFS allows

(issuance, authorization,

etc.)


Typical Issuance Rule


Store

name

Input

claimc:[Type == "http://schemas.xmlsoap.org/.../upn"] =>

issue(store = "2BOLDAP",

types = ("http://schemas.xmlsoap.org/.../emailaddress",

"http://schemas.xmlsoap.org/.../privatepersonalidentifier"),

query = "uid={0}\mail,uid",

param = c.Value);

Output

claims

Attributes

in LDAP

LDAP filterSubstitution

value

When User IDs Don’t Match

1. Add a new input

claim from AD


When User IDs Don’t Match

2. Derive it using an

“add” rule followed by

an “issue”


Example of an “Add” Rule

c:[Type == "http://schemas.microsoft.../windowsaccountname"] =>

add(Type = "_uname",

Issuer = c.Issuer,

OriginalIssuer = c.OriginalIssuer,

Value = regexreplace(

c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),

ValueType = c.ValueType);


Example of an “Add” Rule

c:[Type == "_uname"] =>




query = "uid={0}\mail,uid",

param = c.Value);


Example of Non-default Base and Scope





query =

"uid={0}\mail,uid\ou=People,dc=example,dc=com\Subtree",

param = c.Value);


Rule-specific

search scope

Rule-specific

search base

Example of Retrieving a Disguised Name





query = "uid={0}\distinguishedName",

param = c.Value);


Distinguished name can

be treated as an

attribute though it is not;

“dn” works as well.

Tested Systems

LDAP Servers

OpenLDAP using anonymous bind and simple bind with and without SSL (on

Linux)

AD LDS using simple bind (on W2K8 R2)

Siemens DirX Directory using simple bind with and without SSL (on *NIX)

ApacheDS using simple bind (on Linux)

ADFS

2.0

2.1


Questions & Thanks

@2botech

www.2botech.comCopyright © 2013 Twobo Technologies AB. All rights reserved

http://www.twitter.com/2botech

http://www.2botech.com/

Date post:	11-May-2015
Category:	Technology
Upload:	twobo-technologies
View:	408 times
Download:	4 times

Twobo LDAP Attribute Store for ADFS

Technology