Posted: 11-May-2015 | Category: Technology | Uploaded by: twobo-technologies
Twobo LDAP Attribute Store for ADFS
Using ADFS with LDAP servers that don’t support Windows authentication
Copyright © 2013 Twobo Technologies AB. All rights reserved
Agenda
Limitations and restrictions of ADFS 2
Possible workarounds
Alternatives
Open source
From Twobo
Installation and use
Restrictions in ADFS 2
Out-of-the-box LDAP attribute store requires Windows authentication
“When you work with other Lightweight Directory Access Protocol
(LDAP)-based attribute stores [besides AD], you must connect to an
LDAP-capable server that supports Windows Integrated
Authentication”
-- TechNet (http://bit.ly/1bWt3rn)
Workarounds
1. Enable Windows Authentication on the LDAP server
2. Connect ADFS to some other identity-provider STS (IP-STS) and use ADFS as a federation-provider STS (FP-STS) only, so that the other STS, not ADFS, talks to the LDAP directory
3. Use an alternative LDAP attribute store that supports other authentication schemes
Open Source LDAP Attribute Stores
A few open source options available
Limited features (purpose built)
Limited testing
Unproven
Undocumented
Unsupported
None with communities
Twobo LDAP Attribute Store
Supports simple and anonymous bind
Supports multi-value attributes
Supports decoding binary data fields based on various encodings
Supports LDAPS
Works with ADFS 2.0 and 2.1
Better documentation
Rule-specific scope and search base
Commercially supported by a security company
Configuration
Normal attribute store configuration
Use ADFS cmdlets
Use ADFS Management Console
Configuration Options
Setting        Description
servername*    Name or IP of the LDAP server
defaultRoot*   Default search location (base DN)
port           Port of the LDAP server
defaultScope   Default search scope
secured        Use LDAP or LDAPS
password       Password used when binding
username       Username used when binding
encoding       Code page to use when decoding binary data
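Before registering the store, it is worth proving that the values you intend to put in the configuration table actually work: the same host, port, LDAPS setting, bind account, base and scope, exercised from PowerShell with System.DirectoryServices.Protocols. The script below is an added example for this deck, not Twobo's code; the hostname, bind DN, password, base DN and the test user id are assumptions. It mirrors the deck's query shape ("uid={0}\mail,uid"): a filter with the parameter substituted, followed by the attribute list, and it decodes every value through the configured code page the way the deck's encoding option describes.

```powershell
# Added example, not code from the Twobo deck or product. Performs the simple (or
# anonymous) bind and search that the attribute store will perform, using the same
# values you plan to configure, so a wrong host, port, credential, base or scope
# shows up here instead of as a failing claim rule. All values below are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Mirrors of the deck's configuration options (assumed values)
$serverName   = 'ldap.example.com'
$port         = 636
$secured      = $true        # LDAPS; use $false and port 389 for plain LDAP
$username     = 'cn=adfs-reader,ou=Services,dc=example,dc=com'   # '' for anonymous bind
$password     = 'changeme'
$defaultRoot  = 'ou=People,dc=example,dc=com'
$defaultScope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$encoding     = 'utf-8'      # code page for decoding binary attribute values

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping for a value spliced into a filter. Backslash goes first so the
    # escape sequences produced for the other characters are not escaped a second time.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Test-LdapLookup([string]$UserId, [string[]]$Attributes = @('mail', 'uid')) {
    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($serverName, $port)
    if ($username) {
        $cred = New-Object System.Net.NetworkCredential($username, $password)
        $auth = [System.DirectoryServices.Protocols.AuthType]::Basic      # simple bind
    } else {
        $cred = $null
        $auth = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    }
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, $auth)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $secured
    # Certificate validation is left on: a simple bind sends the password in clear,
    # so LDAPS with a certificate the ADFS host trusts is what makes 'secured' matter.
    try {
        $conn.Bind()
        # Same shape as the deck's "uid={0}\mail,uid": {0} replaced by the (escaped) id
        $filter = "(uid=$(ConvertTo-LdapFilterValue $UserId))"
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($defaultRoot, $filter, $defaultScope, $Attributes)
        $resp = $conn.SendRequest($req)
        $enc  = [System.Text.Encoding]::GetEncoding($encoding)
        foreach ($entry in $resp.Entries) {
            # The DN is not an attribute but is always present on the entry, which is
            # why the store can hand it out under the name distinguishedName or dn.
            $cols = foreach ($a in $Attributes) {
                if ($entry.Attributes.Contains($a)) {
                    # Multi-valued attributes become one claim per value in ADFS; show all
                    ($entry.Attributes[$a].GetValues([byte[]]) | ForEach-Object { $enc.GetString($_) }) -join ';'
                } else { '<absent>' }
            }
            '{0} -> {1}' -f $entry.DistinguishedName, ($cols -join ' | ')
        }
    } finally {
        $conn.Dispose()
    }
}

Test-LdapLookup -UserId 'jdoe'   # assumed test identity
```

Run it once with the bind account and once with an empty username to see which of the two bind modes the deck lists your server actually allows; a server that rejects the anonymous bind but accepts the simple bind tells you the store must carry credentials. The RFC 4515 escaping in the helper is there so the check itself is safe with odd identifiers; the deck does not say whether the store applies the same escaping to param before building its filter, so verify that separately with a value containing ( ) * or \ before using anything other than a directory-issued identifier as the parameter.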
Using the Attribute Store
Use with custom rules wherever ADFS allows (issuance, authorization, etc.)
Typical Issuance Rule
c:[Type == "http://schemas.xmlsoap.org/.../upn"] =>
  issue(store = "2BOLDAP",
        types = ("http://schemas.xmlsoap.org/.../emailaddress",
                 "http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
        query = "uid={0}\mail,uid",
        param = c.Value);
How the parts of the rule map onto the LDAP lookup:
Input claim: the UPN claim matched by c:[...]
Store name: store = "2BOLDAP", the name the attribute store was registered under
LDAP filter: uid={0}, the part of the query before the first backslash
Substitution value: param = c.Value is substituted for {0} in the filter
Attributes in LDAP: mail,uid, the comma-separated list after the backslash
Output claims: the types list; attributes are mapped to claim types positionally, so list one type per attribute
When User IDs Don’t Match
1. Add a new input claim from AD
2. Derive it using an “add” rule followed by an “issue” rule
Example of an “Add” Rule
c:[Type == "http://schemas.microsoft.../windowsaccountname"] =>
add(Type = "_uname",
Issuer = c.Issuer,
OriginalIssuer = c.OriginalIssuer,
Value = regexreplace(
c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
ValueType = c.ValueType);
The “Issue” Rule That Follows the “Add” Rule
c:[Type == "_uname"] =>
issue(store = "2BOLDAP",
types = ("http://schemas.xmlsoap.org/.../emailaddress",
"http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
query = "uid={0}\mail,uid",
param = c.Value);
Example of Non-default Base and Scope
c:[Type == "_uname"] =>
issue(store = "2BOLDAP",
types = ("http://schemas.xmlsoap.org/.../emailaddress",
"http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
query =
"uid={0}\mail,uid\ou=People,dc=example,dc=com\Subtree",
param = c.Value);
The two extra backslash-separated fields after the attribute list give this rule its own search base (ou=People,dc=example,dc=com) and search scope (Subtree), overriding defaultRoot and defaultScope for this query only.
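Putting the configuration and the rule pair together with the ADFS 2.x cmdlets the deck points to, as an added example for this page rather than Twobo's own instructions: the store's assembly-qualified type name, the relying party name, the LDAP host, the bind account and the value formats for secured and defaultScope are assumptions (take the real ones from the product documentation), and the claim-type URIs are the standard ADFS ones that the deck shortens with "...".

```powershell
# Added example, not code from the Twobo deck or product. Registers the LDAP store
# with the settings from the configuration table and attaches the add/issue rule pair
# to one relying party. Type name, host, account, RP name and value formats are assumed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 snap-in

$storeName = '2BOLDAP'      # the name the rules reference in store = "2BOLDAP"

# One entry per setting in the deck's table. The representations of secured and
# defaultScope ('true', 'Subtree') are assumptions to be checked against the docs.
$storeConfig = @{
    servername   = 'ldap.example.com'
    port         = '636'
    secured      = 'true'
    username     = 'cn=adfs-reader,ou=Services,dc=example,dc=com'
    password     = 'changeme'
    defaultRoot  = 'ou=People,dc=example,dc=com'
    defaultScope = 'Subtree'
    encoding     = 'utf-8'
}

# A custom store is registered by the .NET type implementing the store; the
# assembly-qualified name below is a placeholder, not the real one.
Add-ADFSAttributeStore -Name $storeName -StoreType Custom `
    -TypeQualifiedName 'Twobo.AttributeStores.LdapAttributeStore, Twobo.AttributeStores' `
    -Configuration $storeConfig
Get-ADFSAttributeStore -Name $storeName    # confirm the registration before writing rules

# Single-quoted here-string: the rule language's "\\" and "${user}" reach ADFS verbatim.
$rules = @'
@RuleName = "Derive the bare user name from DOMAIN\user"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(Type = "_uname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
        Value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
        ValueType = c.ValueType);

@RuleName = "Look up mail and uid in the LDAP directory"
c:[Type == "_uname"]
 => issue(store = "2BOLDAP",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"),
          query = "uid={0}\mail,uid\ou=People,dc=example,dc=com\Subtree",
          param = c.Value);
'@

# This replaces the relying party's issuance transform rules wholesale; read the
# existing set with Get-ADFSRelyingPartyTrust and merge before applying in production.
Set-ADFSRelyingPartyTrust -TargetName 'Example Relying Party' -IssuanceTransformRules $rules
```

The add rule produces a temporary "_uname" claim that never leaves ADFS, so the relying party only sees the email address and identifier claims the LDAP store issues; the windowsaccountname claim it consumes is one the Active Directory claims provider passes through by default.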
Example of Retrieving a Distinguished Name
c:[Type == "_uname"] =>
  issue(store = "2BOLDAP",
        types = ("http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
        query = "uid={0}\distinguishedName",
        param = c.Value);
The distinguished name can be requested as though it were an attribute, although it is not one; “dn” works as well. Only one attribute is requested here, so only one claim type is listed: attributes map to claim types positionally.
Tested Systems
LDAP servers:
  OpenLDAP, anonymous bind and simple bind, with and without SSL (on Linux)
  AD LDS, simple bind (on Windows Server 2008 R2)
  Siemens DirX Directory, simple bind, with and without SSL (on *NIX)
  ApacheDS, simple bind (on Linux)
ADFS versions: 2.0 and 2.1
Questions & Thanks
@2botech
www.2botech.com