I had a couple of "Acceptance transform rules" defined for AD which suddenly stopped working.. It looks like the relyingpartytrustid-claim (http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid) don't exist in the "acceptance transform rules"-step in the ADFS (2012 R2) pipeline anymore. The strange thing is that it was there before, but now I can't see it until the next step in the ADFS claimstransformation pipeline (issuance transform rules for relying parties).
Does anyone know exactly when the relyingpartytrustid-claim is issued by ADFS? I can't find any information on how/when these claims are issued.
Claim-rule that worked before and then suddenly stopped working:
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid"]
=> add(store = "CustomAttributeStore", types = ("http://domain.no/context/FmApplicationId", "http://domain.no/context/AdfsApplicationId", "http://domain.no/context/CustomProperty"), query = "GetApplicationAttributes#FmApplicationId,AdfsApplicationId,CustomProperty", param = c.Value);
The following rule results in "temp" beeing issued if the rule is placed under "acceptance transform rules", but not when it is placed under "issuance transform rules"
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid"])
=> issue(Type = "http://domain.no/temp", Value = "dontexist");
The claim http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid is part of the Request Context provided by Web Application Proxy to AD FS during authentication of external users.
Related
I'm building a .net core 3 website where I'm trying to add a user to an Active Directory security group. The below code works fine in my development environment but once it's deployed to IIS I receive:
System.DirectoryServices.DirectoryServicesCOMException (0x8007202B):
A referral was returned from the server.
The error occurs at "group.Save();"
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "ad.xxx.com:389",
"DC=ad,DC=xxx,DC=com", svcAccountUsername, svcAccountPw))
{
GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, groupName);
group.Members.Add(pc, IdentityType.SamAccountName, username);
group.Save();
}
Again, this works locally in my development environment but not once deployed to IIS. Any suggestions on how to fix?
I would suggest looking up the account that you are trying to add to the AD. Other things i can suggest is using the debugger to confirm the account / group exists in the domain that you are running this under.
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "domain" ...))
{
GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, groupName);
// Do some validation / logging to make sure there is a group returned.
var principal = Principal.FindByIdentity(pc, IdentityType.SamAccountName, username);
// Do some validation here to make sure principal is not null
group.Members.Add(principal);
group.Save();
}
Make sure the server running this script has access to the domain you are updating.
A referral means that you aren't talking to the right server, but the server knows who you should be talking to. If you look into the exception object more, you might even find which server it wants to send you to.
This can happen if the group is not on the same domain that you passed to the PrincipalContext.
We use Apache Shiro to authenticate and authorize users using our active directory.
Authenticating the user and mapping groups works just fine using the following config:
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.searchBase = "OU=MYORGANIZATION,DC=MYDOMAIN,DC=COM"
adRealm.groupRolesMap = "CN=SOMEREADGROUP":"read","CN=SOMEMODIFYGROUP":"modify","CN=SOMEADMINGROUP":"admin"
adRealm.url = ldaps://my.ad.url:636
adRealm.systemUsername= systemuser
adRealm.systemPassword= secret
adRealm.principalSuffix= #myorganization.mydomain.com
I can authenticate in Shiro using the following lines:
String user = "someuser";
String password = "somepassword";
Subject currentUser = SecurityUtils.getSubject ();
if (!currentUser.isAuthenticated ()){
UsernamePasswordToken token = new UsernamePasswordToken (user,
password);
token.setRememberMe (true);
currentUser.login (token);
}
We now want to get more user information from our ActiveDirectory. How can I do that using Apache Shiro? I was not able to find anything about it in the documentation.
In the source code of ActiveDirectoryRealm I found this line:
NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);
So the first part of the answer is clear: use the ldapContext to search something in it. But how can I retrieve the LdapContext?
It depends on what you are trying to do. Are you just trying to reuse the context to run a query for something other then authentication or authorization? Or are you trying to change the behavior of the query in the AD realm?
If the latter, you would need to extend the ActiveDirectoryRealm and override the queryForAuthorizationInfo() method.
Are you implementing something that is custom for your environment?
(updated)
A couple things:
The realm has access to the LdapContext in the two touch points: queryForAuthenticationInfo() and queryForAuthorizationInfo(), so if you extend the AD realm or AbstractLdapRealm you should already have it. You could change the query to return other info and add the extra info to your Principal. Then you have access to that info directly from your Subject object.
Your realms, are not required to be singletons.
If you want to do some other sort of user management (email all users with a given role, create a user, etc). Then you could create a LdapContextFactory in your shiro.ini, and use the same instance for multiple objects.
[main]
...
ldapContextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
ldapContextFactory.systemUsername = foobar
ldapContextFactory.systemPassword = barfoo
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.ldapContextFactory = $ldapContextFactory
...
myObject = com.biz.myco.MyObject
myObject.ldapContextFactory = $ldapContextFactory
This would work well if myObject is interacting with other Shiro components, (responding to events, etc), but less so if you need access to it from another framework. You could work around this by some sort of static initialization that builds creates the ldapContextFactory, but in my opinion, this is where the sweet spot of using the shiro.ini ends, and where using Guice or Spring shines.
I'm trying to setup PingFederate as a claim provider in ADFS with the intention that I federate from a PF realm through ADFS to an ADFS RP. I want ADFS to add attributes from Active Directory to the assertion before sending it to the RP. PingFederate is only sending the user's Windows login ID. On the Claim Provider side I'm passing through Name ID. Just for testing, I have tried adding an attribute like this:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> add(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value = "myemail#test.com");
I added this on the CP side both above and then below my pass through rule and nothing was added to my assertion. I also tried this on the RP side with no luck.
I guess my question is whether this is possible in ADFS. Ultimately I would like PingFed to send the user's login ID as the name ID, have ADFS lookup the user in Active Directory and add the email address as a claim then send the assertion to the RP. As for adding the attribute from Active Directory, I found this post technet.microsoft.com/en-us/library/ff678048.aspx. Problem is I can't even add a manual value.
For a manual value, use something like:
=> issue(type = "http://contoso.com/partner", value = "Adatum");
For the query, use something like:
Use the normal LDAP rule to produce a loginID claim and then
c:[Type == "http://company.com/claims/loginID", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";email;{0}", param = c.Value);
I figured this out. My first use case is to ensure that the AD account exists.
Essentially what is required are 3 claim rules on the CP side:
1 - perform the lookup based on the name ID. I created a custom rule to
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = "sAMAccountName={0};objectSID;{1}", param = c.Value, param = "MYDOMAI\" + c.Value);
The parameters required in for the query are:
LDAP query to locate the user
Attribute(s) to extract
User's login ID in the format DOMAIN\userid
2 - a claim rule to simply pass the name ID through
3 - a claim rule to simply pass the SID through
On the RP side, I have 2 claim rules to pass the name ID and the SID through. Then I have an Issuance Authorization Rule to ensure that the SID is present as a claim. This is a custom rules with the following:
EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
Seems convoluted but this is what I have. My second use case is to ensure the account is enabled, but I'm not sure if this is possible because the disabled attribute is stored as a bit in the userAccountControl attribute.
In our system, we have users registered from different domain (lets say their mail address are #gmail.com,#outlook.com,#yahoo.com). I have a requirement to restrict the user's access to RP based on the domain he comes from. For this setup, I tried to configure Issuance Authorization rule in ADFS (to allow users only from a particular domain) with the below rule
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "gmail.com$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
I was passing email address claim through issuance authorization rule tab so I didn't initialized the input in the authorization ruleset as mentioned in the technet link (under Sending the execution output to the claims pipeline Section)
After the entire process has run for a give rule set (steps 1, 2, and 3), the newly issued outgoing claims (content of the output claim set) will be used as input to the next rule set in the claims pipeline. This allows for claims to flow from the output of one rule set to the input for another rule set, as shown in the following illustration.
But the authorization doesn't seem to work.
The claims configured in the first tab ( Issuance transform rules ) are not passed to the second tab (Issuance Authorization rules).
So we need to repeat the process again in the second tab (map emailaddresses -> emailaddress) as shown below.
Now the custom rule works perfectly.
If you need to add few more email domains to the acceptance criteria just use the "|" symbol:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "yahoo.com$|gmail.com$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
I am moving from the basic authentication method using username
and password to the OAuth based authentication.
I was using an old version of the pear package Services_Twitter, that
did not support OAuth.
The latest version of this package supports OAuth authentications, it
has a few dependencies (HTTP_Request2, HTTP_OAuth).
It was very simple to install them and upgrade the package. I did all
this my local machine and had no trouble getting the authentication up
and running.
I committed this code to the test site, but every time the code
request a "request token" I get the following error message "Unable to
connect to ssl://api.twitter.com:443. Error #0"
I have spend 6 hours making sure that all the pear packages where up
to date, checking the customer token and token secret, making sure
port 443 is not closed... in addition to various other test.
I have exhausted my resources and I come to you in hope to find some
answers.
Thank you
PD: One of the things I do not understand is why does the message says
that the url is ssl://api.twitter.com:443 rather than
https://api.twitter.com/request_token? the former one is the one I am
using to get the request token.
"Unable to connect to ssl://_______:443. Error #0" generally means that there is a ssl_verify_peer or certificate match issue - and the twitter API doesn't require you to provide a certificate!
HTTP_Request2 sets the ssl_verify_peer option to true by default - which is fine if you are specifying a certificate for establishing a connection so perhaps you need to check that setting is switched off?
This is checked for you in Services_Twitter if the use_ssl config setting is enabled so at a guess you may need to check that is set?
e.g.:
$twitter = Services_Twitter_factory('statuses/update', true, array('use_ssl' => true));
Here is the implementation of the code for kguest answer.
$httpRequest = new HTTP_Request2( null,
HTTP_Request2::METHOD_GET ,
array ('ssl_verify_peer' => false,
'ssl_verify_host' => false)
);
$httpRequest->setHeader('Accept-Encoding', '.*');
$request = new HTTP_OAuth_Consumer_Request;
$request->accept($httpRequest);
$oauth = new HTTP_OAuth_Consumer('twitterConsumerKey','twitterConsumerSecret');
$oauth->accept($request);
$oauth->getRequestToken('https://api.twitter.com/oauth/request_token',
"path/to/call/back/file.php");
$_SESSION['token'] = $oauth->getToken();
$_SESSION['token_secret'] = $oauth->getTokenSecret();
$authorize_link_twitter = $oauth->getAuthorizeUrl('https://api.twitter.com/oauth/authorize');
and something very similar was done to get the access token once you get back from twitter.
$httpRequest = new HTTP_Request2( null,
HTTP_Request2::METHOD_GET ,
array ('ssl_verify_peer' => false,
'ssl_verify_host' => false)
);
$httpRequest->setHeader('Accept-Encoding', '.*');
$request = new HTTP_OAuth_Consumer_Request;
$request->accept($httpRequest);
$oauth = new HTTP_OAuth_Consumer('twitterConsumerKey',
'twitterConsumerSecret',
$_SESSION['token'],
$_SESSION['token_secret']);
$oauth->accept($request);
$oauth->getAccessToken('https://api.twitter.com/oauth/access_token',
$_GET['oauth_verifier']);
// you can get the final tokens like this.
$oauth->getToken());
$oauth->getTokenSecret();
All the credit goes to kguest for the idea that lead to the solution of this problem. this is just the code.
Checkout this bug report http://pear.php.net/bugs/bug.php?id=18061 I have added resources to solve the issues of SSL and the Services_Twitter package.
But basically you should follow the instructions at http://curl.haxx.se/docs/sslcerts.html
Disabling ssl_verify_peer and ssl_verify_host makes you vulnerable to the security attacks that SSL tries to solve ( Verifying peer in SSL using python ). So don't ;)