ADFS 3, Create a Rule to Send Group Membership as a Claim - saml-2.0

I am trying to send a few group memberships as a claim on ADFS 3 to a cloud relying party.
I am using a Microsoft article (below) to create a rule to send group membership as a claim. The MS article says, under Claim rule template, to select Send Group Membership as Claim, and then, after giving a name to the rule and selecting a group from Active Directory, it does not specify what to choose for "Outgoing Claim type" or what to enter in the "Outgoing Claim Value" box.
Does anyone have any suggestions?
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-group-membership-as-a-claim
Thanks,
Majid

The following custom rules worked.
@RuleName = "Add Group Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://test.com/phase1"), query = ";memberOf;{0}", param = c.Value);
@RuleName = "Edit Group"
c:[Type == "http://test.com/phase1"]
=> add(Type = "http://test.com/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));
@RuleName = "Remove CN from Group"
c:[Type == "http://test.com/phase2"]
=> add(Type = "http://schemas.xmlsoap.org/claims/Group", Value = RegExReplace(c.Value, "^CN=", ""));
@RuleName = "Send Only Groups Containing ADFS"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)Groups-prefix"]
=> issue(claim = c);
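To see what the four rules above actually emit, here is an added Python model of that pipeline (example code, not from the answer or from ADFS) using the same regular expressions on a constructed set of memberOf DNs; the last DN carries an RFC 4514 escaped comma in its CN to show how the first-comma cut in rule 2 truncates it.

```python
import re

# Claim types used by the four rules above (page values) and the standard Group claim.
PHASE1 = "http://test.com/phase1"
PHASE2 = "http://test.com/phase2"
GROUP = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample of what the Active Directory store returns for ";memberOf;{0}":
# one claim per group DN. The last DN carries an RFC 4514 escaped comma in its CN.
SAMPLE_MEMBER_OF = [
    "CN=ADFS-Finance,OU=Groups,DC=test,DC=com",
    "CN=Sales Team,OU=Groups,DC=test,DC=com",
    "CN=adfs-hr,OU=Groups,DC=test,DC=com",
    "CN=ADFS Ops\\, EMEA,OU=Groups,DC=test,DC=com",
]

def rule_add_group_claims(member_of):
    # Rule 1: add(...) one phase1 claim per memberOf value; nothing is issued yet.
    return [(PHASE1, dn) for dn in member_of]

def rule_edit_group(claims):
    # Rule 2: RegExReplace(c.Value, ",[^\n]*", "") keeps only the text before the first comma.
    return claims + [(PHASE2, re.sub(r",[^\n]*", "", v)) for t, v in claims if t == PHASE1]

def rule_remove_cn(claims):
    # Rule 3: RegExReplace(c.Value, "^CN=", "") strips the RDN type, leaving the group name.
    return claims + [(GROUP, re.sub(r"^CN=", "", v)) for t, v in claims if t == PHASE2]

def rule_issue_matching(claims, prefix):
    # Rule 4: Value =~ "(?i)prefix" is an unanchored, case-insensitive regex match,
    # so "prefix" matches anywhere in the group name, not only at the start.
    return [v for t, v in claims if t == GROUP and re.search("(?i)" + prefix, v)]

def issued_groups(member_of, prefix="ADFS"):
    """Run the four rules in order and return the Group claim values that would be issued."""
    claims = rule_add_group_claims(member_of)
    claims = rule_edit_group(claims)
    claims = rule_remove_cn(claims)
    return rule_issue_matching(claims, prefix)

if __name__ == "__main__":
    # The last value comes out truncated: the escaped comma in "ADFS Ops\, EMEA" is cut by rule 2.
    print(issued_groups(SAMPLE_MEMBER_OF))
```

If any group names contain escaped commas, split the DN on unescaped commas instead of relying on the first-comma regex.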

Assume you wanted to pass AD group "isAdmin".
The first part is selecting that group in AD.
Then decide on a group name (e.g. http://company.com/Admin) and then a group value (e.g. isAdmin).
Then if the user is a member of that group, you will get a claim:
http://company.com/Admin/isAdmin

Related

Azure AD Enterprise App SAML configuration

I am trying to configure a SAML non-gallery Enterprise app and am having a problem with configuring the claims. To summarize the current claims, objectGUID is being sent as the name identifier. They send extensionAttribute6 as OrgID. GivenName, sn and e-mail address are sent without any changes.
AD Connect has been configured to sync objectGUID and extensionAttribute6 to AAD, and those attributes are available in the SSO configuration blade for the Enterprise App.
My questions are:
1) Does a Namespace need to be defined for the objectGUID, or can it just be selected from the source attribute in the claim and name identifier?
2) How to transform the extensionAttribute6 to be OrgID?
The current claim rules in ADFS are:
1)
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("GUID"), query = ";objectGuid;{0}", param = c.Value);
2)
c:[Type == "GUID"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
3)
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("givenName", "sn", "OrgID", "mail"), query = ";givenName,sn,extensionAttribute6,mail;{0}", param = c.Value);
You do not have to specify the namespace when you are mapping the User.ObjectID as the NameID claim. Also note: do not select any NameID Format; keep that as Default. Azure AD does support the pairwise Name Identifier. That means that if the Service Provider is sending the NameID Format, then the app will get that from Azure AD based on the Format specified in the SAML Request.
If you are trying to map the User.ObjectID claim as another claim, then you can add the Namespace value as needed, but it is based on how the app needs that back.
About transforming OrgID, I am not sure what you want to send. You can define that as a claim name and then select the ExtensionAttribute 6 as the value, and if the value exists for the user then you should see that in the SAML Response.
I hope this helps.
Thanks and Regards,
Jeevan Desarda

Airflow Configuring AD/LDAP Admin Users And Regular Users

I have Airflow successfully set up to work with my AD/LDAP when everyone is a superuser and data profiler. But now I want to define an admin group and a regular user group. I have the following settings:
Working Config Where Everyone Is An Admin:
# set a connection without encryption: uri = ldap://<your.ldap.server>:<port>
uri = ldap://123.456.789:123
user_filter = objectClass=*
# in case of Active Directory you would use: user_name_attr = sAMAccountName
user_name_attr = sAMAccountName
# group_member_attr should be set accordingly with *_filter
# eg :
# group_member_attr = groupMembership
# superuser_filter = groupMembership=CN=airflow-super-users...
group_member_attr = member
group_name_attr = CN
group_filter = objectclass=group
bind_user = CN=blah,OU=foo,DC=us,DC=bar,DC=com
bind_password = yahoo
basedn = DC=us,DC=bar,DC=com
# Set search_scope to one of them: BASE, LEVEL , SUBTREE
# Set search_scope to SUBTREE if using Active Directory, and not specifying an Organizational Unit
search_scope = SUBTREE
New Config With Specific Admin Group Set:
# set a connection without encryption: uri = ldap://<your.ldap.server>:<port>
uri = ldap://123.456.789:123
user_filter = objectclass=*
# in case of Active Directory you would use: user_name_attr = sAMAccountName
user_name_attr = sAMAccountName
# group_member_attr should be set accordingly with *_filter
# eg :
# group_member_attr = groupMembership
# superuser_filter = groupMembership=CN=airflow-super-users...
superuser_filter = memberOf=CN=MyAdminGroupName,OU=foo,DC=us,DC=bar,DC=com
data_profiler_filter = memberOf=CN=MyAdminGroupName,OU=foo,DC=us,DC=bar,DC=com
group_member_attr = member
group_name_attr = CN
group_filter = objectclass=group
bind_user = CN=blah,OU=foo,DC=us,DC=bar,DC=com
bind_password = yahoo
basedn = DC=us,DC=bar,DC=com
# Set search_scope to one of them: BASE, LEVEL , SUBTREE
# Set search_scope to SUBTREE if using Active Directory, and not specifying an Organizational Unit
search_scope = SUBTREE
Resource: https://airflow.apache.org/security.html
With this new configuration I am able to log into the Airflow UI but I'm no longer able to view the Admin tab. I am 100% sure I am a part of the admin group MyAdminGroupName. I'm also not sure where to put my regular user group name MyRegularGroupName.
Can someone please guide me on how to configure my Admin group (MyAdminGroupName) and my regular user group (MyRegularGroupName)?
I also struggled with setting up LDAP in Airflow.
First off: what is group_filter = objectclass=group in your config? I cannot find it specified in the docs or in ldap_auth.py.
Then, your group_member_attr is set to member, but in the filter queries you're using memberOf, so I guess that memberOf should be your group_member_attr (it usually is, if you're using Active Directory).
Your superuser_filter and data_profiler_filter look good to me.
To whoever reads this: the filters are inserted into a string like this in the code: (&(<FILTER_HERE>)), so if you want to build a more sophisticated filter, take this into account.
E.g. I wanted to only give three users superuser rights (using environment variables for config):
AIRFLOW__LDAP__SUPERUSER_FILTER: "&(objectCategory=Person)(|(sAMAccountName=user1)(sAMAccountName=user2)(sAMAccountName=user3))(memberOf=CN=MyDepartment,OU=Departments,OU=UserGroup,DC=MyCompany,DC=local)"
Regarding your question about MyRegularUserGroup: I guess you can specify the user filter to filter for persons in your regular user group and then specify the admin group for superuser and data profiler. But that would only work if the admin group is a subset of the regular user group.
Hope that helps.
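To check how a candidate *_filter value behaves once the backend wraps it as (&(<FILTER_HERE>)), here is an added example (not Airflow's code) with a minimal RFC 4515 evaluator for the subset the filters above use (&, |, equality and presence), run against constructed entries built from the question's group DNs; memberOf is compared as a plain case-insensitive string here, whereas real AD does DN matching.

```python
def airflow_wrap(filter_value):
    # The backend interpolates the raw config value as (&(<FILTER_HERE>)) (see the answer above).
    return "(&(" + filter_value + "))"

def _parse(s, i=0):
    """Parse one filter at s[i]; return (node, index just past it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s}")
    if s[i + 1] in "&|":                 # compound: (&(..)(..)) or (|(..)(..))
        op, kids, i = s[i + 1], [], i + 2
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)                # simple: (attr=value) or presence (attr=*)
    attr, _, val = s[i + 1:end].partition("=")
    return ("=", attr, val), end + 1

def _evaluate(node, entry):
    if node[0] == "&":
        return all(_evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_evaluate(k, entry) for k in node[1])
    _, attr, val = node                  # plain case-insensitive compare (real AD does DN matching for memberOf)
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if val == "*" else val.lower() in values

def matches(filter_value, entry):
    """Apply an Airflow *_filter value to one entry given as {attribute: [values]}."""
    wrapped = airflow_wrap(filter_value)
    node, end = _parse(wrapped)
    if end != len(wrapped):              # e.g. "(a=1)(b=2)" without a leading & is unbalanced
        raise ValueError("filter is unbalanced once wrapped: " + wrapped)
    return _evaluate(node, {k.lower(): v for k, v in entry.items()})

def well_formed(filter_value):
    try:
        matches(filter_value, {})
        return True
    except (ValueError, IndexError):
        return False

ADMIN_GROUP = "CN=MyAdminGroupName,OU=foo,DC=us,DC=bar,DC=com"      # constructed sample values
REGULAR_GROUP = "CN=MyRegularGroupName,OU=foo,DC=us,DC=bar,DC=com"  # built from the question's DNs
USERS = {
    "alice": {"objectClass": ["user"], "objectCategory": ["Person"],
              "sAMAccountName": ["alice"], "memberOf": [ADMIN_GROUP, REGULAR_GROUP]},
    "bob": {"objectClass": ["user"], "objectCategory": ["Person"],
            "sAMAccountName": ["bob"], "memberOf": [REGULAR_GROUP]},
}
```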

Can't select User ID from Salesforce

I'm trying to select a user's subordinates from Salesforce, but a simple query
SELECT Id FROM User WHERE ManagerId=xxxxxxxxx
returns a bunch of null values. When I run
SELECT Id,Name FROM User WHERE ManagerId=xxxxxxxx
I get the correct names, but still no IDs.
Is this a permission issue? I can't find anything when I log in to the portal.
I'm running the queries via the API on a Sandbox environment.
Try this (both work for me always):
Id myId = [Select Id From User Where Username = 'myUserName'].Id;
System.debug('#### myId: ' + myId);
List<User> myIdList = [Select Id From User Where Username = 'myUserName' Limit 1];
System.debug('#### myId from list: ' + myIdList[0].Id);
A Portal licence doesn't allow querying User. However, you still have access to the name of the user through OwnerId, CreatedById and LastModifiedById using an inputfield.
i.e.:
If you want to have access to user through the portal you need a custom object and synchronise your records with User by trigger.

How to find loginname, database username, or roles of sqlserver domain user who doesn't have their own login?

I have created a login and database user called "MYDOMAIN\Domain Users". I need to find what roles a logged-on domain user has, but all the calls to get the current user return the domain username, e.g. "MYDOMAIN\username", not the database username, e.g. "MYDOMAIN\Domain Users".
For example, this query returns "MYDOMAIN\username":
select original_login(), suser_name(), suser_sname(), system_user, session_user, current_user, user_name()
And this query returns 0:
select USER_ID()
I want the username to query database_role_members. Is there any function that will return it, or any other way I can get the current user's roles?
I understand that the Domain Users login is mapped to an AD group?
You have to bear in mind that a user can be in several AD groups, and each of them can be mapped somehow in the database, which may be a bit messy. It also means you need something with multiple results :)
Try this:
select * from sys.server_principals where type_desc = 'WINDOWS_GROUP' and is_member(name) = 1
I think it should properly grab all Windows group logins that are tied to the particular user. After that you can join it to the database users, i.e.:
Select u.name from YourDB.sys.syslogins l
inner join YourDB.sys.sysusers u on l.sid = u.sid
where l.loginname = ANY (select name from sys.server_principals where type_desc = 'WINDOWS_GROUP' and is_member(name) = 1)
You have to keep in mind that, all the way, you may need to handle whole sets rather than single values.

Finding a user's manager record in Active Directory

Using Active Directory, I am trying to find the SamAccountName and email of the user's manager.
I find the logged-on user in AD by searching where sAMAccountName = Domain\Account. I then retrieve the manager property, which looks like this, for example:
CN=Doe\, Jane E.,OU=Employees,OU=Users,OU=Detroit,OU=United States,DC=na,DC=gmc,DC=gmc,DC=com
How can I use this presumed key to find the user record for this person? What field would I match on?
If I remember correctly, that is their Distinguished Name, which means you can use it as the direct reference to their profile:
LDAP://CN=Doe, Jane E.,OU=Employees,OU=Users,OU=Detroit,OU=United States,DC=na,DC=gmc,DC=gmc,DC=com
I also think it will return that name if the profile exists. If it has been deleted, then I believe it returns a GUID of some sort (based on memory; this might be incorrect).
The entry for the manager is the manager's Binding String. You can feed it back into a request to Active Directory by binding it to an object that will return the manager's information.
(This is an old post, but I thought it might be useful for others in the community.)
You can use string stripping and find it like this:
REPLACE(SUBSTRING(manager, 4, CHARINDEX('OU=', manager)-5), '\', '')
Full working query (just change DOMAIN to your own):
SELECT Top 901 manager, REPLACE(SUBSTRING(manager, 4, CHARINDEX('OU=', manager)-5), '\', '')
FROM OPENQUERY(ADSI, 'SELECT manager FROM ''LDAP://DC=DOMAIN,DC=local''
  WHERE objectCategory = ''Person'' AND objectClass = ''user''
  AND userprincipalname = ''*'' AND mail = ''*'' AND SN = ''*'' ')
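The manager value is a DN, so the robust way to pull the name out is to split it into RDNs while honouring RFC 4514 escapes (the "\," in "CN=Doe\, Jane E."). The following is an added Python example (not from the answers above) that does that and, for comparison, mirrors the SUBSTRING/CHARINDEX('OU=') cut from the T-SQL answer, which assumes the manager object sits directly under an OU.

```python
def split_rdns(dn):
    """Split a DN on unescaped commas; escape pairs (\\X or \\hh) are kept intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2]); i += 2
        elif dn[i] == ",":
            rdns.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(dn[i]); i += 1
    rdns.append("".join(cur))
    return rdns

def unescape_rdn_value(value):
    """Decode \\hh hex escapes and \\X special-character escapes (RFC 4514) into text."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf += bytes.fromhex(pair); i += 3
            else:
                buf += value[i + 1].encode("utf-8"); i += 2
        else:
            buf += value[i].encode("utf-8"); i += 1
    return buf.decode("utf-8", "replace")

def rdn_value(dn, attr="CN"):
    """Decoded value of the first RDN of type `attr` (case-insensitive), or None if absent."""
    for rdn in split_rdns(dn):
        typ, sep, val = rdn.partition("=")
        if sep and typ.strip().upper() == attr.upper():
            return unescape_rdn_value(val)
    return None

def tsql_style_cut(manager):
    """Python mirror of REPLACE(SUBSTRING(manager, 4, CHARINDEX('OU=', manager)-5), '\\', '')."""
    pos = manager.find("OU=") + 1          # CHARINDEX is 1-based and returns 0 when not found
    length = pos - 5
    if length < 0:                         # SUBSTRING fails with "Invalid length parameter" here
        raise ValueError("no 'OU=' in manager DN; CHARINDEX('OU=') returned 0")
    return manager[3:3 + length].replace("\\", "")

# Constructed sample DNs: the question's manager value, and one under the CN=Users container.
JANE = "CN=Doe\\, Jane E.,OU=Employees,OU=Users,OU=Detroit,OU=United States,DC=na,DC=gmc,DC=gmc,DC=com"
CONTAINER = "CN=Smith\\2C John,CN=Users,OU=Sales,DC=example,DC=com"
```

For the CN=Users case the T-SQL cut silently returns "Smith2C John,CN=Users" while rdn_value() returns "Smith, John", so prefer the RDN split (or bind to the DN directly, as the earlier answers suggest) over string slicing.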
