Can ADFS as SAML2.0 SP have more than one entity id, depending on RPs?

Basically I have a scenario which requires that the same ADFS SAML SP has two separate SAML entity id, can this be done? How? Do I need to have separate RP for each entity ID?

You can use claims rules to change the identifier before issuing claims. But the federation metadata will always reveal the real true entityid as nzpcmad said.
So if you federate with AD FS without using the metadata endpoint and manually specify the entityID and endpoints, you can use claims rules to achieve this.
Customers with Office 365 have experience with this. If one AD FS is used to federate more than one domain in use (on O365/Azure AD) then a claims rule is used to change the http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid before issuance.
Here is the relevant rule as used in O365 and Azure AD. The rule below extracts the UPN suffix and uses this to make an identifier like http://domain.com/adfs/services/trust/ (where domain.com is the UPN suffix as defined in AD for the user)
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
So if you add claims rules to your relevant RP trust as deemed necessary you can either use the default AD FS identifier or make it appear as something else.
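As an added illustration of the rule quoted above (this is example code written for this page, not anything from the original answer or from Microsoft), the following emulates the RegExReplace() call in Python and runs it over constructed UPNs with two different suffixes. The claim types are the ones quoted in the answer, with the UPN separator written as @; the check_issuer function, the entity IDs under REGISTERED and the "nosuffix" input are assumptions made for the example.

```python
import re

# Claim types quoted in the answer above.
UPN_TYPE = "http://schemas.xmlsoap.org/claims/UPN"
ISSUERID_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid"

# The rule's pattern and replacement, in the .NET regex syntax AD FS uses.
ISSUERID_PATTERN = r".+@(?<domain>.+)"
ISSUERID_TEMPLATE = "http://${domain}/adfs/services/trust/"


def regexreplace(value, dotnet_pattern, dotnet_replacement):
    """Emulate the claim-rule RegExReplace() function with Python's re.

    AD FS uses .NET syntax: named groups are (?<name>...) and the replacement
    refers to them as ${name}. Python wants (?P<name>...) and \\g<name>.
    Like .NET's Regex.Replace, a value that does not match is returned unchanged.
    """
    pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", dotnet_pattern)
    replacement = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", dotnet_replacement)
    return re.sub(pattern, replacement, value)


def apply_issuerid_rule(claims):
    """Run the quoted rule over a list of (type, value) inbound claims.

    For every UPN claim one issuerid claim is issued; every other claim is
    ignored by this rule (a real rule set would add pass-through rules).
    """
    issued = []
    for claim_type, value in claims:
        if claim_type == UPN_TYPE:
            new_value = regexreplace(value, ISSUERID_PATTERN, ISSUERID_TEMPLATE)
            issued.append((ISSUERID_TYPE, new_value))
    return issued


def check_issuer(issued, registered_entity_ids):
    """Hypothetical RP-side check: exactly one issuerid must come out of the
    rule, and it must be one of the entity IDs the relying party was
    configured with by hand (the federation metadata only ever shows the
    single real AD FS identifier, so it cannot be used for this)."""
    issuers = [v for t, v in issued if t == ISSUERID_TYPE]
    if len(issuers) != 1:
        return False, None
    return issuers[0] in registered_entity_ids, issuers[0]


# Constructed sample data: entity IDs registered at the RP for two UPN suffixes
# served by the same AD FS. No real domains.
REGISTERED = {
    "http://contoso.example/adfs/services/trust/",
    "http://fabrikam.example/adfs/services/trust/",
}

if __name__ == "__main__":
    # The third UPN has no suffix, so the regex does not match and the raw
    # value leaks through as the issuer; the RP check catches that case.
    for upn in ("alice@contoso.example", "bob@fabrikam.example", "nosuffix"):
        issued = apply_issuerid_rule([(UPN_TYPE, upn)])
        ok, issuer = check_issuer(issued, REGISTERED)
        print(f"{upn:24} -> {issuer!r:48} accepted={ok}")
```

The unmatched-UPN case is worth keeping in mind when writing such a rule: RegExReplace() leaves a non-matching value untouched, so an unexpected UPN format produces an issuer the RP has never heard of rather than an error on the AD FS side.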

The standard ADFS entity ID in the metadata is:
entityID="http://xxx/adfs/services/trust"
There is only one and it is actually the ADFS URL.
There is no way to change the metadata as well.
You would need two separate ADFS instances.

Related

Adding custom claim to id token based on group ownership existence on Azure AD

I have an (external to Azure) application to integrate with AzureAD through OIDC. The requirement is to add a custom claim to id_token with a list of groups where the user is an owner in AD.
For example, if the user is the owner of the group with id = "123abc", I need to add the following custom claim to the id_token.
"ownedGroups": ["123abc"]
If this is not possible, is there at least an option to add something like this
"hasOwnedGroups": true
I could not find any relevant example for this in the docs. Can you share an example for doing this? If this is not possible in exactly the same way, I'd like to know the alternative solution for putting information about ownership in the id token.
Azure AD does not support Groups as source for custom claims or claims mappings. You can however create directory extensions, update them with any data you want and get them in the token as optional claims.

Add custom claim to id token or access token based on group membership existence on Azure AD

I want to add a custom claim to the ID token or access token on the basis of the Azure group the user is part of.
Let me give an example. I want to create a custom claim named test. The value of this claim will be based on the Azure group. If the user is part of group A, then the custom claim value will be A; if the user is part of group B, then the custom claim value will be B, and so on.
I am already using roles in a claim for some other thing, so I can't use that.
To enable the return of groups in a claim, there are two ways…
Use the application registration manifest by enabling the groupMembershipClaims property…
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
or if it’s a SAML application, you can enable it though the SSO configuration.
The steps for enabling the groups claim are outlined in the following article…
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
Once enabled, groups will now be returned in the “groups” claim within an access token or ID token using OpenID Connect.
For more information you can refer to this document

Where is the UPN claim for a guested user?

We have a secondary AAD with guested users from a primary AAD. The token generated for the guest user appears to be missing the upn claim, but we are relying on the fact that the upn claim exists as that is what we are using to map users across systems.
I understand that the upn may be missing for guested Microsoft Live accounts, but these are full AAD accounts, just in another AAD. Microsoft’s documentation also suggests the unique_name claim may not actually be unique!!
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims
Could you tell me what determines the value of the unique_name claim?
Is it safe for us to use this claim to fall back to if the upn claim does not exist or the user is an externally guested user?
Guest user token content:
{
...
"tid": "xxxxxxxx-7ea7-413c-96bc-3f3aba133732",
"unique_name": "testAdmin@xxxxxxxx.onmicrosoft.com",
"ver": "1.0"
}
Regular user token content:
{
...
"tid": "xxxxxxxx-72d8-4715-b14f-990c93843416",
"unique_name": "testAdmin@xxxxxxx.onmicrosoft.com",
"upn": "testAdmin@xxxxxxx.onmicrosoft.com",
"ver": "1.0"
}
I know you would probably like us to use the “oid” but this would cause us issues between environments as the same user will be a different value in each AAD.
Tokens (well, tokens where ver==1.0) representing guest users in Azure AD will indeed be missing the upn claim, but will contain the unique_name claim, as you've discovered. This applies equivalently to guest users from other Azure AD tenants, as well as guest users from external identity providers.
The value of the unique_name claim for guest users from other Azure AD tenants will be the user's UPN, if available, or otherwise falls back to the user's email address. For other types of guest users, the unique_name will take other formats & values. The idea is that the unique_name is the best-effort human-readable identifier for the guest user.
In any case, the unique_name value can be changed, and in rare cases, collisions might occur. That's why the documentation recommends against using it as a primary user identifier. The recommended user identifier in the Azure AD system is the object ID, or oid.
Yes, the oid will be different for the same human across different tenants. But that's sort of the point of the Azure AD tenanted model. A guest user in another tenant is meant to appear as a completely different user to the application than the user in its "home" tenant. If you want to map these two users together, the best you can do is use heuristics, like the unique_name.
I'd recommend that you file requests on feedback.azure.com for a couple of things:
A reliable user identifier that can identify users across tenants.
Better documentation on how to handle guest accounts in AAD.

ADFS + OpenID Connect email claim and external ADFS

I'm having difficulties setting up ADFS with OpenID Connect on Windows Server 2016.
I've setup AD for testing and I can successfully authenticate, however the email claim is not in the id token.
Additionally I've setup an external ADFS in the Claims Provider trust. It is displayed as an option, however upon logging in I get the error:
MSIS9642: The request cannot be completed because an id token is required but the server was unable to construct an id token for the current user.
Anybody have suggestions on how to fix this?
The root cause of MSIS9642 is that the new OpenID Connect Application Group features in ADFS 2016 need to issue an access token to your application. This token must include the user's identity. In order to issue the token the subsystem must understand which claim in the inbound claims is used to uniquely identify the user.
A new property called AnchorClaimType has been added to the Claim Provider Trust model.
When ADFS is first installed it registers a built-in Claim Provider Trust for AD AUTHORITY and sets the value for AnchorClaimType to
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
You can see this by using the PowerShell command Get-AdfsClaimsProviderTrust.
This is why OpenID works when authenticating against Active Directory.
When you create a new Claim Provider Trust the system does not set an AnchorClaimType. The OpenID system can't issue a token because it does not know which inbound claim constitutes the unique user identity. This is why OpenID does not work when authenticating against an external Claim Provider trust.
In order to resolve this problem you need to take a few actions:
a) Verify that you are running Windows Server 2016 RTM. Unfortunately the PowerShell attribute to set AnchorClaimType does not exist in the CTP, and the property cannot be set using the UI.
b) Choose a claim from the inbound token that represents the user's identity and identify the claim type. In our case we were federating with an Azure Active Directory and chose name, and the type is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
c) Set the AnchorClaimType for the Claim Provider Trust to the type selected by using PowerShell:
Set-AdfsClaimsProviderTrust -TargetIdentifier <identifier> -AnchorClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
(get the identifier from the PowerShell command Get-AdfsClaimsProviderTrust)
d) Create at least one inbound rule that passes through the value for the primary input claim, in our case Name
Hope this helps
To solve the problem with the missing AnchorClaimType parameter for additionally added Claim Provider Trusts (CPT), a workaround for Windows Server 2016 TP5 (until end of support) can be used.
Workaround:
If the CPT already exists, delete the CPT.
Use the PowerShell cmdlet Add-AdfsClaimsProviderTrust
Either parameter-wise (see the TechNet description)
Or using a metadata URL + the parameter -AnchorClaimType "yourAnchorClaimValue".
Create at least one inbound rule that passes through the value for the primary input claim
In my case the following PS command solved the problem:
# Placeholders: the trust name, the claims provider's federation metadata URL, and the claim type that uniquely identifies the user
[String]$ClaimProviderTrustName = "YourCPTName"
[String]$MetaDataURL = "https://..."
[String]$AnchorClaimType = "YourAnchorClaimValue"
# Re-create the trust with the anchor claim type set at creation time
Add-AdfsClaimsProviderTrust -Name $ClaimProviderTrustName -MetadataUrl $MetaDataURL -AnchorClaimType $AnchorClaimType
I work at Microsoft. My customer had this same error. This is how we fixed it. We used Claims x-ray. We had them do a login with an identity from Active Directory and then do a login with an identity that uses an external claims provider trust.
When we compared the Claims X-Ray output, the value for anchorclaimtype didn't look right on the claims provider trust test login. We made a change in the claims provider to issue http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress as the anchor claim type and it resolved the problem.
v-michall@microsoft.com

User identification claim in OpenID connect

I'm setting up authentication with Auth0 and using OpenID Connect. I've set up my OWIN Startup class according to this example. Now my problem is that users from the Auth0 database provide different claims than users that are authenticated by an Enterprise connection (I'm using Azure AD to test this scenario).
My question is, which claim should I use to look up a user in my application's database to perform authorization, i.e. use as User ID? Also note the comment in the link above, which says that I might need to "read/modify the claims that are populated based on the JWT".
OpenID Connect has standardized the sub claim for the primary user identifier. Alternatively you may be able to use the mail claim, with the caveat that e-mail addresses can be reassigned, and sub should not be.
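The two identifier questions on this page (which claim to key a user on when the upn claim is missing for guests, and which claim to use as the user ID under OpenID Connect) come down to the same rule: key on a stable subject identifier and treat upn, unique_name and e-mail as display or heuristic values only. The following is an added example written for this page, not code from any of the answers or from Auth0 or Microsoft. It applies that rule to constructed claim sets modelled on the v1.0 tokens quoted above; the GUIDs, names, issuer URL and the UserDirectory class are all assumptions made for the example, and the claims are assumed to come from tokens whose signature, issuer and audience were already validated.

```python
# Constructed v1.0-style claim sets (placeholder tenant and object IDs):
# a guest user seen in a secondary tenant, the same human in the home tenant,
# a different home-tenant user whose unique_name happens to collide, and an
# Auth0 database user carrying the standard OIDC sub claim.
GUEST_V1 = {
    "ver": "1.0",
    "tid": "11111111-7ea7-413c-96bc-3f3aba133732",
    "oid": "aaaaaaaa-0000-4000-8000-000000000001",
    "unique_name": "testAdmin@home.onmicrosoft.example",
}
HOME_V1 = {
    "ver": "1.0",
    "tid": "22222222-72d8-4715-b14f-990c93843416",
    "oid": "bbbbbbbb-0000-4000-8000-000000000002",
    "unique_name": "testAdmin@home.onmicrosoft.example",
    "upn": "testAdmin@home.onmicrosoft.example",
}
COLLIDING_V1 = {
    "ver": "1.0",
    "tid": "22222222-72d8-4715-b14f-990c93843416",
    "oid": "cccccccc-0000-4000-8000-000000000003",
    "unique_name": "testAdmin@home.onmicrosoft.example",
}
AUTH0_DB = {
    "iss": "https://example.auth0.example/",
    "sub": "auth0|abc123",
    "email": "alice@example.example",
}


def stable_user_key(claims):
    """Return the identifier an application should key its user table on.

    Azure AD: the object ID (oid) is only unique inside a tenant, so pair it
    with the tenant ID (tid). Other OpenID Connect providers: the standardized
    sub claim, scoped by the issuer that vouched for it.
    """
    tid, oid = claims.get("tid"), claims.get("oid")
    if tid and oid:
        return f"aad:{tid}:{oid}"
    iss, sub = claims.get("iss"), claims.get("sub")
    if iss and sub:
        return f"oidc:{iss}:{sub}"
    raise ValueError("token carries no stable subject identifier")


def display_identifier(claims):
    """Best-effort human-readable name: upn when present, otherwise
    unique_name (all a v1.0 guest token offers), otherwise email."""
    for name in ("upn", "unique_name", "email"):
        if claims.get(name):
            return claims[name]
    return None


def looks_like_same_person(a, b):
    """Cross-tenant heuristic only: same display identifier, case-insensitive."""
    da, db = display_identifier(a), display_identifier(b)
    return bool(da and db and da.lower() == db.lower())


class UserDirectory:
    """App-local user records keyed on the stable key. The display identifier
    is stored for convenience; looking users up by it returns every match so
    a caller can see when it is ambiguous instead of silently picking one."""

    def __init__(self):
        self._by_key = {}

    def upsert(self, claims):
        key = stable_user_key(claims)
        record = self._by_key.setdefault(key, {"key": key})
        record["display"] = display_identifier(claims)  # may change over time
        return record

    def count(self):
        return len(self._by_key)

    def find_by_display(self, display):
        wanted = display.lower()
        return [r for r in self._by_key.values()
                if (r["display"] or "").lower() == wanted]


if __name__ == "__main__":
    directory = UserDirectory()
    for claims in (GUEST_V1, HOME_V1, COLLIDING_V1, AUTH0_DB):
        print(directory.upsert(claims))
    print("records:", directory.count())
    print("same person (guest vs home)?", looks_like_same_person(GUEST_V1, HOME_V1))
    print("lookup by unique_name hits:",
          len(directory.find_by_display("testadmin@home.onmicrosoft.example")))
```

Running it shows the point of both answers: the guest and home-tenant tokens produce two distinct keys even though they belong to the same human, and a lookup by unique_name returns three records, which is why it cannot serve as the primary key.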
