Archive for the ‘Active Directory Federation Services (ADFS)’ Category

(2012-05-25) Update Rollup 2 For ADFS v2.0 Has Been Released

Posted by Jorge on 2012-05-25

Microsoft has released update rollup 2 for ADFS v2.0. This rollup contains both bug fixes and additional capabilities. Read all the details by clicking on the following link Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0.

The Update Rollup 2 update is a cumulative update package that contains all the fixes and new features that were contained in Update Rollup 1.

In summary:

Resolves Bug fixes
Feature: Support for the RelayState parameter for Security Assertion Markup Language (SAML) protocol has been added

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Updates | Leave a Comment »

(2012-05-11) Installing And Configuring ADFS v2 As A PRX Server

Posted by Jorge on 2012-05-11

With this post I want to show you the ADFS v2.0 PRX installation procedure that I used in my test/demo environment. The installation binaries can be downloaded from the internet for W2K8/W2K8R2 from here, and I also downloaded (at the time of writing) the latest update rollup for ADFS from here. I followed the following installation steps.

After downloading the ADFS installation binaries, double-click it. Then click on “Next >”.

Figure 1: The Active Directory Federation Services v2.0 Setup Wizard

Check the “I accept the terms in the License Agreement” after reading and accepting the EULA for ADFS v2.0, and then click on “Next >”.

Figure 2: The Active Directory Federation Services v2.0 Setup Wizard – The EULA

We need to start with the installation of the federation proxy server. In terms of locating and securing the PRX server, you do not need to consider it as an ADFS STS server. The purpose of the ADFS PRX is to locate it on insecure networks or locate it facing insecure networks (e.g. internet). The ADFS PRX is basically a traffic agent without any authority. It just passes security tokens from the ADFS STS to the user and vice versa and allows the automatic exchange of metadata to occur when possible. The ADFS PRX server is not able/allowed to generate any security token with any claim like an ADFS STS server. Therefore, anyone in control of the PRX server is not able to do anything.

The ADFS PRX server does not need to be domain joined, but it could be if you want to leverage centralized administration and policy management through AD.

Because we need an PRX server, select the federation proxy server option.

Figure 3: The Active Directory Federation Services v2.0 Setup Wizard – Installing An PRX Server

Click on “Next >”.

Figure 4: The Active Directory Federation Services v2.0 Setup Wizard – Prerequisite Software

Now, just be patient.

Figure 5: The Active Directory Federation Services v2.0 Setup Wizard – Installation Of Binaries In Progress

Make sure to have the option “Start the AD FS 2.0 Federation Server Proxy Configuration Wizard when this wizard closes” checked and click on “Finish”.

Figure 6: The Active Directory Federation Services v2.0 Setup Wizard – Installation Finished

If IIS was not pre-installed and/or if the default website was not already configured with a SSL certificate, the following error will appear. Read it carefully and click on “OK”. It is recommended to FIRST get a certificate and then connect the ADFS PRX server to the ADFS STS server(s).

Figure 7: Error When SSL Has Not Been Configured On The Default Website

If the ADFS PRX server is domain joined, you can request an SSL certificate using the next steps. If the ADFS PRX server is operating as non-domain joined. You will need to do an offline certificate request and then manually deploy it to ADFS PRX server(s).

For now I’m assuming it is domain joined as that is easier to describe! Smile

For more information about the certificates in use by ADFS see:

In this case I’m going to use certificate from the CA in my test/demo environment.

Start the Certificates MMC on the ADFS PRX server and target the local computer. To request a certificate navigate to “Certificates (Local Computer)” –> Personal –> Certificates. Right-click the last one and then “All Tasks” –> “Request New Certificate”.

Figure 8: Requesting A New Certificate

Click on “Next >”.

Figure 9: Certificate Enrollment – Before You Begin

In this select the “Active Directory Enrollment Policy” and click on “Next”.

Figure 10: Certificate Enrollment – Certificate Enrollment Policy

For this certificate you can leverage the “Web Server” certificate template. Select the “Web Server” certificate template, click on details to expand for more information and click on “Properties”.

Figure 11: Selecting The “Web Server” Certificate Template

For the Service Communication (SSL) Certificate, targeting the “Subject” TAB, provide the service name (e.g. FS.ADCORP.LAB) as the subject name (Type = Common Name) and as the alternate name (Type = DNS). The ADFS PRX server must also be reachable using the ADFS federation service name (e.g. FS.ADCORP.LAB). In addition to that, the ADFS PRX server itself must be able to access the ADFS STS server(s) using the exact same ADFS federation service name (e.g. FS.ADCORP.LAB). How you achieve that really depends on the DNS name resolution setup internally, in the DMZ and on the internet. But, that’s a totally different story I hope to describe another day. Unfortunately, today is not that day.

Figure 12a: Service Communication (SSL) Certificate – Subject Name And Alternate Name

For the Service Communication (SSL) Certificate, targeting the “General” TAB, provide the friendly name (e.g. Service Communication Cert For ADFS-PRX) and the description.

Figure 12b: Service Communication (SSL) Certificate – Friendly Name And Description

For the Service Communication (SSL) Certificate, targeting the “Private Key” TAB, configure the private key to be exportable. Click “OK” when done.

Figure 12c: Service Communication (SSL) Certificate – Configuring Private Key To Be Exportable

Click on “Enroll” to actually enroll the certificate.

Figure 13: Enrolling The Certificate

Click on “Finish”

Figure 14: Finishing The Certificate Enrollment

Now by using the IIS MMC you need to make sure the default website has an HTTPS (SSL) binding (port 443) and also uses the just enrolled SSL certificate.

Figure 15: HTTPS (Port 443) Binding Using The Service Communication Certificate For The ADFS-PRX

Also make sure to enforce SSL as shown in the picture below.

Figure 16: Enforcing The Use Of SSL For The Default Website

Now from the Start Menu, start the AD FS 2.0 Federation Server Proxy Configuration Wizard and then click on “Next >”.

Figure 17: The Active Directory Federation Server Proxy Configuration Wizard

Type the federation service name (e.g. FS.ADCORP.LAB) that was also used when installing the ADFS STS servers

Figure 18: Specifying The Federation Service Name

To make sure you can connect the ADFS PRX server to the ADFS STS server(s), you should first test the connection by clicking on “Test Connection”. If the connection if successful you will see the acknowledgement an then click on “OK”. If not, you will receive an error. Click on “Next >”.

Figure 19: Testing The Connection From The ADFS PRX Server To The ADFS STS Server (s)

To actually connect the ADFS PRX to the ADFS STS servers, you need to provide credentials. Those credentials can either be the credentials for the ADFS service account used on the ADFS STS servers, or be any account that has local administrative permissions on the ADFS STS server(s). Therefore, enter credentials and click on “OK”.

Figure 20: Specifying The Credentials To Connect The ADFS PRX Server To The ADFS STS Server(s)

When successful, the following will appear. Click on “Next >” to configure the local ADFS PRX server.

Figure 21: Configuration Summary Of The Local ADFS PRX Server

The ADFS PRX is being configured. Be patient.

Figure 22: Actual Configuration Of The Local ADFS PRX Server

When the actual configuration is done, click on “Close”.

Figure 23: The Configuration Of The Local ADFS PRX Server Finished

Now it is time to update the ADFS role. After downloading the ADFS rollup package, extract it and double-click the MSU file. Then click “YES”.

Figure 24: Confirming The Installation Of The ADFS Rollup Package 1

Click on “Restart Now” to restart the server.

Figure 25: Finalizing The Installation Of The ADFS Rollup Package

To validate the working of your ADFS deployment, you can target the following URLs (of course replace this with your own federation service name!!!):

https://fs.adcorp.lab/adfs/ls/IdPInitiatedSignOn.aspx
https://fs.adcorp.lab/FederationMetadata/2007-06/FederationMetadata.xml

[1] –> https://fs.adcorp.lab/adfs/ls/IdPInitiatedSignOn.aspx

First it will perform Home Realm Discovery (HRD) if you have more than one Claims Provider Trust configured. I this case I do, so that’s why it happened.

Figure 26: Testing ADFS Deployment – Home Realm Discovery

As soon as you click on “continue to sign in” it will ask you to provide credentials. This does assume you are not using Windows Integrated Authentication (in that case the federation service FQDN is NOT added to the Local Intranet Zone in IE). The collection of the credentials is either Windows based of forms based, whatever you have configured. On a ADFS STS it most likely is Windows based as that is the default! If you want to use Windows Integrated Authentication you must add the federation service FQDN to the Local Intranet Zone in IE. On a PRX forms based is the default

Figure 27: Testing ADFS Deployment – Providing Credentials

Figure 28: Testing ADFS Deployment – Successful Logon

[2] –> https://fs.adcorp.lab/FederationMetadata/2007-06/FederationMetadata.xml

As soon as you enter the URL and hit ENTER, you might end up in seeing a BLANK page. To actually see the federation metadata, click IN ADDITION on the “Compatibility View” button in IE. You will then see the following.

Figure 29: Testing ADFS Deployment – Federation Metadata

With regards to ADFS, also see the following resource with lots of information:

ADFS Related Videos:

Posted in Active Directory Federation Services (ADFS), Proxy Service | Leave a Comment »

(2012-05-10) Installing And Configuring ADFS v2 As An STS Server (Part 3)

Posted by Jorge on 2012-05-10

Part 2 of this series showed you how to configure the required for ADFS.

Instead of using the GUI to configure ADFS, we are going to use the command line version of the configuration wizard as that gives us more possibilities to configure ADFS and because not everything is possible through the GUI version of the configuration wizard. The command line version of the configuration wizard can be found in the following folder “C:\Program Files\Active Directory Federation Services 2.0”. So before executing the command, you either need to navigate to that folder first or you need to provide the full path of the executable.

FSCONFIG provides for the following options.

Figure 1: FSCONFIG Options To Configuring The ADFS STS

Because this is my first STS server and because I want to create a SQL Server based farm, I will use the CreateSQLFarm option. For subsequent ADFS STS server you need to use the JoinSQLFarm option.

&'C:\Program Files\Active Directory Federation Services 2.0\FsConfig.exe' CreateSQLFarm /ServiceAccount ADCORP\SVC_R1_ADFS /ServiceAccountPassword pwd /SQLConnectionString "database=AdfsConfiguration;server=RFSRWDC1.ADCORP.LAB\;integrated security=SSPI" /FederationServiceName FS.ADCORP.LAB /CertThumbprint $($adfsSvcCommunicationCert.Thumbprint) /SigningCertThumbprint $($adfsTokenSigningCert.Thumbprint) /DecryptCertThumbprint $($adfsTokenDecryptionCert.Thumbprint)

Figure 2: Creating A SQL Server Based ADFS STS Farm

In addition to what you see above, the command will also give the ADFS service account READ permissions on the private key of all three certificates used (Certificates MMC –> “Certificates (Local Computer)” –> Personal –> Certificates –> Right-click any of the ADFS certs –> “All Tasks” –> “Manage Private Keys”.), it will also configure the correct SPN (e.g. HOST/FS.ADCORP.LAB) on the ADFS service account.

Because a farm is being used we also need to configure the certificate sharing container in AD (e.g. “CN=62b8a5cb-5d16-4b13-b616-06caea706ada,CN=ADFS,CN=Microsoft,CN=Program Data,DC=ADCORP,DC=LAB”) by using the following command:

Set-ADFSCertSharingContainer -ServiceAccount ADCORP\SVC_R1_ADFS
(Get-ADFSProperties).CertificateSharingContainer

Figure 3: Configuring The ADFS Certificate Sharing Container In AD

Now we need to configure the correct federation service identifier. By default the federation service identifier looks as shown below.

(Get-ADFSProperties).Identifier

Figure 4: The Default Federation Service Identifier Configuration

By adjusting the default value to something like “urn:federation:fs.adcorp.lab” it becomes easier to manage that value. It is not really important what the value is, as long as it is unique! Be aware that it is case sensitive also!

Set-ADFSProperties -Identifier "urn:federation:fs.adcorp.lab" -AcceptableIdentifier "urn:federation:fs.adcorp.lab"
(Get-ADFSProperties).Identifier

Figure 5: A Custom Federation Service Identifier Configuration

Now depending on the trusts that need to be setup and the supported applications, custom claims description may need to be defined and claims transform rules need to be defined on the different federation trusts (claims providers and relying parties). In the near future I hope to write about federating to access SP2010 Web Application/Site.

To validate the working of your ADFS deployment, you can target the following URLs (of course replace this with your own federation service name!!!):

https://fs.adcorp.lab/adfs/ls/IdPInitiatedSignOn.aspx
https://fs.adcorp.lab/FederationMetadata/2007-06/FederationMetadata.xml

[1] –> https://fs.adcorp.lab/adfs/ls/IdPInitiatedSignOn.aspx

First it will perform Home Realm Discovery (HRD) if you have more than one Claims Provider Trust configured. I this case I do, so that’s why it happened.

Figure 5: Testing ADFS Deployment – Home Realm Discovery

Figure 6: Testing ADFS Deployment – Providing Credentials

Figure 7: Testing ADFS Deployment – Successful Logon

[2] –> https://fs.adcorp.lab/FederationMetadata/2007-06/FederationMetadata.xml

Figure 8: Testing ADFS Deployment – Federation Metadata

With regards to ADFS, also see the following resource with lots of information:

ADFS Related Videos:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Security Token Service (STS) | 1 Comment »

(2012-05-09) Installing And Configuring ADFS v2 As An STS Server (Part 2)

Posted by Jorge on 2012-05-09

Part 1 of this series showed you how to install the binaries for ADFS v2.0.

After restarting the server we still need to install/configure the ADFS role. The previous step just installed the binaries. But, before actually installing/configuring the ADFS role, let’s first make sure we have the correct certificates. For more information about the certificates in use by ADFS see:

In this case I’m going to use certificate from the CA in my test/demo environment. The steps for each certificate in this are similar

Start the Certificates MMC on the ADFS STS server and target the local computer. To request a certificate navigate to “Certificates (Local Computer)” –> Personal –> Certificates. Right-click the last one and then “All Tasks” –> “Request New Certificate”.

Figure 1: Requesting A New Certificate

Click on “Next >”.

Figure 2: Certificate Enrollment – Before You Begin

In this select the “Active Directory Enrollment Policy” and click on “Next”.

Figure 3: Certificate Enrollment – Certificate Enrollment Policy

For all three ADFS related certificates you can leverage the “Web Server” certificate template. Select the “Web Server” certificate template, click on details to expand for more information and click on “Properties”.

Figure 4: Selecting The “Web Server” Certificate Template

Figure 5a: Service Communication (SSL) Certificate – Subject Name And Alternate Name

For the Service Communication (SSL) Certificate, targeting the “General” TAB, provide the friendly name (e.g. Service Communication Cert For ADFS-STS) and the description.

Figure 5b: Service Communication (SSL) Certificate – Friendly Name And Description

For the Service Communication (SSL) Certificate, targeting the “Private Key” TAB, configure the private key to be exportable. Click “OK” when done.

Figure 5c: Service Communication (SSL) Certificate – Configuring Private Key To Be Exportable

For the Token Signing Certificate, targeting the “Subject” TAB, provide the common name (e.g. FS.ADCORP.LAB.TOKEN.SIGNING) as the subject name (Type = Common Name). The actual value of the common name is not important, from a technical perspective. However, from a management perspective it is suggested to enter a name in the format <ADFS Service Name>.TOKEN.SIGNING.

Figure 6a: Token Signing Certificate – Subject Name And Alternate Name

For the Token Signing Certificate, targeting the “General” TAB, provide the friendly name (e.g. Token Signing Cert For ADFS-STS) and the description.

Figure 6b: Token Signing Certificate – Friendly Name And Description

For the Token Signing Certificate, targeting the “Private Key” TAB, configure the private key to be exportable. Click “OK” when done.

Figure 6c: Token Signing Certificate – Configuring Private Key To Be Exportable

For the Token Decryption Certificate, targeting the “Subject” TAB, provide the common name (e.g. FS.ADCORP.LAB.TOKEN.DECRYPTION) as the subject name (Type = Common Name). The actual value of the common name is not important, from a technical perspective. However, from a management perspective it is suggested to enter a name in the format <ADFS Service Name>.TOKEN.DECRYPTION.

Figure 7a: Token Decryption Certificate – Subject Name And Alternate Name

For the Token Decryption Certificate, targeting the “General” TAB, provide the friendly name (e.g. Token Decryption Cert For ADFS-STS) and the description.

Figure 7b: Token Decryption Certificate – Friendly Name And Description

For the Token Decryption Certificate, targeting the “Private Key” TAB, configure the private key to be exportable. Click “OK” when done.

Figure 7c: Token Decryption Certificate – Configuring Private Key To Be Exportable

Click on “Enroll” to actually enroll the certificate.

Figure 8: Enrolling The Certificate

Click on “Finish”

Figure 9: Finishing The Certificate Enrollment

Let’s enumerate the just created certs for ADFS, using the following PowerShell commands

# Retrieving The Service Communication Cert For ADFS
$adfsSvcCommunicationCert = dir cert:\LocalMachine\My | where {$_.Subject -eq "CN=FS.ADCORP.LAB"}
$adfsSvcCommunicationCert | FL

# Retrieving The Token Signing Cert For ADFS
$adfsTokenSigningCert = dir cert:\LocalMachine\My | where {$_.Subject -eq "CN=FS.ADCORP.LAB.TOKEN.SIGNING"}
$adfsTokenSigningCert | FL

# Retrieving The Token Decryption Cert For ADFS
$adfsTokenDecryptionCert = dir cert:\LocalMachine\My | where {$_.Subject -eq "CN=FS.ADCORP.LAB.TOKEN.DECRYPTION"}
$adfsTokenDecryptionCert | FL

The output of that all can be seen in the picture below.

Figure 10: Enumerating The Certs To Be Used In ADFS

Part 3 of this series will continue with the system configuration of ADFS.

With regards to ADFS, also see the following resource with lots of information:

ADFS Related Videos:

Cheers,

Jorge

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Security Token Service (STS) | 2 Comments »

(2012-05-08) Installing And Configuring ADFS v2 As An STS Server (Part 1)

Posted by Jorge on 2012-05-08

With this post I want to show you the ADFS v2.0 STS installation procedure that I used in my test/demo environment. The installation binaries can be downloaded from the internet for W2K8/W2K8R2 from here, and I also downloaded (at the time of writing) the latest update rollup for ADFS from here. I followed the following installation steps.

After downloading the ADFS installation binaries, double-click it. Then click on “Next >”.

Figure 1: The Active Directory Federation Services v2.0 Setup Wizard

Check the “I accept the terms in the License Agreement” after reading and accepting the EULA for ADFS v2.0, and then click on “Next >”.

Figure 2: The Active Directory Federation Services v2.0 Setup Wizard – The EULA

We need to start with the installation of the federation server, which is also called the security token service (STS) server. In terms of locating and securing the STS server, you MUST consider it as equal to a writable domain controller. Anyone in control of the STS server is able to issue security tokens. If for whatever reason you need to connect to your STS server from an untrusted network (e.g. the internet) you would need to have a federation proxy server or a unified access gateway (UAG) server with SP1 as an intermediate.

The ADFS STS server must be domain joined to support Windows Integrated Authentication, and because of that the ADFS STS will be able to provide security tokens with claims for any of the following users:

User accounts in the AD domain of the ADFS STS server;
User accounts in any AD domain in the AD forest of the ADFS STS server;
User accounts in any AD domain/forest for which a two-way trust exists with the AD domain/forest of the ADFS STS server.

Because we need an STS server, select the federation server option.

Figure 3: The Active Directory Federation Services v2.0 Setup Wizard – Installing An STS Server

Click on “Next >”.

Figure 4: The Active Directory Federation Services v2.0 Setup Wizard – Prerequisite Software

Now, just be patient.

Figure 5: The Active Directory Federation Services v2.0 Setup Wizard – Installation Of Binaries In Progress

UNcheck, the “Start the AD FS 2.0 Management snap-in when this wizard closes” and click “Finish”.

Figure 6: The Active Directory Federation Services v2.0 Setup Wizard – Installation Finished

After downloading the ADFS rollup package, extract it and double-click the MSU file. Then click “YES”.

Figure 7: Confirming The Installation Of The ADFS Rollup Package 1

Click on “Restart Now” to restart the server.

Figure 8: Finalizing The Installation Of The ADFS Rollup Package

Part 2 of this series will continue with the certificates required for ADFS.

With regards to ADFS, also see the following resource with lots of information:

ADFS Related Videos:

Posted in Active Directory Federation Services (ADFS), Security Token Service (STS) | 1 Comment »

(2012-05-06) Setting Up SALESFORCE.COM With ADFS v2.0

Posted by Jorge on 2012-05-06

I found this great article below and I thought to post it here also. The credits about this post of course go to the original writer. Also make sure to read all the comments in the original source as those have not been copied. The information in the comments is also quite useful!

ORIGINAL SOURCE: SalesForce SSO with ADFS 2.0 – Everything you need to Know

Intro

In my last post I went over the basic concept of federation using SAML 2.0, today I’ll show you how to configure single sign-on for SalesForce using ADFS 2.0. This is a really nice solution because it’s easy to set up and doesn’t cost you anything except the Windows 2008 OS licence.

ADFS 2.0 is Microsoft’s answer to federation – it includes their own implementation of SAML 2.0. It runs on Windows Server 2008 [R2] and is installed from a separate downloadable package. It is not the ADFS ‘role’ which can be enabled in Windows Server 2008 R2, that’s ADFS 1.0 (not cool).

If you don’t feel you have a good grasp of SAML 2.0 I suggest that you set up ADFS 2.0 (as IdP) and Shibboleth (as SP) in a lab environment. There’s no better way to learn about a particular technology than to interface Microsoft’s implementation with its open source counterpart! There’s a great MSDN blog post that walks you through the set up. I really learnt a lot by doing this.

Overview

Let’s first take a look at an overview of the process then we’ll dive into the configuration. The diagram below shows the process for an IdP-initiated login into SalesForce – later we’ll look at SP-initiated login.

The user authenticates to the ADFS server using Kerberos and requests login to SalesForce
ADFS returns a SAML assertion to the user’s browser
The browser automatically submits the assertion to SalesForce who logs the user in

Install

Start with Windows Server 2008 [R2] – Domain Joined
Create a friendly DNS name for ADFS and point it to your adfs server. e.g adfs.testzone.local
Download and install ADFS 2.0. Federation Server role. This will install all pre-requisites
In the IIS manager create an SSL certificate for your friendly DNS name or use SelfSSL from the IIS 6.0 resource kit to create a self-signed certificate
Run through the ADFS Server configuration wizard
- Create a new federation Service
- Stand-alone server
- Select the certificate that you created for your friendly DNS name
Create an SPN for the DNS name so that Kerberos authentication between the browser and the ADFS IIS instance works correctly

setspn -a HOST/adfs.testzone.local testzone\ADFSSVR01
setspn -a HOST/adfs testzone\ADFSSVR01

For more info on Kerberos SPNs see my Active Directory and Kerberos SPNs Made Easy post

Configuration

To build a federation between two parties we need to establish a trust by exchanging some metadata. The metadata for our ADFS 2.0 instance is entered manually into the SalesForce configuration. SalesForce metadata is downloaded as an XML file which ADFS 2.0 can consume.

SalesForce Configuration

In the ADFS 2.0 MMC snap-in select the certificates node and double click the token-signing certificate to view it.

Go to details and “Copy to File”. Save the certificate in DER format.

On the ADFS server browse to your federation metadata URL which can be found in the ADFS MMC\Endpoints|Metadata|Type:Federation Metadata. In my case: https://adfs.testzone.local/FederationMetadata/2007-06/FederationMetadata.xml

Copy the entityID. In my case http://adfs.testzone.local

Go to SalesForce Setup\Security Controls\Single Sign-On Settings\

SAML Enabled: Ticked
SAML Version: 2.0
Identity Provider Certificate: Browse and select the token-signing certificate you exported earlier
Issuer: Paste your entityID in here
Identity Provider Login URL: This is the URL of your ADFS SAML endpoint where SalesForce will send SAML requests for SP-initiated login. This can be found in ADFS MMC\Endpoints|Token Issuance|Type:SAML 2.0/WS-Federation (In my case: https://adfs.testzone.local/adfs/ls/ )
SAML User ID Type: To log a user on we can either match against their SalesForce username or we can match against their federation ID which would need to be populated in the profile of every user. For testing select federation ID. If your users currently use their email address as their SalesForce username then when you come to roll out SSO into production you can switch to sending the username.
SAML User ID Location: To log the user on we can either use the NameID in the SAML assertion or we can use some other attribute. NameID should suffice.
Entity ID: This is how our ADFS IdP will identify the SalesForce SP. I just left it as https://saml.salesforce.com. If you were supporting multiple SalesForce instances from the same ADFS instance then you’d want to use the more unique name. This is also the identifier we use when we do a IdP-initiated login with ADFS

Save the settings and download the Metadata xml file.

ADFS 2.0 Configuration

Now that we have the metadata for SalesForce we can create the trust on the ADFS side.

Open the ADFS 2.0 MMC snapin and add a new “Relying Party Trust”:

Select Data Source: Import data about a relying party from a file. Browse to the XML you downloaded from SalesForce
Display Name: Give the trust a display name e.g. ‘SalesForce Sandbox’
Choose Issuance Authorization Rules: Permit all users to access this relying party
Open Edit Claim Rues Dialog: Ticked

In the claim rules editor select the “Issuance Transform Rules” tab

Add a new rule:

Claim Rule Template: Send LDAP Attributes as Claims
Claim Rule Name: For testing we’ll send the UPN as NameID so call the rule: “Send UPN as NameID” In production you might send the user’s email address or employee ID *
LDAP Attribute: User Principal Name
Outgoing Claim Type: Name ID

*Update:See my post on choosing you’re attributes wisely. There’s a potential security pitfall here.

SP-Initiated Login

With IdP-initiated login you would typically set up a link on the company intranet that users would click to get access to SalesForce. SP-initiated login happens when a user clicks a direct link to SalesForce. For this to work we need to set the secure hash algorithm to SHA1 instead of the default SHA-256. This is set in SalesForce relying party trust properties under advanced.

If you don’t set this you’ll get the following message in to the ADFS event log:

Event ID: 378 –> SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1

With My Domain

It’s best practice to implement the “My Domain” feature at the same time as implementing SSO if you haven’t already done so. “My Domain” gives you your own subdomain on SalesForce. e.g. MyCompany.my.salesforce.com. When you click a “My Domain” link SalesForce will know to redirect you to your Idp (ADFS) to be authenticated.

Without My Domain

As long as the user has performed at least one IdP-initated login from a given browser SalesForce will have set a cookie so in future it knows to redirect the browser to the IdP with a SAML request. The IdP will in turn issue a SAML response for the browser to pass back to SalesForce.

You might find some SalesForce documentation that mentions the ssoStartPage attribute which can be set in the SAML assertion. I found that this wasn’t necessary, and if you look at the cookie you get after an IdP-initiated login you’ll see that ssoStartPage is set to the IdP login URL you specified in the SalesForce SSO configuration.

LogoutURL

You can specify a URL to redirect to when the user logs out by creating a custom claim rule which sends an additional logoutURL attribute.

The custom rule is as follows:

=> issue(Type = "logoutURL", Value = "http://intranet.youcompany.com", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");

Testing

Alright, so that should be about it. We can now go and set the Federation ID of a SalesForce user to the UPN our own AD user account and see if it all works.

Point your browser to your ADFS IdP-initiated login URL and specify the loginToRp parameter as the SalesForce SAML entity ID.

E.g. https://adfs.testzone.local/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://saml.salesforce.com

This should redirect you and sign you into SalesForce. If you get a SalesForce login error use the SAML assertion validator tool on the SalesForce single sign-on configuration page. It will display the results of the last failed SAML login.

If you get an error from ADFS then check the ADFS logs in Server Manager\Diagnostics\Applications and Services Logs\ADFS 2.0\Admin. There is also a very good MSDN blog post on ADFS 2.0 diagnostics.

Once you have IdP-initiated login working try SP-initiated. Copy a link from deep inside SalesForce then log out. Reload your browser and paste the in the URL. You should be seamlessly redirected to your IdP, authenticated and then redirected back to the link you requested.

Portal SSO and JIT Provisioning

There’s plenty of good info in the Force.com literature for portal SSO and just-in-time provisioning but here’s some ADFS 2.0 specific stuff. I’ve only been playing with this for a couple of weeks but I’ve had requests for the info so here’s what I’ve got so far. Let me know if I’ve missed something or I’ve got something wrong.

Portal SSO

To do a Portal SSO login you need to send the portal ID and the Org ID as claims using custom claims rules. There is significant caveat though, if you’re using ADFS to do SSO for both full-License and portal users. If you send the Portal ID and the Org ID for a full-license user SalesForce will assume you are trying to log into a portal. This will result in a SAML error because a full-license user can’t also be a portal user. To overcome this you can use a condition in the custom rule so the portal ID and Org ID are only sent if the user is a member of a given Active Directory group. The rules below use the AD group SID which you can find using pstool psgetsid.exe. The advantage of using an SID is that if the group is renamed the SID stays the same.

Send Portal ID

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-1458536374-0499464381-951853424-103426$"]
 => issue(Type = "portal_id", Value = "033G00000002a1P");

Send Org ID

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-1458536374-0499464381-951853424-103426$"]
 => issue(Type = "organization_id", Value = "01GK00000004ra2");

I haven’t found a way to send send a claim only if a user is not a member of a group, and the ADFS 2.0 claims rules language reference is non-existent! If someone works this out please let me know.

JIT Provisioning

Just-in-time provisioning allows you to create users on the fly with a SAML assertion as they attempt to login. All you need to do is enable JIT in your SSO settings and then send the required attributes. JIT custom claims rules are just like the portal ones above. The SalesForce Single Sign-On Implementation Guide has all the details on what attrbiutes to need to be sent. Here’s a few things to keep in mind:

You can provision and update users into specific profiles or rolls based on Active Directory groups just like with the portal logins above, but you’ll need to manage the AD groups carefully – you couldn’t have a user in multiple groups which represent different SalesForce profiles or rolls
You can provision and update users but you can’t un-provision them. Again you’ll need to use Active directory security groups to determine who can be JIT provisioned and you’ll have to manage your licensees and account De-activations outside JIT
~~JIT can’t be used to provision Portal accounts!~~

*Update* It looks like this has changed and it is now supported. Thanks Tim for pointing this out!

https://login.salesforce.com/help/doc/en/sso_jit_portal_requirements.htm
I found that I couldn’t JIT provision users if chatter wasn’t enabled – still waiting for the word on this from SalesForce

Further Analysis

In case you’re wondering how the browser collects and passes these SAML requests and responses around, we’ll take a closer look at the entire process.

We’ll go over the SP-Initiated login because it has the most steps and really demonstrates SAML and federation at its best. I’ll use screen shots of Fiddler2 to show you exactly what’s happening at each step.

Note* Fiddler messes with Windows integrated authentication to IIS so you’ll need to turn off extended protection on the /adfs/ls/ virtual directory if you want to try this. Otherwise your browser won’t authenticate with ADFS and you’ll see event 4625 with error 0xc000035b in the Windows security log on the ADFS server.

Step 1

The user clicks a direct link to a SalesForce page. The browser connects and SalesForce reads the ssoStartPage attribute from the user’s cookie. SalesForce uses JavaScript to redirect the browser to the SalesForce SAML request generator. The SAML request generator creates a SAML request for the IdP by sending an invisible HTML form with hidden fields back to the browser. It then uses JavaScript to automatically submit the form to the IdP SAML endpoint.

Step 2

The browser submits the HTML form which contains the SAML request to the ADFS SAML endpoint. Since we are using Windows integrated authentication, ADFS redirects the browser to the /auth/ingetrated/ directory at which point a 401 (User must authenticate) is sent. Finally, the user is authenticated using Kerberos and ADFS serves up a SAML response. Again, the SAML message is returned to the browser in an HTML form which is then submitted to the SalesForce SAML endpoint using JavaScript.

Step 3

The browser submits the HTML form which contains the SAML response to the SalesForce SAML endpoint which verifies the SAML assertion, logs the user in and redirects the browser to the original requested URL.

Common Issues & Troubleshooting

Here are some of the issues you might com across. Thanks to everyone who has commented and shared their experience – I’ll keep updating this section.

Federation ID is case sensitive

One thing to watch out for is the Federation ID is case-sensitive. So if this is your organizational email, be sure to enter it exactly as AD FS sends it, or Salesforce won’t be able to find the matching user.

I’ve looked into writing a custom claim rule to normalize the case the lase of the LDAP attribute before sending it but it looks like it’s not possible the claims language doesn’t seem to have any string manipulation except a basic regex replace.

Assertion Expired

An assertion’s timestamp is more than five minutes old.

Note: Salesforce does make an allowance of three minutes for clock skew. This means, in practice, that an

assertion can be as much as eight minutes passed the timestamp time, or three minutes before it. This amount

of time may be less if the assertion’s validity period is less than five minutes.

So make sure your clock as sync’d to a good internet time source.

Conclusion

Well that’s it! Everything you need to know about SalesForce WebSSO with ADFS 2.0.

Federation is really cool, so make sure you encourage its use in your organization instead of older methods involving clunky tightly coupled links and horrible things like allowing your cloud vendor to do LDAP authentication against your domain controllers over VPNs etc!

Thanks for reading and please ask questions, make comments and corrections. I’ll continue to update this post as we go.

Updates

2011/07/30

Added JIT and Portal SSO info
Updated SP-initiated login with ”My Domain” info – Thanks to Pat over at SalesForce for helping out this this

On SALESFORCE.COM you can find the following information with regards to SSO (through federation) and provisioning of users:

Cheers,

Jorge

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Federation Services (ADFS), SALESFORCE.COM | Leave a Comment »

(2012-05-05) Claims Based Authorization And Federation Explained The Easy Way

Posted by Jorge on 2012-05-05

I found the article below and I thought to post it here also. The credits about this post of course go to the original writer. However, I also took the liberty to make some comments on what the original writer has written. Those comments can be found throughout the text and are specified with [Comment From Jorge].

ORIGINAL SOURCE: SAML WebSSO & Federation Made Easy

This week I found myself on a SalesForce/SAML/Federation journey which turned out to be very enlightening. Until a few days ago I really had no idea how SAML or Federation worked and it took me a few hours to get my head around it, so I’m going to try explain SAML in a way that’s easy to understand.

SAML 2.0 (Security Assertion Markup Language).

2 Companies:

Company A (Service Provider – SP) has a web application
Company B (Identity Provider – IdP) has a database of people who need to access Company A’s application

[Comment From Jorge]: Sometimes an SP is also called a Relying Party (RP) and an IdP is also called Claims Provider (CP). Don’t you just love all those standards!?

We have a few options here:

Company A could create a new database of people with usernames and passwords within the web application
We could synchronize the database of people including their usernames and passwords from Company B (IdP) to Company A (SP)
We could make a link from the web application to Company B’s database of people and do lookups in real-time
We could tell the web application at Company A to trust users who come from Company B

Options 1 through 3 are pretty crappy. Option 4 is called federation and it’s cool.

[Comment From Jorge]: Option 1 and 3 is indeed crappy. However, option 2 may be required when either the Claims Based Application (an application that understands and consumes claims) requires a representation of the user (a so called place holder account or a shadow account), such as for example Office 365, or a Token Based Application (an application that does not understand and also does not consume claims, but rather leverages Windows style authorizations) is being used.

Here’s what happens (part analogy, part reality):

Both companies have a pair of keys. A public key and a private key. Once something is locked with the private key only the corresponding public key can open it. Company A has a copy of Company B’s public key and vice versa.

[Comment From Jorge]: In this case we are talking about the so called token signing certificate (ADFS term, in other federation solutions it may be called differently). Whenever a Security Token Service (STS) issues a security token with all kinds of claims, the issuing STS signs the token with the private key of its token signing certificate. The receiving STS (in this case) or an application, that has a federation trust setup with the issuing STS, verifies the security token received from the issuing STS by using the public key of the issuing STS’s token signing certificate. So, with this I can now say that the federation trust is setup between STS’es through the token signing certificates on either side. The word “lock” used by the original writer is in my opinion incorrectly used. Another possibility is to encrypt the security token for additional protection (this is by the way not mandatory to setup a federation trust), but both sides of the federation must be able to support this. In that case the issuing STS encrypts the security token with the public key of the receiving STS’s encryption certificate and when the receiving STS receives the security token it should be able to decrypt the encrypted security token by using the private key of its token encryption certificate. Again the token encryption (or decryption) certificate term is an ADFS thing. I do not know if its called the same in other federation solutions.

A user in Company B (IdP) tries to access the web application at Company A (SP). The web application looks for a cookie in the user’s browser to see if he is already authenticated, he is not so the web application (SP) redirects the browser to Company B’s IdP, telling him – “Go and get a ticket!”

[Comment From Jorge]: In reality, the application at company A (SP) redirects the user to the STS trusted by the application, which is by the way also the STS at company A (SP). If the STS at company A (SP) already knows the user is coming from company B (IdP) (through information in the user’s cookie) the STS at company A (SP) redirects the user to the STS at company B (IdP). If the STS at company A (SP) does not yet know where the user is coming from, the STS at company A (SP) performs so called home realm discovery (HRD) by asking the user to provide some information that enables the STS to determine where the user is coming from. This can be done by selecting a trusted STS from a list (all configured federation trusts disclosed, but no additional management needed) or by entering the company name or e-mail address (preferred) (no federation trusts are disclosed, but addition management is needed as mappings are needed between e-mail suffixes and trusted STS’es). As soon as the STS at company A (SP) determines where the user is coming from, it redirects the user to the trusted STS from, in this case, company B (IdP).

The browser goes to Company B’s IdP who authenticates the user against Company B’s database of users. The IdP at Company B locks the user’s employee ID with his private key, gives it to the browser and tells him – “Here’s your ticket now go back to the SP you came from!”

[Comment From Jorge]: The so called company B’s (IdP) database of users could be Active Directory (AD). In case of using ADFS v2, it MUST be AD, as ADFS only supports AD as an authentication store. In the case of ADFS v1.x, it can be either AD or ADLDS/ADAM. ADFS v2, however, does support ADLDS as an attribute store. An authentication store is a store that can authenticate a user and an attribute store does not authenticate a user, but may provide additional information in attributes that ADFS can leverage in claims. In this case the STS at the IdP issues the user a security token with claims and signs the security token with the private key from its token signing certificate to prove that the security token was issued by an STS trusted by the receiving STS.

The browser goes back to the web application (SP) at Company A and presents his ticket. The SP uses Company B’s public key to unlock the ticket. The web application says to himself - “It works! This user MUST have come from Company B because otherwise this public key could NOT have unlocked this ticket. And look, the ticket contains an employee ID and I have a rule that says that this employee ID is allowed access!” And so the web application gives the browser a cookie which allows him access.

[Comment From Jorge]: In this case the STS at company B (IdP) redirects the user back where he came from and in this case it is the STS at company A (SP). This STS at company A (SP) checks the security token is indeed from a trusted STS at company B (IdP) by using that trusted STS’s public key from its token signing certificate. When the check is positive, the STS at company A (SP) transforms the claims in the security token in any way as configured and issues a new security token with new claims and it also signs the new security token with the private key from its token signing certificate. It then redirects the user back to the application.

In SAML the ticket is called an Assertion. In this case we sent the Employee ID but any other user-unique attribute could be used, it just needs to be agreed between the 2 parties.

In reality the web application might not support SAML directly but instead maybe protected by a federation product which takes care of the SAML SP stuff. The IdP stuff will also likely be handled by a federation product which is backed by some kind of LDAP directory or maybe SQL. The browser cookie stuff mentioned above is outside the scope of SAML but I included it for completeness – It’s typical of how these things work.

The neat thing about federation is that you don’t need any links between Company A and Company B. Once the federation trust is established everything else takes place “browser to SP” and “browser to IdP” through a series or re-directs and http POSTs.

Ok so that’s SAML. Actually there are a lot more parts to it than that but that’s the way it’s most commonly used today i.e. for WebSSO. Now that you have the concept, you can dig into the technical details.

I found Google’s explanation useful:
http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html

and Wikipedia :

http://en.wikipedia.org/wiki/SAML_2.0

The best way to learn this stuff is to give it a go. Check out Shibboleth which is an open source SAML SP and IdP implementation. I’ve got the Shibboleth SP side talking to ADFS 2.0 as the IdP but I haven’t played with the Shibboleth IdP yet.

Next time I’ll show you how to put SAML to use with Active Directory Federation Services 2.0 and cloud provider SalesForce. In the mean time feel free to ask questions or make corrections.

[Comment From Jorge]: Also have a look at some Microsoft documentation found through the following links:

Posted in Active Directory Federation Services (ADFS) | Leave a Comment »

(2011-10-24) AD FS 2.0 Claims Rule Language Primer From The ASKDS Team

Posted by Jorge on 2011-10-24

The guys from the ASKDS Team Blog have written a great article about the Claims Rule Language in ADFS v2.x. Kudos and credits of course go to the writer of the post on the AskDS Team Blog

SOURCE: AD FS 2.0 Claims Rule Language Primer

<QUOTE SOURCE=”AD FS 2.0 Claims Rule Language Primer”>

Hi guys, Joji Oshima here again. On the Directory Services team, we get questions regarding the Claims Rule Language in AD FS 2.0 so I would like to go through some of the basics. I’ve written this article for those who have a solid understanding of Claims-based authentication.

If you would like to read up on the fundamentals first, here are some good resources.

Claims Rules follow a basic pipeline. The rules define which claims are accepted, processed, and eventually sent to the relying party. You define claims rules as a property of the Claims Provider Trust (incoming) and the Relying Party Trust (outgoing).

Figure 1: Basic Flowchart For The Claims Pipeline Taken From TechNet

There is also an authorization stage checks if the requestor has access to receive a token for the relying party. You can choose to allow all incoming claims through by setting the Authorization Rules to Permit All. Alternately, you could permit or deny certain users based on their incoming claim set. You can read more about authorization claim rules here and here.

You can create the majority of claims issuance and claims transformations using a Claim Rule Template in AD FS 2.0 Management console, but there are some situations where a custom rule is the only way to get the results you need. For example, if you want to combine values from multiple claims into a single claim, you will need to write a custom rule to accomplish that. To get started, I would recommend creating several rules through the Claim Rule Templates and view the rule language generated. Once you save the template, you can click the View Rule Language button from the Edit Rule window to see how the language works.

Figure 2: Configuring A Claim Rule Using The “Transform An Incoming Claim” Rule Template

Figure 3: Viewing The Actual Claims Rule Language

In the screenshot above, the rule translates as follows:

If (there is an incoming claim that matches the type "http://contoso.com/department")

Then (issue a claim with the type "http://adatum.com/department", using the Issuer, Original Issuer, Value, and ValueType of the incoming claim)

The claims "http://contoso.com/department" and "http://adatum.com/department" are URIs. These claims can be in the URN or HTTP format. The HTTP format is NOT a URL and does not have to specifically link to actual content on the Internet or intranet.

Claims Rule Language Syntax

Typically, the claims rule language is structured similarly to an “if statement” in many programming languages.

If (condition is true)

Then (issue a claim with this value)

What this says is “if a condition is true, issue this claim”. A special operator “=>” separates the condition from the issuance statement and a semicolon ends the statement.

Condition statement => issuance statement;

Review some of the claims you created and look at the structure. See if you can pick out each part. Here is the one we looked at in the first section. Let’s break it down in to the basic parts.

Figure 4: Viewing The Actual Claims Rule Language

The “if statement” condition:

c:[Type == http://contoso.com/department]

The special operator:

=>

The issuance statement:

issue(Type = "http://adatum.com/department", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

For each rule defined, AD FS checks the input claims, evaluates them against the condition, and issues the claim if the condition is true. You probably notice the variable “C” in the syntax. Think of “C” as an incoming claim that you can check conditions against, and use values from it to add to an outgoing claim. In this example, we are checking if there is an incoming claim that has a type that is “http://contoso.com/department”. We also use the values in this claim to assign the value of Issuer, OriginalIssuer, Value, and ValueType to the outgoing claim.

REMARK: There are exceptions to this that are discussed later (using ADD instead of ISSUE and issuing a claim without a condition statement).

Issue a claim to everyone

In the Claims Rule Language, the condition part is optional. Therefore, you can choose to issue or add a claim regardless of what claims are incoming. To do this, start with the special operator “=>”.

Syntax:

=> issue(type = "http://contoso.com/partner", value = "Adatum");

This syntax will issue a claim type “http://contoso.com/partner” with a value of “Adatum”

You could set similar rules for each Claims Provider Trust so that the Relying Party (or application) can know where the user came from.

Using a Single Condition:

In this example, we will look at a single condition statement. A basic claim rule checks to see if there is an incoming claim with a certain type and if so, issue a claim.

c:[Type == "http://contoso.com/role"]

=> issue(claim = c);

This syntax will check to see if there is an incoming claim with the type “http://contoso.com/role” and, if so, issue the exact same claim going out.

You can create this claim rule using the GUI. Choose the template named “Pass Through or Filter an Incoming Claim” and choose the appropriate incoming claim type.

Figure 5: Configuring A Claim Rule Using The “Pass Through or Filter an Incoming Claim” Rule Template

You may also check for multiple values within your condition statement. For example, you can check and see if there is an incoming claim with a specific value. In the following example, we will check for an incoming claim with the type “http://contoso.com/role” that has the value of “Editors” and, if so, issue the exact same claim.

c:[Type == "http://contoso.com/role", Value=="Editors"]

=> issue(claim = c);

You can create this claim rule using the GUI as well. Choose “Pass Through or Filter an Incoming Claim”, choose the appropriate incoming claim type, select “Pass though only a specific claim value”, then enter the appropriate value.

Figure 6: Configuring A Claim Rule Using The “Pass Through or Filter an Incoming Claim” Rule Template

Using Multiple Conditions:

Say you want to issue a claim only if the user has an Editor and has an Email claim and, if so, issue the Editor Role claim. To have multiple conditions, we will use multiple “C” variables. We will join the two condition statements with the special operator “&&”.

c1:[Type == "http://contoso.com/role", Value=="Editors"] &&

c2:[Type == "http://contoso.com/email"]

=> issue(claim = c1);

The first condition (c1) checks to see if you have an incoming role claim with the value of Editors. The second condition (c2) checks to see if there is an incoming email claim. If both conditions are met, it will issue an outgoing claim identical to the incoming c1 claim.

Combining Claim Values:

Say you want to join information together from multiple incoming claims to form a single outgoing claim. The following example will check for an incoming claim type of "http://contoso.com/location" and “http://contoso.com/role”. If it has both, it will issue a new claim, “http://contoso.com/targeted”, combining the two values.

c1:[Type == "http://contoso.com/location"] &&

c2:[Type == "http://contoso.com/role"]

=> issue(Type="http://contoso.com/targeted", Value=c1.value+" "+c2.value);

The resulting value is the value of the first claim (c1), plus a space, plus the value of the second claim (c2). You can combine static strings with the values of the claims using the special operator “+”. The example below shows a sample set of incoming claims, and the resulting output claim.

Example Incoming Claims:

"http://contoso.com/location" is "Seattle"

"http://contoso.com/role" is "Editor"

Example Outgoing Claim:

"http://contoso.com/targeted" is "Seattle Editor"

Using ADD instead of ISSUE:

As mentioned in an earlier section, you can ADD a claim instead of ISSUE a claim. You may be wondering what the difference between these two statements are. Using the ADD command instead of the ISSUE command will add a claim to the incoming claim set. This will not add the claim to the outgoing token. Use this for adding placeholder data to use in subsequent claims rules.

Figure 7: Processing The Claims Rules Illustration Taken From TechNet

In figure 7 you can see that the first rule adds a role claim with the value of Editor. It then uses this newly added claim to create a greeting claim. Assuming these are the only two rules, the outgoing token will only have a greeting claim, not a role claim.

I’ve outlined another example below.

Sample Rule 1:

c:[Type == "http://contoso.com/location", Value=="NYC"]

=> add(Type = "http://contoso.com/region", Value = "East");

Sample Rule 2:

c:[Type == "http://contoso.com/location", Value=="LAX"]

=> add(Type = "http://contoso.com/region", Value = "West");

Sample Rule 3:

c1:[Type == "http://contoso.com/location"] &&

c2:[Type == "http://contoso.com/region"]

=> issue(Type="http://contoso.com/area", Value=c1.value+" "+c2.value);

In this example, we have two rules that ADD claims to the incoming claim set, and one that issues a claim to the outgoing claim set. This will add a region claim to the incoming claim set and use that to create combine the values to create an area claim. The ADD functionality is very useful with the next section for aggregate functions.

Using aggregate functions (EXISTS and NOT EXISTS):

Using aggregate functions, you can issue or add a single output claim instead of getting an output claim for each match. The aggregate functions in the Claims Rule Language are EXISTS and NOT EXISTS.

Say we want to use the location claim, but not all users have it. Using NOT EXISTS, we can add a universal location claim if the user does not have one.

In Sample Rule 1, we will add a location claim with the value of “Unknown” if the user does not have a location claim. In Sample Rule 2, we will use that value to generate the “http://contoso.com/targeted” claim.

Sample Rule 1:

NOT EXISTS([Type == "http://contoso.com/location"])

=> add(Type = "http://contoso.com/location", Value = "Unknown");

Sample Rule 2:

c1:[Type == "http://contoso.com/location"] &&

c2:[Type == "http://contoso.com/role"]

=> issue(Type="http://contoso.com/targeted", Value=c1.value+" "+c2.value);

This way, users without the "http://contoso.com/location" claim can still get the "http://contoso.com/targeted" claim.

Claims Rule Language, beyond this post:

There is more you can do with the Claims Rule Language that goes beyond the scope of this blog post. If you would like to dig deeper by using Custom Attribute Stores and using Regular Expressions in the language, I’ve put up a TechNet Wiki article that contains these advanced topics and other sample syntax. In addition, some other articles may help with these topics.

Conclusion:

Creating custom rules with the Claims Rule Language gives you more flexibility over the standard templates. Syntax familiarization takes a while, but with some practice, you should be able to write custom rules in no time. Start by writing custom rules instead of using the templates in your lab environment and build on those.

Joji “small claims court” Oshima

</QUOTE SOURCE=”AD FS 2.0 Claims Rule Language Primer”>

Posted in Active Directory Federation Services (ADFS) | Leave a Comment »

(2011-10-24) Configuring The New Five Claim Types In ADFS After Installing Rollup Package 1 For ADFS v2.0

Posted by Jorge on 2011-10-24

As I mentioned in this blog post, Microsoft has released a rollup package 1 for ADFS v2.0 which introduces 5 new claim types. However, right after installing the rollup package, rebooting the servers (ADFS STS(s) and ADFS PRX(s), if applicable) and opening the ADFS v2.0 MMC you do not see the new claim types as you might expect. Below you see the result on my ADFS v2.0 STS box after installing the rollup package 1. And as you can see the 5 new claim types are not available.

REMARK: All the other claim types you do not recognize, were created by me as custom claim types.

Figure 1: Claim Types (a.k.a. Claim Descriptions) In ADFS v2.0 (Default And Custom)

It turns out the new Claim Types are not created automatically. Therefore YOU must create them within ADFS v2.0.

For every new Claim Type you must specify the following information:

Display Name (mandatory)
Claim Identifier(mandatory)
Description(optional)
Selection Of “Publish this claim description in federation metadata as a claim type that this Federation Service can accept” (optional)
Selection Of “Publish this claim description in federation metadata as a claim type that this Federation Service can send” (optional)

Figure 2: Creating A New Claim Type/Description Within ADFS v2.0

In the end my the new Claim Types/Descriptions look like as shown below:

Figure 3: Claim Types (a.k.a. Claim Descriptions) In ADFS v2.0 (Default And Custom) Now Including The New Claim Types/Descriptions

In a Sharepoint 2010 webpart that lists all the claims issued you can see the user passed through the ADFS Proxy and is therefore external to the company network. The value shows the NetBIOS name of the ADFS Proxy Server and just by the presence of the claim you can make additional decisions in for example the Issuance Authorization Rules.

Figure 4: Issued Claim Types Listed By A Sharepoint 2010 WebPart – Showing The ID Passed Through An ADFS Proxy Server

Remember that because this claim is included it does not mean it is an external user, it could be though! However, an internal user outside of the internal network that also passes through the ADFS Proxy Server also gets this claim!

REMARK: also check out the following post “Limiting Access to Office 365 Services Based on the Location of the Client”

Posted in Active Directory Federation Services (ADFS) | Leave a Comment »

(2011-10-15) Update Rollup 1 For ADFS v2.0 Has Been Released

Posted by Jorge on 2011-10-15

Microsoft has released update rollup 1 for ADFS v2.0. This rollup contains both bug fixes and additional capabilities. Read all the details by clicking on the following link Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0.

In summary:

Resolves Bug fixes
Feature: No ADFS v2.0 instance needed for every UPN suffix used in Office 365. Single ADFS v2.0 instance supports multiple UPN suffixes for Office 365
Feature: 5 new location based (source or destination or both) claim types

Feature: Congestion Avoidance Algorithm
Feature: Additional ADFS v2.0 Performance Counters

Outstanding Token Requests
Rejected Token Requests
Rejected Token Requests/sec
Token Request Latency
Failed U/P authentications
Failed U/P authentications per Second

Posted in Active Directory Federation Services (ADFS), Updates | 1 Comment »

« Previous Entries

Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & ILM/FIM (It is just like an addiction, The more you have, the more you want to have!)

Profiles

Statistics

Other Cool Blogs

Interesting Places To Visit

The Knowledge Archives

RSS Links

Email Subscription

Categories

Archive for the ‘Active Directory Federation Services (ADFS)’ Category

(2012-05-25) Update Rollup 2 For ADFS v2.0 Has Been Released

(2012-05-11) Installing And Configuring ADFS v2 As A PRX Server

(2012-05-10) Installing And Configuring ADFS v2 As An STS Server (Part 3)

(2012-05-09) Installing And Configuring ADFS v2 As An STS Server (Part 2)

(2012-05-08) Installing And Configuring ADFS v2 As An STS Server (Part 1)

(2012-05-06) Setting Up SALESFORCE.COM With ADFS v2.0

Install

Configuration

Testing

Further Analysis

Common Issues & Troubleshooting

Conclusion

(2012-05-05) Claims Based Authorization And Federation Explained The Easy Way

(2011-10-24) AD FS 2.0 Claims Rule Language Primer From The ASKDS Team

(2011-10-24) Configuring The New Five Claim Types In ADFS After Installing Rollup Package 1 For ADFS v2.0

(2011-10-15) Update Rollup 1 For ADFS v2.0 Has Been Released

All about Windows Server, ADDS, ADFS & ILM/FIM (It is just like an addiction, The more you have, the more you want to have!)

Profiles

Statistics

Other Cool Blogs

Interesting Places To Visit

The Knowledge Archives

RSS Links

Email Subscription

Categories

Archive for the ‘Active Directory Federation Services (ADFS)’ Category

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Install

Configuration

Testing

Further Analysis

Common Issues & Troubleshooting

Conclusion

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: