Twobo LDAP Attribute Store for ADFS
Published in Technology
Transcript

  • 1. Twobo LDAP Attribute Store for ADFS: Using ADFS with LDAP servers that don’t support Windows authentication. Copyright © 2013 Twobo Technologies AB. All rights reserved.
  • 2. Agenda
    - Limitations and restrictions of ADFS 2
    - Possible workarounds
    - Alternatives: open source; from Twobo
    - Installation and use
  • 3. Restrictions in ADFS 2
    - The out-of-the-box LDAP attribute store requires Windows authentication.
    - “When you work with other Lightweight Directory Access Protocol (LDAP)-based attribute stores [besides AD], you must connect to an LDAP-capable server that supports Windows Integrated Authentication” -- TechNet (http://bit.ly/1bWt3rn)
  • 4. Workarounds
    1. Enable Windows Authentication on the LDAP server
    2. Connect ADFS to some other IP-STS and use ADFS as an FP-STS only
    3. Use an alternative LDAP attribute store that supports other authentication schemes
  • 5. Open Source LDAP Attribute Stores: a few open source options are available, but they are
    - Limited in features (purpose built)
    - Limited in testing
    - Unproven
    - Undocumented
    - Unsupported
    - Without communities
  • 6. Twobo LDAP Attribute Store
    - Supports simple and anonymous bind
    - Supports multi-value attributes
    - Supports decoding binary data fields based on various encodings
    - Supports LDAPS
    - Works with ADFS 2.0 and 2.1
    - Better documentation
    - Rule-specific scope and search base
    - Commercially supported by a security company
  • 7. Configuration: normal attribute store configuration, either
    - Use ADFS cmdlets
    - Use ADFS Management Console
  • 8. Configuration Options

    Setting        Description
    servername*    Name or IP of LDAP server
    defaultRoot*   Default search location
    port           Port of LDAP server
    defaultScope   Default search scope
    secured        Use of LDAP or LDAPS
    password       Password used when binding
    username       Username used when binding
    encoding       Code page to use when decoding binary data
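Registering the store with the ADFS 2.x cmdlets and the settings from the options table, as an added example that is not part of the Twobo deck. The type-qualified name is a placeholder to be taken from the Twobo documentation, and the hostname, search base and value formats for port, secured and encoding are assumptions.

```powershell
# Added example (not from the Twobo deck): register the Twobo store via the ADFS 2.x cmdlets.
# The -TypeQualifiedName value is a PLACEHOLDER; use the one from the Twobo documentation.
# Value formats for port/secured/encoding are assumed, not taken from the slides.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0/2.1 snap-in

$storeName = "2BOLDAP"   # must match store = "2BOLDAP" in the claim rules

# Prompt for the bind account so no password literal ends up in a script under source control.
# Use a read-only directory account scoped to the search base; it only needs to search.
$bindCred = Get-Credential -Message "Read-only LDAP bind account for ADFS"

$config = @{
    servername   = "ldap.example.com"             # constructed hostname
    port         = "636"                          # LDAPS port (assumed string form)
    secured      = "true"                         # LDAPS instead of plain LDAP (assumed value)
    defaultRoot  = "ou=People,dc=example,dc=com"  # default search base (constructed)
    defaultScope = "Subtree"                      # default search scope, same token as the slides
    username     = $bindCred.UserName             # e.g. cn=adfs-reader,ou=Service,dc=example,dc=com
    password     = $bindCred.GetNetworkCredential().Password
    encoding     = "utf-8"                        # code page for decoding binary attributes (assumed)
}

Add-ADFSAttributeStore -Name $storeName `
    -TypeQualifiedName "PLACEHOLDER.TwoboLdapAttributeStore, PLACEHOLDER.Assembly" `
    -Configuration $config

# Review what ADFS recorded for the store (name, type and configuration keys).
Get-ADFSAttributeStore -Name $storeName | Format-List Name, StoreTypeQualifiedName, Configuration
```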
  • 9. Using the Attribute Store: use it with custom rules wherever ADFS allows them (issuance, authorization, etc.).
  • 10. Typical Issuance Rule

    c:[Type == "http://schemas.xmlsoap.org/.../upn"]
     => issue(store = "2BOLDAP",
              types = ("http://schemas.xmlsoap.org/.../emailaddress",
                       "http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
              query = "uid={0}mail,uid",
              param = c.Value);

    Callouts on the slide: Input claim (the c:[Type == ...] condition); Store name ("2BOLDAP"); Output claims (types); LDAP filter (uid={0}); Attributes in LDAP (mail,uid); Substitution value (param = c.Value).
  • 11. When User IDs Don’t Match: 1. Add a new input claim from AD.
  • 12. When User IDs Don’t Match: 2. Derive it using an “add” rule followed by an “issue”.
  • 13. Example of an “Add” Rule

    c:[Type == "http://schemas.microsoft.../windowsaccountname"]
     => add(Type = "_uname",
            Issuer = c.Issuer,
            OriginalIssuer = c.OriginalIssuer,
            Value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
            ValueType = c.ValueType);
  • 14. Example of an “Add” Rule (the matching “issue” rule)

    c:[Type == "_uname"]
     => issue(store = "2BOLDAP",
              types = ("http://schemas.xmlsoap.org/.../emailaddress",
                       "http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
              query = "uid={0}mail,uid",
              param = c.Value);
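Checking the add/issue pair from slides 13 and 14 before touching live rules, as an added example that is not part of the Twobo deck: the regexreplace pattern is exercised in the same .NET regex engine ADFS uses, and the derived uid is escaped per RFC 4515 before substitution into the uid={0} filter. The sample claim values and the escaping helper are constructed here and say nothing about how the Twobo store itself substitutes {0}.

```powershell
# Added example (not from the Twobo deck): validate the "add" rule regex and the filter
# built from the derived uid, using constructed sample claim values.
$pattern = '(?<domain>[^\\]+)\\(?<user>.+)'   # same pattern as the add rule on slide 13

function ConvertTo-LdapUid {
    param([Parameter(Mandatory)][string]$WindowsAccountName)
    # Mirrors regexreplace(c.Value, pattern, "${user}"): the match is replaced by the
    # named group, and a value without a DOMAIN\ prefix passes through unchanged.
    $m = [regex]::Match($WindowsAccountName, $pattern)
    if (-not $m.Success) { return $WindowsAccountName }
    return $m.Groups['user'].Value
}

function New-LdapFilter {
    param([Parameter(Mandatory)][string]$Uid)
    # RFC 4515 escaping of the value substituted into "uid={0}", so a claim value
    # containing ( ) * \ or NUL cannot change the shape of the search filter.
    # Backslash is escaped first so the later escapes are not double-encoded.
    $escaped = $Uid -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    return "uid=$escaped"
}

# Constructed samples: normal DOMAIN\user, a bare user name, and a value with filter metacharacters.
$samples = 'EXAMPLE\jdoe', 'jdoe', 'EXAMPLE\j(doe)*'
foreach ($s in $samples) {
    $uid = ConvertTo-LdapUid $s
    '{0,-18} -> uid {1,-10} -> filter {2}' -f $s, $uid, (New-LdapFilter $uid)
}
```

Expected: EXAMPLE\jdoe and jdoe both yield uid=jdoe, while the third sample yields uid=j\28doe\29\2a, which an LDAP server treats as a literal value rather than as filter syntax.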
  • 15. Example of Non-default Base and Scope

    c:[Type == "_uname"]
     => issue(store = "2BOLDAP",
              types = ("http://schemas.xmlsoap.org/.../emailaddress",
                       "http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
              query = "uid={0}mail,uidou=People,dc=example,dc=comSubtree",
              param = c.Value);

    Callouts on the slide: Rule-specific search base (ou=People,dc=example,dc=com); Rule-specific search scope (Subtree).
  • 16. Example of Retrieving a Distinguished Name

    c:[Type == "_uname"]
     => issue(store = "2BOLDAP",
              types = ("http://schemas.xmlsoap.org/.../emailaddress",
                       "http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
              query = "uid={0}distinguishedName",
              param = c.Value);

    The distinguished name can be treated as an attribute even though it is not one; “dn” works as well.
  • 17. Tested Systems
    - LDAP servers:
      - OpenLDAP using anonymous bind and simple bind, with and without SSL (on Linux)
      - AD LDS using simple bind (on W2K8 R2)
      - Siemens DirX Directory using simple bind, with and without SSL (on *NIX)
      - ApacheDS using simple bind (on Linux)
    - ADFS: 2.0 and 2.1
  • 18. Questions & Thanks: @2botech, www.2botech.com