
Twobo LDAP Attribute Store for ADFS


  1. Twobo LDAP Attribute Store for ADFS
     Using ADFS with LDAP servers that don’t support Windows authentication
     Copyright © 2013 Twobo Technologies AB. All rights reserved
  2. Agenda
     - Limitations and restrictions of ADFS 2
     - Possible workarounds
     - Alternatives
       - Open source
       - From Twobo
     - Installation and use
  3. Restrictions in ADFS 2
     - The out-of-the-box LDAP attribute store requires Windows authentication
     - “When you work with other Lightweight Directory Access Protocol (LDAP)-based attribute stores [besides AD], you must connect to an LDAP-capable server that supports Windows Integrated Authentication” -- TechNet (http://bit.ly/1bWt3rn)
  4. Workarounds
     1. Enable Windows Authentication on the LDAP server
     2. Connect ADFS to some other IP-STS and use ADFS as an FP-STS only
     3. Use an alternative LDAP attribute store that supports other authentication schemes
  5. Open Source LDAP Attribute Stores
     A few open source options are available, but they are:
     - Limited in features (purpose built)
     - Limited in testing
     - Unproven
     - Undocumented
     - Unsupported
     - Without communities
  6. Twobo LDAP Attribute Store
     - Supports simple and anonymous bind
     - Supports multi-value attributes
     - Supports decoding binary data fields based on various encodings
     - Supports LDAPS
     - Works with ADFS 2.0 and 2.1
     - Better documentation
     - Rule-specific scope and search base
     - Commercially supported by a security company
  7. Configuration
     Normal attribute store configuration:
     - Use ADFS cmdlets
     - Use ADFS Management Console
  8. Configuration Options
     Setting        Description
     servername*    Name or IP of LDAP server
     defaultRoot*   Default search location
     port           Port of LDAP server
     defaultScope   Default search scope
     secured        Use of LDAP or LDAPS
     password       Password used when binding
     username       Username used when binding
     encoding       Code page to use when decoding binary data
  9. Using the Attribute Store
     - Use with custom rules wherever ADFS allows (issuance, authorization, etc.)
  10. Typical Issuance Rule
      c:[Type == "http://schemas.xmlsoap.org/.../upn"]
       => issue(store = "2BOLDAP",
                types = ("http://schemas.xmlsoap.org/.../emailaddress",
                         "http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
                query = "uid={0}mail,uid",
                param = c.Value);
      Slide annotations: the c:[...] clause is the input claim; "2BOLDAP" is the store name; the two URIs under types are the output claims; the query combines the LDAP filter (uid={0}) with the attributes in LDAP to return (mail,uid); param supplies the substitution value for {0}.
  11. When User IDs Don’t Match
      1. Add a new input claim from AD
  12. When User IDs Don’t Match
      2. Derive it using an “add” rule followed by an “issue”
  13. Example of an “Add” Rule
      c:[Type == "http://schemas.microsoft.../windowsaccountname"]
       => add(Type = "_uname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
              Value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
              ValueType = c.ValueType);
      The regular expression splits a DOMAIN\user account name at the backslash and keeps only the user part, which becomes the value of the new _uname claim.
  14. Example of the following “Issue” Rule
      c:[Type == "_uname"]
       => issue(store = "2BOLDAP",
                types = ("http://schemas.xmlsoap.org/.../emailaddress",
                         "http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
                query = "uid={0}mail,uid",
                param = c.Value);
  15. Example of Non-default Base and Scope
      c:[Type == "_uname"]
       => issue(store = "2BOLDAP",
                types = ("http://schemas.xmlsoap.org/.../emailaddress",
                         "http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
                query = "uid={0}mail,uidou=People,dc=example,dc=comSubtree",
                param = c.Value);
      Slide annotations: ou=People,dc=example,dc=com is the rule-specific search base and Subtree is the rule-specific search scope; both override defaultRoot and defaultScope from the store configuration for this rule only.
  16. Example of Retrieving a Distinguished Name
      c:[Type == "_uname"]
       => issue(store = "2BOLDAP",
                types = ("http://schemas.xmlsoap.org/.../emailaddress",
                         "http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
                query = "uid={0}distinguishedName",
                param = c.Value);
      The distinguished name can be requested as if it were an attribute even though it is not one; “dn” works as well.
  17. Tested Systems
      LDAP servers:
      - OpenLDAP using anonymous bind and simple bind, with and without SSL (on Linux)
      - AD LDS using simple bind (on W2K8 R2)
      - Siemens DirX Directory using simple bind, with and without SSL (on *NIX)
      - ApacheDS using simple bind (on Linux)
      ADFS:
      - 2.0
      - 2.1
  18. Questions & Thanks
      @2botech
      www.2botech.com
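One way to carry out the configuration and rule steps from slides 7 to 15 with the ADFS cmdlets the deck mentions, as an added PowerShell example that is not the deck's or Twobo's own code. The store's .NET type name, the LDAP host, the bind DN, the relying party name and the field separator inside the query string are assumptions shown as placeholders.

```powershell
# Added example, not from the Twobo deck: register the store with the deck's
# configuration keys, then attach the add/issue rule pair to a relying party.
# Placeholders (assumptions): the store's .NET type name, the LDAP host, the bind
# DN, the relying party name, and the separator the store expects inside query.
Import-Module ADFS

$storeName = "2BOLDAP"
$ldapConfig = @{
    servername   = "ldap.example.com"                             # placeholder host
    port         = "636"
    secured      = "true"                                         # LDAPS
    username     = "cn=adfs-reader,ou=Service,dc=example,dc=com"  # placeholder bind DN
    password     = (Read-Host -Prompt "Bind password")            # keep it out of the script
    defaultRoot  = "ou=People,dc=example,dc=com"
    defaultScope = "Subtree"
    encoding     = "utf-8"
}

# A simple bind over plain LDAP sends the service account password in clear text,
# so refuse to register a credentialed store unless secured is set.
if ($ldapConfig.username -and $ldapConfig.secured -ne "true") {
    throw "Refusing to register '$storeName': simple bind without LDAPS (secured=true)."
}

Add-AdfsAttributeStore -Name $storeName `
    -TypeQualifiedName "<Twobo store type name, from the product documentation>" `
    -Configuration $ldapConfig

# Single-quoted here-string: nothing inside is interpolated, so ${user} and {0}
# reach ADFS untouched. <SEP> stands for the store's query field separator, which
# the deck does not show; replace it before use.
$rules = @'
@RuleName = "Strip DOMAIN\ prefix from windowsaccountname"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(Type = "_uname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
        Value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
        ValueType = c.ValueType);

@RuleName = "Look up mail and uid in LDAP by the derived user name"
c:[Type == "_uname"]
 => issue(store = "2BOLDAP",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"),
          query = "uid={0}<SEP>mail,uid", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName "Example RP" -IssuanceTransformRules $rules   # placeholder RP
```

The two rules are the deck's slide 13 and slide 14 pair written with full claim type URIs; the deck abbreviates them with "...".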
