0

I am trying to add the custom Attributes via the SQL, and I'm following the steps on [https://blogs.technet.microsoft.com/vinitt/2013/04/15/how-to-use-to-custom-sql-attribute-store-to-generate-claims-and-authorize-user]

I got the SQL Server setup, with the table 'attributes', but then I get to the step where it talks about the relaying party trust... Just edit the non-existent relaying party trust. (Application is working correctly right now, it is a website using ADFS to provide the Authentication, but not the authorization) - I had code for the API side to query the database and add Claims on the fly, but that only works for the server side code, we really need those claims in the JWT.

So, looking at this article everything looked great. I got the SQL Server, and I just need to add the rule to hit the server once the person's logon is validated.

Sounds like a piece of cake, but there is no where to add the claim rule - as I don't have (or need?) any relaying party trust - this can be handled 100% by the AD FS Server, so no need for any relaying. I tried to add one, but couldn't get past the first question. Guessed on that one, and couldn't get past the 2nd question. At this point I gave up... I doubt that entering random data into the form is going to work.

Can someone tell me how to add this? Please note: this is NOT a sharepoint site, and has nothing to do with Sharepoint. It is a .Net Site running an angular application that redirects to the ADFS Server and gets redirected back with the token..

So, anything wrong with this claim Rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(store = "SQL", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "SELECT role from dbo.ADFS_attributes where logon={0}", param = c.Value);

Specifically, the attributes table has logon and role, and I'm trying to create roles based on records for that user. (In this case, it should create one per each result (I hope))

I've tried to change this to 'select 'Admin' role' in order to just always return a role to use, but that doesn't work either. I don't see any errors in the event log, just nothing... no change to the JWT that comes back.. (Still the same number of claims) - I can't even seem to add 'email' as a pass through claim, so I'm missing something here, or else, it is missing something here.. I don't know what.

OK, to make SURE this was working, I added the following claim rule:

 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Admin");

Yep, added it right to the Active Directory Provider trust, so it would Always add the 'Admin' role. Nada.

I added it directly to the 'Web Application' / Issuance Transformation Rules, so there is no chance that it wouldn't be added.... Nope, nothing.

I also verified that the 'role' was in the claim description, and checked to publish as both accepted and sent...

Still getting the same old 10 items in the JTW that I always got..

Oh, and I tried restarting the 'Active Directory Federation Services' service... And marked 'clear browser cache' when the debugger is up on the web page.

Sounds like ADFS just doesn't actually work, or none of the claims rules run. Is there a global setting somewhere that says 'enable custom rules' that needs to be turned on?

Traderhut Games
  • 1,222
  • 1
  • 15
  • 30
  • Oh, also, I'm trying to add multiple roles, so I'm hoping that if the claim rule returns multiple values, that will work correctly - creating one claim per match... (that is step 2, once I get this returning a single claim) – Traderhut Games Aug 01 '18 at 23:39
  • I'd love to know why the down-vote. – Traderhut Games Aug 02 '18 at 15:41
  • Attempting to add the SQL Claim rules to the 'Issuance Transformation Rules' on the Web Application Property, but no effect, get the same JWT created... (Using openid for the client permissions) – Traderhut Games Aug 02 '18 at 18:51

2 Answers2

1

This is a better article since it doesn't reference SharePoint.

Also the rules should be "issue" rather than "add".

On the RP side, add the claims rules.

You need a RP trust because this is the application that is going to get the claims rules.

To add a RP trust manually, refer this.

Also, you mention JWT? What protocol are you using? SAML? OpenID Connect?

rbrayb
  • 46,440
  • 34
  • 114
  • 174
  • I wasn't the one that setup the ADFS, It appears to be using OpenID, you check the JWT, if invalid, redirect to the adfs site to get a new one issued and it redirects back. I'm not 100% sure if it is configured correctly. It appears that I can add claims rules on the Claims Provider Trust, (on the Active Directory trust). I'm just the guy who was asked to fix this.. – Traderhut Games Aug 02 '18 at 15:50
0

Turns out that you can add the rules to the 'Application Group' / "Web Application", and select the "Issuance Transform Rules" and add your SQL Claim rule there:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] => issue(store = "SQL", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "SELECT role from dbo.ADFS_attributes where logon={0}", param = c.Value);

This allows you to add multiple roles if you have multiple roles.

The primary reason I wasn't seeing this was that the UI that was put on this was (somehow) posting a different token (without my roles) back to the API Server. I'm looking into where it got that token, why the token wasn't validated, (didn't come from the server, or it would have had my roles added)... Very strange,

Solved the issue by using PostMan to post to the server and then looked at the returned JWT that was good...

It seems that all JWT signing verification wasn't done by the last person...

Traderhut Games
  • 1,222
  • 1
  • 15
  • 30