canariecaf / adfstoolkit Goto Github PK

Identify the necessary language specific elements and adopt the recommendation i18n model for the strings where possible.

The configuration should be verified on startup.

Different configurations for different versions.

Assemble scripts/code in such a fashion that the code is efficiently, reliably, authentically, and securely published to PowerShellGallery.com

This is for convenience. Current implementation uses SHA256 fingerprint only WITHOUT colons.
For user usability, it should accept a fingerprint as ouput from openssl

Sometimes the configuration for this toolkit is complex and could be well served for a native interface to gather reference settings for the tool.
These settings could be XML fetched from the web or built into a web GUI that in turn builds the necessary XML
Highly useful items:

• aggregate(s) to be loaded and their validation hashes

Hard to reproduce but when there is a log to disk option selected, these errors may appear:
Add-Content : The process cannot access the file '\globemaster\HomeFolders\cphillips\Documents\gitcontrolled\adfstoolkit\status2.log'
because it is being used by another process.
At \globemaster\HomeFolders\cphillips\Documents\gitcontrolled\adfstoolkit\ADFSToolkit\Private\Write-Log.ps1:267 char:17

•             Add-Content -Path $LogFilePath -Value $FileMessage
  

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : WriteError: (\globemaster\H...kit\status2.log:String) [Add-Content], IOException
  • FullyQualifiedErrorId : GetContentWriterIOError,Microsoft.PowerShell.Commands.AddContentCommand

This is the powershell not able to log when eventlog can be used. Likely benign but recorded here for tracking the known issue

The nested module import is not importing the module in the expected fashion and as a module, should not require it's import.
Review the technique and resolve preferably with the module base or by dropping the import technique entirely and rely on the execution environment which may sacrifice the operation of the tool as a delivered zip (or review how to discretely allow for both approaches preferably.)

Some sites may desire multiple aggregates to be loaded.
Expectations around these aggregates are:

• the aggregates shall be validated, at least with the same key
• optionally with a different key per aggregate

Other conditions:

• this should not impact negatively on the caching or hashing technique to detect changes

ADFS has a property Secure hash algorithm found under the Advanced tab in the GUI. It's not populated correct at this moment.

For most of the RP:s that's fine (the default value is correct) but a few need to change and then you have to override the script (change the name to exclude the prefix).

I'm not sure if this value exists in the metadata or if we can use the signature algorithm from the signing certificate. This needs a bit of investigation.

Add Logout endpoint(s) to the SP.
ADFS logout URL = https://[IdP]/adfs/ls/?wa=wsignout1.0
Get the post/redirect URL from metadata

While appveyor can do CI tests, we need to tell it what to test. I propose these minimal ones:

[ ] validate a signed aggregate can be validated
[ ] validate an aggregate fails signature by bad hash value
[ ] validate an aggregate fails validation due to changes within the signed XML

This may require that we bundle sample tainted aggregates such that the tests are performed ok OR that we have the ability to fetch a signed aggregate and THEN attempt to manipulate THAT one (simply adding a character or changing a space should do) to trigger validation failure.

This is similar to the previous question:
No references are made to this function anymore and if it's necessary, it should be migrated to the new naming convention.

If it is not, we should remove it. It may have a key function but no longer needed?

As we use eventlog for our activity, it may be helpful to have some specific cmdlets to assist viewing the log and possibly used to bundle output into a support request.

https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/21/event-log-queries-using-powershell/

Add eduPersonUniqueID ti the default config file...

The discrete filters for a given entity need to:
[ ] migrate out of the Private folder into the config folder since it's a user managed assignment
[ ] be renamed to a more semantic meaning name to clearly identify it

The following line of code in Add-ADFSTk-SPRelyingPartyTrust.sp1 should have better error handling (row 95):
$EntityCategories += $sp.Extensions.EntityAttributes.Attribute | ? Name -eq "http://macedir.org/entity-category" | select -ExpandProperty AttributeValue | % { ...

Í got the following error from Gothernburg University:
select : Property "AttributeValue" cannot be found.
At C:\Program Files\WindowsPowerShell\Modules\ADFSToolkit\0.9.1.40\Private\Add-ADFSTkSPRelyingPartyTrust.ps1:95 char:12
0

• ... ir.org/entity-category" | select -ExpandProperty AttributeValue | % {

•                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidArgument: (Attribute:PSObject) [Select-Object], PSArgumentException
  • FullyQualifiedErrorId : ExpandPropertyNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand

Powershell from powershell galery bakes in a version # into the path for the module. This should either be baked into the working path as a default for convenience for out of the box running.

Going forward, the notion of the working path being created MAY be asked for during the creation of the configuration file in order to create the directory and necessary supporting locations where files live (/cache etc).

[ ] template should contain version of toolkit from powershell module
[ ] user created configuration file should use the MetadataPrefix
[ ] attempt to detect existing config file before overwriting would be helpful to prevent users hurting themselves.

SWAMID needs to add a couple attributes to CoCo.

In the future we should move this kind of changed to Federation specific entity categories.
This change will not affect other federations.

Discovered that on the specific import of an entity there is a cut and past error where EntityBase is used that should instead be entityID.
This prevents individual entities from being added properly.

Attribution to University of Umea with many thanks for the report of the problem.

• SPhash.xml and cache.xml file should be be migrated to a cache directory and not in the root

For some RP:s it would be good to block logins directly in ADFS.

We should discuss if it's a good idea to add configuration for this.

If you have attribute releases with the same source attribute and the attribute releases are limited within a federation. The limit are not allways enforced.

When Powershell code is signed, any of the powershell code to be included requires a code signing block. This means that anything to override and SP setting will break the signature in the current model.

To support an execution policy of remoteSigned externalizing the SP overrides into user controlled space/origin is required.
A known style used by Apache, NGinx, and freeRADIUS will be used. The style is a directory of sites-available (things you can use), and sites-enabled (things actively configured).
Adopting this model allows for flexibility of selecting known configuration for Service Providers/Relying Parties and ingesting all records in sites-enabled will permit easier, more fine grained updates and NOT require a Module reload.

A parent directory set to the version of the Module will be used to do better mitigating Module updates triggering errors in running code.

Functional features required:

• Break out examples in config/get-ADFSTkManualSPSettings.ps1 into a subdirectory in the module 'default'/site-examples using a file-safe naming-convention that ends with .ps1.txt
• when new-ADFSTkConfiguration is executed, do the following:
• force the creation of the following directory structure within C:\ADFSToolkit if it does not already exist:
• the latest version number () and nested within these folders
• config
• cache
• sites-available
• sites-enabled
• sites-disabled
• sites-examples
• copy all *ps1.txt files in /config/default/site-examples into c:\ADFSToolkit\site-examples
  -[ ] update New-ADFSTkConfiguration.ps1 around line 245 to add the enumeration of all ps1 files to be inserted into the array of SP overrides (in the spirit of ingesting the filter of any subfiles tagged *.ps1 in a targeted subdirectory (candidate to be a public Function get-ADFSTUserSPOverrides.ps1.

The act of enabling a service is placing to place a file in sites-available and issue:

publish-ADFSTkSPSettings -name -config /path/config.xml [-refresh] which will:

• attempt to load the given config and named powershell anchored in sites-available

• copy the file into c:\adfstoolkit<module-version>\sites-enabled

• if -refresh is provided it will trigger the issuance of the command import-ADFSTkMetadata for the invocation of the import of that record.

• a log record will be written to the ADFSTk EventLog

• unpublish-ADFSTkSPSettings -name <filename -config /path/config.xml -refresh will:

• attempt to load the given config and named powershell anchored in sites-available

• ask the user 'are you sure' and default to No of file moving from sites-enabled to sites-disabled

• move the file

• if -refresh is provided it will trigger the issuance of the command import-ADFSTkMetadata for the invocation of the import of that record.

• a log record will be written to the ADFSTk EventLog

In the above commands, the notion of which aggregate the entity originates from is important and pivots on the notion of the configuration file to source the aggregate fingerprint. It is plausible that an entityid MAY exist in both but one or the other is tweaked and may need to be reviewed during implementation.

update logging technique to:
[ ] not require logfilepath as a required attribute
[ ] to exclusively use eventlog
[ ] to retain the ability to configure which log via the config directives
[ ] to make code adjustments on validation on import launch and related help text for the command to function as expected

Support for releasing PersistentId

•     $AllSPs | % {
  

•               ~~~
  

  • CategoryInfo : InvalidData: (:) [ForEach-Object], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ForEachObjectCommand

Needs to do a null check on the set for processing before handling the request for removing entities

Cleanup of the creation/release of Transient Name Id

During the creation of the configuration file, users are asked for the ADFS external DNS name. There is no prevention to detect an IP address as opposed to an FQDN. FQDN's should be used and IP addresses should be prevented.

This enhancement is for sites without an AD schema containing eduPersonAffiliation.
For those we desire the attribute to be handled as follows and configurable in the config file

• allow it to be populated directly from a schema attribute as specified in the config file (e.g. 'member')
• allow it to be populated as a static setting from the configuration file if the schema attribute is not assigned
• allow a mapping of affiliation values to any of the given values to be assigned from a group expression (e.g. student is when user is present in AD group 'isStudent')

it is worth noting that user may be present in multiple groups so we should strive for the calculation to encapsulate building a multivalued array for said members.

mappings on eduPersonAffiliation are applied per Relying Party. This means the mappings are configured 1000's of times for large aggregates. There may be a more clever way to perform the mapping.

We shouldn't have any hard-coded texts in the scripts.
All texts should be fetched from language files.

We should ensure that we create the eventlog type or adhere to the common one that exists. Once there, we should:

[ ] ensure our logging is being written to it
[ ] appropriate log levels are applied (TRACE, DEBUG, INFO, WARN, ERROR, FATAL)

The error when the aggregate cannot be retrieved are really that the file cannot be written to disk and usually as a result of the directory not existing in the working path of the configuration.

This should be improved either with a more valid error or to ensure that the file location exists and if not, throw an error that way.

It should be possible to address transform rule(s) to all SP:s

It should be possible to address transform rule(s) to all SP:s within a domain (ends with *.edu.org or *.sub.edu.org)

This is actually the default behaviour of ADFS but not the actual tool.

A requirement for #4

Scheduled task should not point to specific configuration version.
Move sync-adfstkaggregates to module folder

Let ADFS Toolkit have the possibility to include Federation specific Entity Categories.
If a federation specifies the same Entity Category that are already present in ADFS Toolkit, the federation Entity Category should take over.

If a new version of ADFSTookit introduces changes to the institution configuration the version of the default configurations should increase and we need a cmdlet to upgrade the current institution configuration.

If ADFSTk should be able to use federation specific configuration we need to let the IdP admin choose federation and save that in the institution config file.

attributeResolver eduPersonUniqueID is mapped to norEduPersonLIN

Recommend to be abstracted to XML configuration for attribute mapping

Not a bug, but certainly a magic assignment that doesn't port across regions/directories doing this and would be something to be edited the moment it's needed.

This is what people see when they type get-help. It should be a bit better.

It does not appear to be referenced anymore and is actually 'Get-LiUAnswer' in the file which is also not referenced. If we are not using it should be dropped

If we are, it should migrate to the new naming convention and elaborated on where to use it since it is not referenced anymore.

ADFSTk uses the same SHA1/SHA256 from the signing certificate in the ADFS RP.
This isn't allways right (but it's the ony data we have to work with).

It should be possible to force SHA1/SHA256 from the local configuration.

Change handling of directories for different versions of ADFSTk.

Move institution config to a specific folder, not in a ADFSTk version folder.

When a new configuration is created a new powershell job should be written so that the way to schedule 'the job' is to take said ADFSTkjob.ps1 and schedule that and all the switches and necessary activities will live inside the job itself.

When an aggregate is retrieved and uses SHA256 to sign things, WindowsServer 2012r2 does not have the necessary signature verification suite.

If it is detected as not available, it is possible with Administrator level access to ADD SHA256 signature validation to the host's accepted cryptographic signatures.

The resolution path should:

• attempt to detect this signature validation suite exists
  -- if not, it should be added
• if so, do nothing else.

The parts that populate Attributes and Entity Categories are called when every SP is loading.
Instead of loading those values from disc, make use of global variables.

That will make the Tolkit faster and more reliable.

Added id´s to logging events, easier to search logs