
Comments (6)

redhook62 avatar redhook62 commented on July 28, 2024

Hello,

I don't really understand your log.
But are you using the new feature of ADFS 2016 used to declare a new local provider (an LDAP 3.0 repository)?
If yes, have you configured it?

Sample PowerShell code to create a new local provider (LDAP 3.0 repo)

I used this kind of script to add my Synology NAS as a local provider

Get-AdfsLocalClaimsProviderTrust
Remove-AdfsLocalClaimsProviderTrust -TargetName Synology

$idStoreAccountUserName = "uid=root,cn=users,dc=contoso,dc=com"
$idStoreAccountPassword = "yourpassword" | ConvertTo-SecureString -asPlainText -Force
$DirectoryCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $idStoreAccountUserName, $idStoreAccountPassword

If Using SSL

$Directory = New-AdfsLdapServerConnection -HostName "ldap.contoso.com" -Port 636 -SslMode SSL -AuthenticationMethod Basic -Credential $DirectoryCred

If not using SSL

$Directory = New-AdfsLdapServerConnection -HostName "ldap.contoso.com" -Port 389 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred

Attributes mapping

$GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/commonname"
$Email = New-AdfsLdapAttributeToClaimMapping -LdapAttribute email -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

$WindowsAccount = New-AdfsLdapAttributeToClaimMapping -LdapAttribute uid -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

Local Claims Provider Creation

Add-AdfsLocalClaimsProviderTrust -Name "Synology" -Identifier urn:synology:contoso:com -Type Ldap -LdapServerConnection @($Directory) -UserObjectClass inetOrgPerson -UserContainer "cn=users,dc=contoso,dc=com" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($GivenName, $Surname, $CommonName, $Email, $WindowsAccount) -AcceptanceTransformRules "c:[] => issue(claim = c);" -Enabled $true -OrganizationalAccountSuffix @("contoso.com")

Attribute Store

Add-ADFSAttributeStore -Name Synology -TypeQualifiedName "Neos.IdentityServer.AttributeStore.LDAP, Neos.IdentityServer.Ldap.AttributeStore, Version=1.1.0.0, Culture=neutral, PublicKeyToken=175aa5ee756d2aa2" -Configuration @{"servername" = "ldap.contoso.com" ; "port" = "389" ; "username" = "uid=root,cn=users,dc=contoso,dc=com" ; "password" = "password" ; "secured" = "false" ; "root" = "dc=contoso,dc=com"}

ADFS Sample Claims

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Synology", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = "(uid={0});mail,mail", param = c.Value );

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Synology", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "(memberUid={0});cn", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(claim = c);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "urn:synology:contoso:com"] => issue(store = "Synology", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";uid,,mail;{0}", param = c.Value);

Attribute Store Extension Sample

Neos.IdentityServer.Ldap.AttributeStore.zip

from adfsmfa.

Bastien-RB avatar Bastien-RB commented on July 28, 2024

Hello,
My LDAP is working without MFA; AD is working with MFA in AD mode.
In SQL mode, AD and LDAP don't work.

I configured my LDAP like you did, except I didn't do the Attribute Store step.

I didn't see this step in this doc:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories

My ldap Config

$ldapuser = "uid=admin,ou=system"
$ldappassword = ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force
$DirectoryCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ldapuser,$ldappassword

$EXTDirectory = New-AdfsLdapServerConnection -HostName LDAPSERVER -Port 10389 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred

$DisplayName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute displayName -ClaimType "http://temp.org/identity/claims/displayName"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"
$email = New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"
$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# Backticks continue the single Add-AdfsLocalClaimsProviderTrust command across lines
Add-AdfsLocalClaimsProviderTrust -Name "EXTERNAL" -Identifier "urn:EXTERNAL" -Type Ldap -LdapServerConnection $EXTDirectory `
    -UserObjectClass inetOrgPerson -UserContainer "ou=People,o=external" -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" -Enabled $true -LdapAttributeToClaimMapping @($email, $DisplayName, $CommonName, $Surname)

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024

Hello,

Yes, Attribute Store is an old ADFS feature and it's optional (only if you want more attributes for claims).

We have just tested with SQL Server, and we have no problems. It works as well!
As you describe first, it seems not related to MFA, but are you sure that your LDAP configuration is working?
Does your configuration run as well with the LDAP provider removed?
Get-AdfsLocalClaimsProviderTrust
Remove-AdfsLocalClaimsProviderTrust -TargetName EXTERNAL

I don't see, in your script, the declaration for UPN:
-AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
MFA requires this claim (see: Neos.IdentityServer.Multifactor.AdapterMetadata.cs).

You are mapping the email attribute to the WindowsAccountName claim. This is wrong!
You must map the email attribute to UPN as AnchorClaimType.

Remember, the UPN is always the identity claim in a federation context.

Let us know if this resolves your problem.

Regards

from adfsmfa.
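The reply above asks whether the LDAP configuration itself works before ADFS is involved. The following pre-flight check is an added example, not code from the adfsmfa project or from either participant: it binds to the LDAP server with the same host, port, SSL mode and credential the provider trust will use (via System.DirectoryServices.Protocols, which ships with Windows), then looks up one known user under the user container and reports whether the attributes the trust depends on (the anchor attribute and the attribute mapped to windowsaccountname) are actually present. Host name, port, container DN and the sample user value are placeholders to replace; the function name and its parameters are the example's own.

```powershell
# Added example; not part of adfsmfa or of this thread.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Escape RFC 4515 filter metacharacters so the sample value cannot change the filter's shape.
function ConvertTo-LdapFilterValue([string] $Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '*'       { [void]$sb.Append('\2a') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Test-AdfsLdapSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 636,
        [switch] $UseSsl,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential,
        [Parameter(Mandatory)] [string] $UserContainer,          # e.g. "cn=users,dc=contoso,dc=com"
        [string] $UserObjectClass = 'inetOrgPerson',
        [Parameter(Mandatory)] [string] $SampleUser,              # login value of one known user
        [string] $LoginAttribute = 'uid',
        # Anchor attribute (mail -> UPN) and the attribute mapped to windowsaccountname (uid).
        [string[]] $RequiredAttributes = @('mail', 'uid')
    )

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $identifier, $Credential.GetNetworkCredential(),
        [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3          # LDAP v3, as the ADFS provider requires
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl

    try {
        try { $conn.Bind() }
        catch {
            return [pscustomobject]@{ Bind = $false; UserFound = $false; DistinguishedName = $null
                                      MissingAttributes = @(); Error = $_.Exception.Message }
        }

        $filter = "(&(objectClass=$UserObjectClass)($LoginAttribute=$(ConvertTo-LdapFilterValue $SampleUser)))"
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $UserContainer, $filter,
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, $RequiredAttributes)
        $response = $conn.SendRequest($request)

        if ($response.Entries.Count -eq 0) {
            return [pscustomobject]@{ Bind = $true; UserFound = $false; DistinguishedName = $null
                                      MissingAttributes = @(); Error = "No $UserObjectClass with $LoginAttribute=$SampleUser under $UserContainer" }
        }

        $entry = $response.Entries[0]
        # Attributes the trust will read but which this user does not carry.
        $missing = @($RequiredAttributes | Where-Object { -not $entry.Attributes.Contains($_) })
        [pscustomobject]@{ Bind = $true; UserFound = $true; DistinguishedName = $entry.DistinguishedName
                           MissingAttributes = $missing; Error = $null }
    }
    finally { $conn.Dispose() }
}

# Usage (placeholders): prompt for the bind credential instead of embedding a password in the script.
# Test-AdfsLdapSource -HostName ldap.contoso.com -Port 636 -UseSsl -Credential (Get-Credential) `
#     -UserContainer "cn=users,dc=contoso,dc=com" -SampleUser jdoe
```

A result with `Bind = $true`, `UserFound = $true` and an empty `MissingAttributes` list means the directory side matches what the provider trust will ask for; a non-empty `MissingAttributes` containing `uid` is exactly the situation that later produces the "does not contain a Windows account name" error, and a bind failure points at the credential or SSL settings rather than at MFA.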

Bastien-RB avatar Bastien-RB commented on July 28, 2024

Hello,

I have changed the AnchorClaimType:
Add-AdfsLocalClaimsProviderTrust -Name "EXTERNAL" -Identifier "urn:EXTERNAL" -Type Ldap -LdapServerConnection $EXTDirectory `
    -UserObjectClass inetOrgPerson -UserContainer "ou=People,o=external" -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" -Enabled $true -LdapAttributeToClaimMapping @($email, $DisplayName, $CommonName, $Surname)

It's OK for AD, but I have another error with LDAP (LDAP is OK without MFA):
Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
https://monapp.mestests.org/sampapp/

Exception details:
System.IO.InvalidDataException: The identity information provided does not contain a Windows account name.
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

from adfsmfa.

Bastien-RB avatar Bastien-RB commented on July 28, 2024

It's OK,
I added uid in my LDAP mapped to windowsaccount; it's OK now, thanks for your help.
Do you sell support for this solution?

from adfsmfa.
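The thread settles on two requirements for an LDAP local claims provider used with adfsmfa: the anchor claim type must be the UPN (redhook62's reply above), and some LDAP attribute must be mapped to the windowsaccountname claim, otherwise ADFS fails with "The identity information provided does not contain a Windows account name" (the error and fix in Bastien-RB's last two comments). The check below is an added example, not code from the adfsmfa project or from either participant. It assumes the trust object exposes `AnchorClaimType`, `AnchorClaimLdapAttribute` and `LdapAttributeToClaimMapping` (items with `LdapAttribute` and `ClaimType`), named after the `Add-AdfsLocalClaimsProviderTrust` parameters seen in this thread; if your `Get-AdfsLocalClaimsProviderTrust` output names them differently, adjust the property names. The two sample trusts at the end are constructed to mirror the broken and the fixed configuration from this issue, so the script runs without an ADFS server.

```powershell
# Added example; not part of adfsmfa or of this thread.
$UpnClaim                = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$WindowsAccountNameClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

function Test-AdfsLdapTrustForMfa {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)   # object shape assumed, see lead-in
    process {
        $findings = @()
        $mappings = @($Trust.LdapAttributeToClaimMapping)

        # 1. adfsmfa identifies the user by the UPN claim, so it must be the anchor.
        if ($Trust.AnchorClaimType -ne $UpnClaim) {
            $findings += "AnchorClaimType is '$($Trust.AnchorClaimType)'; MFA needs '$UpnClaim' (anchor the mail attribute to the UPN)."
        }

        # 2. The ADFS external authentication handler needs a windowsaccountname claim.
        $wan = @($mappings | Where-Object { $_.ClaimType -eq $WindowsAccountNameClaim })
        if ($wan.Count -eq 0) {
            $findings += "No LDAP attribute is mapped to '$WindowsAccountNameClaim'; map a unique login attribute such as uid to it."
        }
        elseif ($wan.Count -gt 1) {
            $findings += "More than one LDAP attribute is mapped to windowsaccountname ($($wan.LdapAttribute -join ', ')); keep exactly one."
        }

        # 3. A mail address is not a Windows account name; the anchor attribute belongs on the UPN, not here.
        if ($wan | Where-Object { $_.LdapAttribute -eq $Trust.AnchorClaimLdapAttribute }) {
            $findings += "The anchor attribute '$($Trust.AnchorClaimLdapAttribute)' is mapped to windowsaccountname; use the login attribute instead."
        }

        [pscustomobject]@{ Name = $Trust.Name; Ready = ($findings.Count -eq 0); Findings = $findings }
    }
}

function New-SampleMapping([string] $LdapAttribute, [string] $ClaimType) {
    [pscustomobject]@{ LdapAttribute = $LdapAttribute; ClaimType = $ClaimType }
}

# Constructed sample 1: the first configuration from this thread (mail anchored to windowsaccountname, no uid mapping).
$brokenTrust = [pscustomobject]@{
    Name                     = 'EXTERNAL'
    AnchorClaimLdapAttribute = 'mail'
    AnchorClaimType          = $WindowsAccountNameClaim
    LdapAttributeToClaimMapping = @(
        (New-SampleMapping 'mail' 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email'),
        (New-SampleMapping 'cn'   'http://schemas.xmlsoap.org/claims/CommonName'),
        (New-SampleMapping 'sn'   'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname')
    )
}

# Constructed sample 2: the configuration after both fixes (UPN anchor, uid mapped to windowsaccountname).
$fixedTrust = [pscustomobject]@{
    Name                     = 'EXTERNAL'
    AnchorClaimLdapAttribute = 'mail'
    AnchorClaimType          = $UpnClaim
    LdapAttributeToClaimMapping = @(
        (New-SampleMapping 'mail' 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email'),
        (New-SampleMapping 'uid'  $WindowsAccountNameClaim),
        (New-SampleMapping 'sn'   'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname')
    )
}

$brokenTrust, $fixedTrust | Test-AdfsLdapTrustForMfa | Format-List

# On an ADFS server, run the same check against the live configuration:
# Get-AdfsLocalClaimsProviderTrust | Test-AdfsLdapTrustForMfa
```

The first sample reports two findings (wrong anchor claim type, no windowsaccountname mapping) and `Ready = False`; the second reports none. Running the pipeline against `Get-AdfsLocalClaimsProviderTrust` after any change to a trust catches both misconfigurations before a user hits the "does not contain a Windows account name" error in the ADFS event log.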

redhook62 avatar redhook62 commented on July 28, 2024

Hi, this project is open source, and we are going to push new versions regularly.
But if you really want support, contact neos-sdi (in French).

Regards

from adfsmfa.
