ADFS Custom Rule with Two Attributes

Question

ADFS Custom Rule with Two Attributes

Richard Long 341

We are configuring ADFS (on Server 2012 R2) to support multiple AWS accounts. We plan to leverage an LDAP attribute to determine the user's role, and a second attribute to specify the AWS account number the user should be authenticated to.

We have this working with the user's role populated in an LDAP attribute, but the AWS account number is hardcoded in the claim right now, so we're looking for some guidance getting that put into a claim correctly.

Here is what we are trying:

Get Attributes Claim Rule (Rule template: Send claims using a custom rule)
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://temp/variable"), query = ";ad-attribute1;{0}", param = c.Value1);
c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://temp/variable"), query = ";ad-attribute2;{0}", param = c.Value2);

AWS Role (Rule template: Send claims using a custom rule)
c:[Type == "http://temp/variable"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::" + c.Value2 ":saml-provider/our-adfs,arn:aws:iam::" + c.Value2 ":role/" + c.Value1);

The value we are trying to achieve will be structured like this:
arn:aws:iam::111111111111:saml-provider/our-adfs,arn:aws:iam::111111111111:role/rolename

Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2021-04-14T01:27:21.433+00:00

Sorry, it is not clear to me at all...

What is the attribute storing the user's rolein AD? And do the user have the same role on all AWS accounts? If not, how do you know what role for what AWS account?
What is the attribute sotring the AWS account in AD?

You want to output to be a concatenation of all roles and accounts? or you want a multi valued claim (that would be easier)?
Richard Long 341 Reputation points

2021-04-14T18:24:30.01+00:00

Thanks for your response. I'll answer your questions in order.

We plan to use the "altSecurityIdentity" attribute to include an AWS Role Name
The users will be dedicated to one AWS account, so no they won't have the same role in all AWS accounts
The "division" attribute will hold the AWS account number

We'd like to pull the values out of those attributes to plug them into a claim that produces a value in the format of an AWS role. We're trying to understand the best approach to accomplish this.
Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2021-04-20T02:07:07.627+00:00

Well don't use the altSecurityIdentity attribute in AD. It has a specific AD purpose, you'll mess things up by using this one.
Pick something in the extended attribute list or cloud attribute list, or whatever that is not already used by AD for its core mechanism (altSecurityIdentity is used for certificate authentication in AD).

You could just query the 1st attribute, then the 2nd and concatenate the two. Do you want a woriking example for this?
Richard Long 341 Reputation points

2021-05-10T23:50:19.133+00:00

Thanks, I'll use an extended attribute then. I would really appreciate a working example.

Accepted answer

0 additional answers

Your answer

Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2021-04-14T01:27:21.433+00:00

Sorry, it is not clear to me at all...

What is the attribute storing the user's rolein AD? And do the user have the same role on all AWS accounts? If not, how do you know what role for what AWS account?
What is the attribute sotring the AWS account in AD?

You want to output to be a concatenation of all roles and accounts? or you want a multi valued claim (that would be easier)?
Richard Long 341 Reputation points

2021-04-14T18:24:30.01+00:00

Thanks for your response. I'll answer your questions in order.

We plan to use the "altSecurityIdentity" attribute to include an AWS Role Name
The users will be dedicated to one AWS account, so no they won't have the same role in all AWS accounts
The "division" attribute will hold the AWS account number

We'd like to pull the values out of those attributes to plug them into a claim that produces a value in the format of an AWS role. We're trying to understand the best approach to accomplish this.
Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2021-04-20T02:07:07.627+00:00

Well don't use the altSecurityIdentity attribute in AD. It has a specific AD purpose, you'll mess things up by using this one.
Pick something in the extended attribute list or cloud attribute list, or whatever that is not already used by AD for its core mechanism (altSecurityIdentity is used for certificate authentication in AD).

You could just query the 1st attribute, then the 2nd and concatenate the two. Do you want a woriking example for this?
Richard Long 341 Reputation points

2021-05-10T23:50:19.133+00:00

Thanks, I'll use an extended attribute then. I would really appreciate a working example.

Answer 1

Pierre Audonnet - MSFT 10,191 Microsoft Employee

Something like this should do the trick:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("claims:temp/attribute1","claims:temp/attribute2"), query = ";ad-attribute1,ad-attribute2;{0}", param = c.Value);


c1:[Type == "claims:temp/attribute1"] && c2:[Type == "claims:temp/attribute2"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::" + c2.Value ":saml-provider/our-adfs,arn:aws:iam::" + c2.Value ":role/" + c1.Value);

You would need to replace the name of the attribute you are really using in the first rule ad-attribute1 and ad-attribute2 and it is assuming that the final format is what you really need.

Richard Long 341 Reputation points

2021-05-19T18:32:08.553+00:00

Thanks for your help! I appreciate it
Richard Long 341 Reputation points

2021-06-01T02:55:21.447+00:00

I had to make a minor change, but this is what worked. Thanks again for your help

Get Attributes Claim:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("claims:temp/msDS-CloudExtensionAttribute1","claims:temp/msDS-CloudExtensionAttribute2"), query = ";msDS-CloudExtensionAttribute1,msDS-CloudExtensionAttribute2;{0}", param = c.Value);

AWS Role ADFS Claim:
c1:[Type == "claims:temp/msDS-CloudExtensionAttribute1"] && c2:[Type == "claims:temp/msDS-CloudExtensionAttribute2"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::" + c2.Value + ":saml-provider/our-adfs,arn:aws:iam::" + c2.Value + ":role/" + c1.Value);

Share via

ADFS Custom Rule with Two Attributes

0 additional answers

Your answer