The Experts Conference

Uploaded by adhocjackpot in Security, 5 Nov 2013

Customizing ADFS

Tips, Tricks and Hacks for Better Federation

Joe Kaplan - Accenture

Who Am I?

- Programmer/Architect, sort of an “IT guy”
- Background in building web apps, ID provisioning systems and PKI stuff using .NET
- ADFS user

Agenda

- The Basics: Customizations every ADFS deployment should do
- Making it work with AD/LDS (ADAM)
- Custom claims transformations
- Hack city!
  - Alternate authentication
  - Changing home realm discovery
  - Adding authorization features
  - Customized error processing

The Basics: Custom Error Page

- Every ADFS deployment needs a custom error page
- This is the ONE customization you MUST do!
- And it is easy…

Before Custom Errors…

And After…

How to add a custom error page

  <system.web>
    <customErrors mode="On" defaultRedirect="/adfs/ls/error.aspx">
      ...
    </customErrors>
    <httpModules>
      ...
    </httpModules>
    ...
  </system.web>

“Should Do” Customizations

- ADFS looks bad out of box
- Add logo/style sheet to:
  - discoverclientrealm.aspx
  - FS-P clientlogon.aspx
  - signout.aspx
  - policy.aspx
  - your custom error page

Before Stylesheet…

And After…

AD/LDS As an Account Store

- ADFS has first class support for AD as an Account Store
- AD/LDS, not so much…
- Out of box, you can’t even log in with an AD/LDS account unless you have deployed the FS-P!
  - Not clear how to configure the store to make it work
  - Not clear how Microsoft expected anyone to get this to work

Fixing ADFS for AD/LDS

- “Borrow” clientlogon.aspx from the FS-P and replace the existing one at /adfs/ls/
- Use userPrincipalName or displayName as the “name” attribute
- Make sure your app NC uses a “DC=xxx” naming pattern


Other AD/LDS Account Store Best Practices

- Don’t combine an AD/LDS account store with an AD account store
- Don’t combine multiple AD/LDS account stores either (one store/FS)
- Don’t forget the SSL/LDAP
- Make sure FS app pool identity has read access to AD/LDS server
- AD/LDS FS’s make weird resource FS’s (claims apps only)


Custom Claims Transforms

- Designed extensibility mechanism in ADFS that allows you to change the claims at any stage in the pipeline
- .NET code assembly that implements a simple interface
- Very VERY powerful!
  - Use only for good
  - Keep it secure
- At this point, we need an actual developer (ASP.NET skills)

Claims Transform Challenges

- Visual Studio integration does not exist
  - http://www.joekaplan.net/HowToGetVSNETIntegrationForADFSClaimsBasedApps.aspx
- Documentation does not really exist either
- Must be willing to experiment and test
- Not much community support

Basics of a Claims Transform

  public interface IClaimTransform
  {
      // Called by ADFS with the claims as received (incoming), as mapped into the
      // organization's own claim set (corporate) and as they will be issued (outgoing).
      // The stage, issuer and target identify where in the pipeline and for which
      // partner or application the call is being made.
      void TransformClaims(
          ref SecurityPropertyCollection incomingClaims,
          ref SecurityPropertyCollection corporateClaims,
          ref SecurityPropertyCollection outgoingClaims,
          ClaimTransformStage transformStage,
          string issuer,
          string target
      );
  }


How It Works

- ADFS calls your transform twice each time a token is generated
- Different claims are populated in each scenario
- You can change the claims to whatever you want
- Three primary scenarios:
  - my account store -> my resource app (SSO)
  - my account store -> external FSA (outbound Fed)
  - external FSA -> my resource app (inbound Fed)
- Issuer and Target help you figure out which scenario is happening
- Different processing stages allow you to do different things

TransformTracer Sample

  // Diagnostic transform: changes nothing, only logs what ADFS hands in at each call.
  // DumpString and DumpClaims are the sample's own logging helpers (not shown on the slide).
  public void TransformClaims(
      ref SecurityPropertyCollection incomingClaims,
      ref SecurityPropertyCollection corporateClaims,
      ref SecurityPropertyCollection outgoingClaims,
      ClaimTransformStage transformStage,
      string issuer,
      string target)
  {
      DumpString("Entered claims transform module");
      DumpString("Transform stage is " + transformStage.ToString());
      DumpString("Issuer is " + issuer);
      DumpString("Target is " + target);
      DumpString("incoming claims:");
      DumpClaims(incomingClaims);
      DumpString("corporate claims:");
      DumpClaims(corporateClaims);
      DumpString("outgoing claims:");
      DumpClaims(outgoingClaims);
  }

Claims Transform Ideas

- Directory data transformations
- Getting claims from other sources (SQL, etc.)
- Adding claims for inbound partner accounts to make them easier to distinguish or help ensure token app integration
- Generate claims that have no actual extraction
- Perform complex mappings not supported by the UI
- Hacks…

Getting Fancy: ADFS Hacks

- Alternate authentication
- Adding authorization features to ADFS
- Home Realm Discovery customization
- “Very” custom errors

Alternate Authentication: Basic Premise

- clientlogon.aspx shows that ADFS accepts WindowsIdentity for logon
- AD supports generation of WindowsIdentity via Kerberos S4U with 2K3 native AD
- Thus, if I can get the user’s UPN, I can log in to ADFS without requiring ADFS or Windows to do the actual credentials validation

  // From clientlogon.aspx in /adfs/ls/auth/integrated/
  return LSAuthenticationObject.BeginLogonClient(wi, cb, state);

  // Kerberos S4U in 2K3 AD allows us to do this...
  WindowsIdentity id = new WindowsIdentity("someuser@domain.local");

Adding Authorization: Basic Premise

- Claims transform executes “in process” in ASP.NET processing pipeline
- Throwing an exception halts the ADFS processing and shows an error
- Claims transform tells you what claims a user has
- Thus: if we establish a policy store which specifies which claims are required for which resources, we can prevent tokens from being issued based on this policy
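One way to realize the policy-store idea, as an added example written for this page and not code from the deck: a transform that refuses to issue a token when the user lacks the groups required for the target. IClaimTransform, SecurityPropertyCollection and ClaimTransformStage are the types shown on the slide; the namespace, the SecurityProperty members (Uri, Name, GroupUri) and the PostTransform stage name are assumptions about the ADFS 1.x SDK, and the policy rules are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Web.Security.SingleSignOn.Authorization; // ADFS 1.x claims-transform namespace (assumed)

// Policy store: resource (ADFS's "target" string) -> groups a user must hold to receive a token.
// Constructed sample rules; a real deployment would load them from config or a database.
public class RequiredGroupPolicy
{
    private readonly Dictionary<string, string[]> rules =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "urn:federation:payroll",   new[] { "Payroll Users" } },
            { "urn:federation:hr-portal", new[] { "HR Staff", "Employees" } }
        };
    // Required groups the user lacks; empty means issue the token. A target with no rule is allowed.
    public List<string> MissingGroups(string target, ICollection<string> userGroups)
    {
        List<string> missing = new List<string>();
        string[] required;
        if (target != null && rules.TryGetValue(target, out required))
            foreach (string g in required)
                if (!userGroups.Contains(g)) missing.Add(g);
        return missing;
    }
}

public class AuthorizingClaimTransform : IClaimTransform
{
    private static readonly RequiredGroupPolicy Policy = new RequiredGroupPolicy();
    public void TransformClaims(
        ref SecurityPropertyCollection incomingClaims,
        ref SecurityPropertyCollection corporateClaims,
        ref SecurityPropertyCollection outgoingClaims,
        ClaimTransformStage transformStage, string issuer, string target)
    {
        // Check only the final claim set, right before ADFS builds the token (stage name assumed).
        if (transformStage != ClaimTransformStage.PostTransform) return;
        // Assumed SDK shape: the collection enumerates SecurityProperty items with Uri and Name,
        // and group claims carry SecurityProperty.GroupUri.
        HashSet<string> groups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (SecurityProperty p in outgoingClaims)
            if (p.Uri == SecurityProperty.GroupUri) groups.Add(p.Name);

        List<string> missing = Policy.MissingGroups(target, groups);
        if (missing.Count > 0) // throwing halts ADFS processing: no token is issued, error page shown
            throw new SecurityException("Token for " + target + " denied; missing group(s): "
                + string.Join(", ", missing.ToArray()));
    }
}
```

The denial surfaces as the generic ADFS error unless an error handler maps SecurityException to a dedicated page, which is what the HttpModule approach on the later slide provides.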

HRD Customization: Basic Premise

- By default, ADFS provides a DataTable of partners to show
- Allows us to redirect to one of them based on input
- Thus: We can show different data and provide the value back to ADFS a different way

  LSDiscoveryFormContext dc = (LSDiscoveryFormContext)LogonServer.FormContext;
  RealmList.DataSource = dc.DiscoveryTable;

  private void ButtonClick(object sender, System.EventArgs e)
  {
      // redirect to the Account logon server
      LSAuthenticationObject.Current.RedirectToAccountFederationPartner(...);
  }

Very Custom Errors: Basic Premise

- ASP.NET supports global error handler and external error handling via HttpModule
- Possible to do custom processing on errors based on error details (Exception type and message, etc.)
- Thus: Can display different results based on different errors or perhaps reroute processing to do something different
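An added example of the HttpModule approach (written for this page, not the deck's own code): the module subscribes to the application's Error event, picks a page by exception type, logs the detail server-side and redirects the browser with only an opaque incident id. The module name and the accessdenied.aspx path are constructed; /adfs/ls/error.aspx is the page from the web.config slide.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Web;

// Routes ADFS errors to different pages by exception type. Register it under <httpModules>
// in the ADFS web.config, e.g. <add name="AdfsErrorRouting" type="AdfsErrorRoutingModule" />
// (module and page names are constructed for this example).
public class AdfsErrorRoutingModule : IHttpModule
{
    private const string AccessDeniedPage = "/adfs/ls/accessdenied.aspx"; // constructed path
    private const string GenericErrorPage = "/adfs/ls/error.aspx";        // page from the slide

    public void Init(HttpApplication app)
    {
        // Fires for any unhandled exception in the pipeline, including one thrown by a claims transform.
        app.Error += OnError;
    }

    public void Dispose() { }

    // Pure decision function: exception -> page. Kept separate so it can be unit tested.
    public static string ChooseErrorPage(Exception ex)
    {
        // ASP.NET wraps page exceptions in HttpUnhandledException; look at the real cause.
        if (ex is HttpUnhandledException && ex.InnerException != null) ex = ex.InnerException;
        if (ex is SecurityException) return AccessDeniedPage; // e.g. a policy denial from a transform
        return GenericErrorPage;                              // everything else stays generic
    }

    private static void OnError(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        Exception ex = app.Server.GetLastError();
        if (ex == null) return;

        // Keep the detail server-side; the browser only sees a generic page and an opaque id
        // that an admin can correlate with the trace log.
        string incidentId = Guid.NewGuid().ToString("N");
        Trace.TraceError("ADFS error {0}: {1}", incidentId, ex);

        app.Server.ClearError();                 // handled here: suppress the default error output
        app.Response.Redirect(ChooseErrorPage(ex) + "?id=" + incidentId, false);
        app.CompleteRequest();                   // stop further pipeline processing
    }
}
```

Because the module calls ClearError, it takes precedence over the customErrors redirect configured earlier, so the two should agree on page locations.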

Questions?

Additional Resources

- www.directoryprogramming.net
  - Support forum for ADFS admin and dev
- www.joekaplan.net
  - My blog, with a few articles that have more details