Configure OpenLDAP as a Claims Provider in Active Directory Federation Services (ADFS)

Kevin Tim
Jun 29, 2024


This topology will be used in this tutorial:

Configure OpenLDAP as a Claims Provider in Active Directory Federation Services (ADFS) — Topology

Pre-requisites:

  1. Windows Server 2022:
  • Basic configuration such as network configuration and hostname is done
  • Active Directory Domain Services is installed along with the DNS service
  • DNS zones exist (in this tutorial, we use 2 domains: hades.org and hades.net)
  • DNS records for each server and for the ADFS service exist
  • Active Directory Federation Services (ADFS) is installed and the ADFS farm is configured

  2. Ubuntu Server 22.04:
  • Basic configuration such as network configuration and hostname is done
  • OpenLDAP is installed and the admin user is configured (in this tutorial, we don’t need LDAPS)
  • Create one or two users in LDAP for testing. Make sure to include these attributes:
    - objectClass: inetOrgPerson
    - mail
    - cn
    - sn
    - givenName
  • (Optional) Disable anonymous binding as a basic security measure.

  3. Client:
  • Use a GUI operating system with a GUI web browser (with JavaScript support) installed.
  • Trust the Certificate Authority (CA) that issued the SSL certificate for ADFS, or you can simply ignore the certificate warning while doing the client-side testing.

For this tutorial, these values are configured and will be used:

  • Windows server 2022 FQDN: adds.hades.org
  • Ubuntu Server 22.04 FQDN: ldap.hades.net
  • DNS service A record for ADFS: adfs.hades.org
  • LDAP admin DN: CN=admin,DC=hades,DC=net
  • LDAP admin Password: Passw0rd$
  • LDAP user DN (for testing purposes): CN=james,DC=hades,DC=net
  • LDAP user mail attribute (for testing purposes): james@hades.net

Assuming the pre-requisites are met, the configuration is done on the Windows Server from an Administrator PowerShell session. Steps to configure:

  • Enable IdpInitiatedSignon. We need this so we can test the ADFS login without a Relying Party Trust or Server Application configured
Set-AdfsProperties -EnableIdpInitiatedSignon $true
  • Define variables to store the LDAP admin DN and the LDAP admin password (as a secure string), and create a PowerShell credential from those variables
$ldapadmindn = "CN=admin,DC=hades,DC=net"

$ldapadminpassword = ConvertTo-SecureString -AsPlainText -Force 'Passw0rd$'

$ldapcredential = New-Object System.Management.Automation.PSCredential -ArgumentList ($ldapadmindn, $ldapadminpassword)
  • Define the LDAP connection using the LDAP credential defined above, and store this connection in a variable. Note that with -SslMode None the simple bind goes over plain LDAP on port 389, so the admin DN and password travel in cleartext; this matches the no-LDAPS prerequisite of this tutorial, but outside a lab the connection should use LDAPS.
$ldapconnection = New-ADFSLdapServerConnection -HostName ldap.hades.net -Port 389 -SslMode None -AuthenticationMethod Basic -Credential $ldapcredential
  • Define variables for the LDAP attribute to claim mappings. Here, we’ll map them like this:
    - givenName => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    - sn => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    - cn => http://schemas.xmlsoap.org/claims/CommonName
$GivenName = New-ADFSLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

$Surname = New-ADFSLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

$CommonName = New-ADFSLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"

To see more available claim types (for mapping other attributes), issue this command:

Get-ADFSClaimDescription
  • Using all the variables defined above, create a new ADFS Local Claims Provider Trust that connects to the OpenLDAP service. Besides the mappings defined above, we need to define an anchor attribute to claim mapping. Here, we’ll use this anchor mapping:
    - mail => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    We also need to define the claim rules for this trust (passed via -AcceptanceTransformRules). Here, we’ll pass through all claims.
Add-ADFSLocalClaimsProviderTrust -Name "Hades Network LDAP" -Identifier "urn:hades-net-ldap" -Type Ldap -LdapServerConnection $ldapconnection -UserObjectClass inetOrgPerson -UserContainer "DC=hades,DC=net" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($GivenName, $Surname, $CommonName) -AcceptanceTransformRules 'c:[Type != ""] => issue (claim=c);' -Enabled $true
  • Make sure there are no errors while running the above commands. Verify the result by listing the Local Claims Provider Trusts, and make sure the LDAP claims provider exists.
Get-ADFSLocalClaimsProviderTrust
  • For client-side testing, open this URL in a GUI browser:
https://[ADFS-Service-FQDN]/adfs/ls/idpinitiatedsignon.aspx

In this tutorial, we’ll use this URL:

https://adfs.hades.org/adfs/ls/idpinitiatedsignon.aspx

After opening it, the Home Realm Discovery (HRD) page will show 2 claims providers:
- Active Directory (this is the default claims provider)
- Hades Network LDAP (or whatever name you defined while adding the ADFS Local Claims Provider Trust)

HRD Page

Choose the LDAP claims provider, and then try to log in using LDAP credentials. Use the user’s mail (UPN) attribute as the username and the userPassword attribute as the password.

LDAP Claims Provider User Login Page

If everything is OK, the authentication will succeed and it will redirect to the “Sign-In success” page.

Login Success
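The browser test above can be complemented by a scripted check from the ADFS server. This is an added example, not code from the original post: it binds to OpenLDAP with the same admin credential ADFS uses and confirms the test user carries the anchor attribute (mail) and every mapped attribute, then reads the trust back and compares the settings the login depends on. It assumes the values of this tutorial (ldap.hades.net:389, CN=admin,DC=hades,DC=net, DC=hades,DC=net, james@hades.net, urn:hades-net-ldap) and that the object returned by Get-AdfsLocalClaimsProviderTrust exposes properties named like the cmdlet parameters.

```powershell
# Added verification script (not from the original post). Assumes the tutorial's
# values and that the trust object exposes properties named like the cmdlet parameters.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# RFC 4515 escaping so a user-supplied value cannot alter the search filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ($c -in '\', '*', '(', ')' -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else { [void]$sb.Append($c) }
    }
    $sb.ToString()
}

# Bind to OpenLDAP the way ADFS does (simple bind over plain LDAP) and confirm the
# test user carries the anchor attribute (mail) and every mapped attribute.
function Test-LdapUserAttributes([string]$Server, [int]$Port, [pscredential]$Cred,
                                 [string]$Container, [string]$Mail) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Cred.GetNetworkCredential()   # UserName is the bind DN
    $conn.Bind()   # throws LdapException if the bind is rejected
    $filter = "(&(objectClass=inetOrgPerson)(mail=$(ConvertTo-LdapFilterValue $Mail)))"
    $attrs  = [string[]]('mail', 'givenName', 'sn', 'cn')
    $scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req    = New-Object System.DirectoryServices.Protocols.SearchRequest($Container, $filter, $scope, $attrs)
    $resp   = $conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { throw "Expected exactly one entry for $Mail, got $($resp.Entries.Count)" }
    $missing = $attrs | Where-Object { -not $resp.Entries[0].Attributes.Contains($_) }
    if ($missing) { throw "User $Mail is missing attributes: $($missing -join ', ')" }
    "LDAP OK: $($resp.Entries[0].DistinguishedName) has mail, givenName, sn and cn"
}

# Read the trust back from ADFS and check the settings the login depends on.
function Test-LdapClaimsProviderTrust([string]$Identifier) {
    $t = Get-AdfsLocalClaimsProviderTrust | Where-Object { $_.Identifier -eq $Identifier }
    if (-not $t) { throw "No local claims provider trust with identifier $Identifier" }
    if (-not $t.Enabled) { throw "Trust $($t.Name) is disabled" }
    if ($t.AnchorClaimLdapAttribute -ne 'mail') { throw "Unexpected anchor attribute: $($t.AnchorClaimLdapAttribute)" }
    $mapped  = @($t.LdapAttributeToClaimMapping | ForEach-Object { $_.LdapAttribute })
    $missing = 'givenName', 'sn', 'cn' | Where-Object { $_ -notin $mapped }
    if ($missing) { throw "Trust is missing attribute mappings: $($missing -join ', ')" }
    "ADFS OK: $($t.Name) anchors on $($t.AnchorClaimLdapAttribute) and maps $($mapped -join ', ')"
}

$cred = Get-Credential -UserName 'CN=admin,DC=hades,DC=net' -Message 'LDAP admin password'
Test-LdapUserAttributes -Server ldap.hades.net -Port 389 -Cred $cred -Container 'DC=hades,DC=net' -Mail 'james@hades.net'
Test-LdapClaimsProviderTrust -Identifier 'urn:hades-net-ldap'
```

Both functions throw on the first mismatch, so a failed HRD login can be narrowed to either the directory side (bind or missing attributes) or the trust definition before repeating the browser test.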

