Traderhut Games

Reputation: 1292

Adding custom Claims to ADFS from SQL Server

I am trying to add the custom Attributes via the SQL, and I'm following the steps on [https://blogs.technet.microsoft.com/vinitt/2013/04/15/how-to-use-to-custom-sql-attribute-store-to-generate-claims-and-authorize-user]

I got the SQL Server set up, with the table 'attributes', but then I get to the step where it talks about the relying party trust... Just edit the non-existent relying party trust. (The application is working correctly right now; it is a website using ADFS to provide the authentication, but not the authorization.) I had code for the API side to query the database and add claims on the fly, but that only works for the server-side code; we really need those claims in the JWT.

So, looking at this article everything looked great. I got the SQL Server, and I just need to add the rule to hit the server once the person's logon is validated.

Sounds like a piece of cake, but there is nowhere to add the claim rule, as I don't have (or need?) any relying party trust. This can be handled 100% by the AD FS server, so no need for any relying party. I tried to add one, but couldn't get past the first question. Guessed on that one, and couldn't get past the second question. At this point I gave up... I doubt that entering random data into the form is going to work.

Can someone tell me how to add this? Please note: this is NOT a SharePoint site, and has nothing to do with SharePoint. It is a .NET site running an Angular application that redirects to the ADFS server and gets redirected back with the token.

So, is anything wrong with this claim rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(store = "SQL", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "SELECT role from dbo.ADFS_attributes where logon={0}", param = c.Value);

Specifically, the attributes table has logon and role, and I'm trying to create roles based on the records for that user. (In this case, it should create one per result, I hope.)

I've tried to change this to 'select 'Admin' role' in order to always return a role to use, but that doesn't work either. I don't see any errors in the event log, just nothing... no change to the JWT that comes back (still the same number of claims). I can't even seem to add 'email' as a pass-through claim, so I'm missing something here, or else it is missing something here. I don't know what.

OK, to make SURE this was working, I added the following claim rule:

 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Admin");

Yep, added it right to the Active Directory provider trust, so it would always add the 'Admin' role. Nada.

I added it directly to the 'Web Application' / Issuance Transform Rules, so there is no chance that it wouldn't be added. Nope, nothing.

I also verified that the 'role' was in the claim description, and checked to publish as both accepted and sent...

Still getting the same old 10 items in the JWT that I always got.

Oh, and I tried restarting the 'Active Directory Federation Services' service, and ticked 'clear browser cache' when the debugger is up on the web page.

Sounds like ADFS just doesn't actually work, or none of the claims rules run. Is there a global setting somewhere that says 'enable custom rules' that needs to be turned on?

Upvotes: 0

Views: 3188

Answers (2)

Traderhut Games

Reputation: 1292

Turns out that you can add the rules to the 'Application Group' / "Web Application", and select the "Issuance Transform Rules" and add your SQL Claim rule there:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] => issue(store = "SQL", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "SELECT role from dbo.ADFS_attributes where logon={0}", param = c.Value);

This allows you to add multiple roles if you have multiple roles.

The primary reason I wasn't seeing this was that the UI that was put on this was (somehow) posting a different token (without my roles) back to the API server. I'm looking into where it got that token and why the token wasn't validated (it didn't come from the server, or it would have had my roles added)... Very strange.

Solved the issue by using Postman to post to the server and then looking at the returned JWT, which was good.

It seems that no JWT signature verification was done by the last person.

Upvotes: 0
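The debugging described above (comparing the token Postman got back with the one the UI was posting, and noticing nobody verified signatures) can be scripted. This is an added example, not code from the question or answers: a stdlib-only inspector that decodes a JWT's claims for comparison, normalises ADFS's single-string/list shapes of the role claim, and refuses unsigned tokens. Decoding is deliberately separate from verification; the sample tokens, the `_make_unsigned_demo_token` helper and the `upn` value are constructed for the demo, and the short claim name `role` is an assumption about how ADFS shortens the role claim URI in JWTs.

```python
"""Inspect the claims in an ADFS-issued JWT without trusting it."""
import base64
import json

ROLE_CLAIM_URI = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# ADFS usually shortens the URI to "role" in JWTs (assumption); accept both.
ROLE_KEYS = ("role", ROLE_CLAIM_URI)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) for inspection only. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    if header.get("alg", "none").lower() == "none" or not parts[2]:
        raise ValueError("unsigned token: the API must reject this, not inspect it")
    return header, payload


def roles_in(payload: dict) -> list[str]:
    # ADFS emits one string for a single role claim and a list for several,
    # so normalise both shapes to a list.
    for key in ROLE_KEYS:
        if key in payload:
            value = payload[key]
            return list(value) if isinstance(value, list) else [value]
    return []


def diff_claims(payload_a: dict, payload_b: dict) -> set:
    """Claim names present in exactly one of the two payloads."""
    return set(payload_a) ^ set(payload_b)


def _make_unsigned_demo_token(payload: dict, alg: str = "RS256") -> str:
    # Constructed sample only: real header/payload, fake signature segment.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': alg})}.{enc(payload)}.c2lnbmF0dXJl"


# Constructed samples: what ADFS returns once the SQL rule runs, versus the
# role-less token the UI was posting back to the API in the question.
GOOD_TOKEN = _make_unsigned_demo_token({"upn": "alice@example.test", "role": ["Admin", "Auditor"]})
STALE_TOKEN = _make_unsigned_demo_token({"upn": "alice@example.test"})
```

Run `diff_claims` on the two payloads to see which claims the suspect token lacks; the API itself should still validate the signature against the ADFS signing certificate before acting on any role.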

rbrayb

Reputation: 46720

This is a better article since it doesn't reference SharePoint.

Also the rules should be "issue" rather than "add".

On the RP side, add the claims rules.

You need a RP trust because this is the application that is going to get the claims rules.

To add a RP trust manually, refer to this.

Also, you mention JWT? What protocol are you using? SAML? OpenID Connect?

Upvotes: 1
