
Tuesday, June 12, 2018

AWS–ADFS setup (Federation)–Windows AD

Recently I had to set up ADFS federation for access to AWS.

I found an excellent article about setting this up. However, I did experience some issues, which I detail here; there is nothing wrong with the article, it was just our environment.

https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

What happened is that in our domain we had set up some groups as domain local security groups. As it turns out, the method in the article that returns the groups for the user (the rule "Get AD Groups") uses an LDAP attribute called tokenGroups. What is not apparent is that this will not return groups that are distribution groups or domain local groups, so those memberships simply never make it into the claims.

There is no obvious error that indicates this; it was only while fault-finding that I stumbled across the article below, which has a side note stating this fact. It is actually in the real-world example.

https://blogs.technet.microsoft.com/askds/2013/05/07/ad-fs-2-0-claims-rule-language-part-2/

So the quickest and easiest solution for us was to change the group scope to universal. However, the second article above does detail that memberOf can be used in place of tokenGroups; the result is the full distinguished name of each group and needs to be manipulated (the CN extracted) before it can be used.

If I get time I will try to see whether I can use this method, and will post here if I can.

Update: Looking at this further, memberOf only includes groups in which the user is a direct member, so nested groups become a problem.
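To see the difference between the two attributes before changing anything in AD FS, the following PowerShell compares, for one user, what a tokenGroups-based rule and a memberOf-based rule would each have to work with, and also shows the CN extraction a memberOf rule needs and the domain-local-to-universal conversion used as the fix above. This is an added example, not code from the AWS or AskDS articles; it assumes the ActiveDirectory RSAT module on a domain-joined machine, and the user and group names used in the usage lines ('jdoe', 'AWS-Admins', 'example.com') are placeholders.

```powershell
# Added example (not from the articles referenced on this page). Requires the
# ActiveDirectory module and a domain-joined session. Names are placeholders.
Import-Module ActiveDirectory

function Compare-ClaimGroupSources {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    # tokenGroups is a constructed attribute: it is only populated when asked
    # for explicitly, and it holds SIDs rather than names or DNs.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, memberOf

    # Resolve each SID to a group so we can see its scope and category. SIDs
    # that do not resolve to a group object (well-known groups such as
    # Authenticated Users, or groups from a trusted forest) are skipped.
    $fromToken = foreach ($sid in $user.tokenGroups) {
        try { Get-ADGroup -Identity $sid.ToString() -Properties GroupScope, GroupCategory }
        catch { }
    }

    # memberOf holds the DNs of the groups the user is a DIRECT member of;
    # nested memberships and the primary group are not listed.
    $fromMemberOf = foreach ($dn in $user.memberOf) {
        Get-ADGroup -Identity $dn -Properties GroupScope, GroupCategory
    }

    $tokenDns    = @($fromToken    | ForEach-Object DistinguishedName)
    $memberOfDns = @($fromMemberOf | ForEach-Object DistinguishedName)

    [pscustomobject]@{
        # Direct memberships the tokenGroups rule never emits as claims. The
        # domain local (and distribution) groups that tripped up the AD FS
        # rule on this page show up here, with no error anywhere else.
        MissingFromTokenGroups = $fromMemberOf |
            Where-Object { $tokenDns -notcontains $_.DistinguishedName } |
            Select-Object Name, GroupScope, GroupCategory
        # Memberships only tokenGroups knows about: nested groups and the
        # primary group. A memberOf-based rule would miss these.
        OnlyInTokenGroups = $fromToken |
            Where-Object { $memberOfDns -notcontains $_.DistinguishedName } |
            Select-Object Name, GroupScope, GroupCategory
    }
}

# A memberOf-based rule receives values like
# "CN=AWS-Admins,OU=Groups,DC=example,DC=com" and has to reduce them to the
# CN before they can be matched against a role name. Commas inside the CN are
# escaped as "\," in a DN, so the pattern allows for that.
function Get-CnFromDn {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    if ($DistinguishedName -match '^CN=(?<cn>(?:\\,|[^,])+),') { return $Matches.cn }
    throw "Not a CN-based DN: $DistinguishedName"
}

# The fix used on this page: promote a domain local group to universal so it
# appears in tokenGroups. AD only allows domain local -> universal when the
# group does not itself contain another domain local group (groupType bit 0x4).
function Convert-GroupToUniversal {
    param([Parameter(Mandatory)] [string] $GroupName)
    $g = Get-ADGroup -Identity $GroupName -Properties members, GroupScope
    if ($g.GroupScope -eq 'Universal') { return $g }

    $blocking = $g.members |
        ForEach-Object { Get-ADObject -Identity $_ -Properties groupType } |
        Where-Object { $_.ObjectClass -eq 'group' -and ($_.groupType -band 0x4) }
    if ($blocking) {
        throw "Cannot convert $GroupName to universal; it contains domain local group(s): $($blocking.Name -join ', ')"
    }

    Set-ADGroup -Identity $g -GroupScope Universal
    Get-ADGroup -Identity $GroupName -Properties GroupScope
}

# Usage (placeholder names):
# Compare-ClaimGroupSources -SamAccountName 'jdoe' | Format-List
# Get-CnFromDn 'CN=AWS-Admins,OU=Groups,DC=example,DC=com'   # returns AWS-Admins
# Convert-GroupToUniversal -GroupName 'AWS-Admins'
```

Run Compare-ClaimGroupSources for a test user before and after changing a group's scope: a group that moves from MissingFromTokenGroups to neither list is now visible to the tokenGroups rule. Anything left in OnlyInTokenGroups is what you would lose by switching the rule to memberOf.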

Further reference:

https://social.technet.microsoft.com/wiki/contents/articles/13829.ad-fs-2-0-domain-local-groups-in-a-claim.aspx

https://www.morgantechspace.com/2015/08/active-directory-tokengroups-vs-memberof.html

