
I have an AD FS claims provider set up and a Shibboleth SP successfully authenticating against it. When I log into the site that's protected by Shibboleth, the index shows all of the headers. I am receiving UPN as expected, but I am not able to get other attributes like surname or sAMAccountName to send.

I currently have 3 claims rules (screenshots not reproduced):

Rule 1:

Rule 2:

Rule 3:

From the logs on the Shibboleth SP machine, it doesn't appear that the sn is being sent as an OID attribute.

If I edit the attribute-map.xml and remove the references to the eppn, then I get the following in the shibd log:

2015-06-23 11:29:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6

There is no mention similar to the above output about the surname or sn in the shibd log, which makes me believe that the "Transform SN" rule is not written correctly.


UPDATED INFO:

I was able to get surname to work by changing rule 1 from manually typing in sn to selecting the dropdown option surname. What do I need to do to get other AD fields with no dropdown to select to work?

I'm adding fields such as streetAddress. For Rule 1, I've manually typed in streetaddress for the LDAP attribute and the outgoing claim type.

Then I added an additional rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress"]
 => issue(Type = "urn:oid:2.5.4.232", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

I don't know if http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress is correct or not, but the value isn't mapping.
How do I get LDAP attributes that cannot be selected from the dropdown to work?


Edit 2:

I forgot to add the result of selecting View Rule Language (as requested by Matthieu below):

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "streetaddress"), query = ";userPrincipalName,sn,givenName,sAMAccountName,streetaddress;{0}", param = c.Value);

It seems that it's only getting streetaddress, whereas all of the other values have a schema to them. Since there is no schema, it won't match the Transform rule for streetaddress because the if statement is looking for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress. What am I supposed to do for values that are not selected from the dropdown selection?


I figured it out:

I changed the transform rule to the following:

c:[Type == "streetaddress"]
 => issue(Type = "urn:oid:2.5.4.232", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

Instead of looking for Type == a schema, I just put streetaddress. Then in Shibboleth SP, I changed the attribute-map.xml to add this:

<Attribute name="urn:oid:2.5.4.232" id="streetaddress"/>

OID above was arbitrary.

OrangeGrover


To check whether your "Transform SN" rule works as expected, install Fiddler. Then install this inspector so it is easier to read SAML messages.

With these tools, you will be able to see what is sent from your ADFS server to your Shibboleth SP. Then you will know on which side the configuration error is.

Edit: on screen #1, at the bottom of the window, what do you see when you click the "View Rule Language" button? Did you manually type "sn" in the "Outgoing Claim Type" box on the right?

Edit 2: what you type in the box is exactly what is used as a claim type. If you type "foo", then your claim type is "foo". If you want "http://foo" instead, then you have to type "http://foo". If you need a long claim type, instead of typing everything in the box, create a new claim description (navigate the tree on the left, "AD FS" -> "Service" -> "Claim Descriptions"). This creates a new option in the dropdown, which is simpler to use.

Matthieu
  • Yes, I had manually typed `sn` into the box. Once I selected the dropdown of surname, it started to work. I am having trouble adding attributes that are not included in the dropdown - is there a different procedure? I edited the question with more info. – OrangeGrover Jun 24 '15 at 17:24
  • The 'View Rule Language' helped me figure this out. Thank you. – OrangeGrover Jun 24 '15 at 23:51
  • Ok good news that it's working! I've edited my answer to add more info about claim descriptions, you may want to use them. – Matthieu Jun 25 '15 at 07:44
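The two mismatches in this thread (a transform rule whose input Type is the schema URL while the store rule emits the bare claim type "streetaddress", and an OID that AD FS sends but attribute-map.xml does not map, which shibd logs as "skipping unmapped") can be caught by a static cross-check before reaching for Fiddler. The script below is an added example, not code from either poster; the rule text, attribute-map.xml and shibd log line are constructed inputs modelled on the question, and the surname OID urn:oid:2.5.4.4 is an assumption not taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the question; not from a real deployment.
ADFS_RULES = r'''
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "streetaddress"), query = ";sn,streetaddress;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress"]
 => issue(Type = "urn:oid:2.5.4.232", Value = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
 => issue(Type = "urn:oid:2.5.4.4", Value = c.Value);
'''
ATTRIBUTE_MAP = '''<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:oid:2.5.4.232" id="streetaddress"/>
</Attributes>'''
SHIBD_LOG = ("2015-06-23 11:29:08 INFO Shibboleth.AttributeExtractor.XML [1]: "
             "skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6")

RULE_RE = re.compile(r'c:\[Type == "([^"]+)"[^\]]*\]\s*=> issue\((.*?)\);', re.S)

def parse_rules(text):
    """Return (claim types emitted by store rules, {transform input type: SAML attribute name})."""
    store_types, transforms = set(), {}
    for cond, body in RULE_RE.findall(text):
        m = re.search(r'types = \(([^)]*)\)', body)
        if m:  # attribute-store rule: it emits exactly the claim types listed in types=(...)
            store_types |= set(re.findall(r'"([^"]+)"', m.group(1)))
            continue
        m = re.search(r'Type = "([^"]+)"', body)
        if m:  # transform rule: fires only when a claim of type `cond` already exists
            transforms[cond] = m.group(1)
    return store_types, transforms

def mapped_names(xml_text):
    root = ET.fromstring(xml_text)  # namespace-agnostic match on the Attribute element
    return {e.get("name") for e in root.iter() if e.tag.split("}")[-1] == "Attribute"}

def log_unmapped(log_text):
    return set(re.findall(r"skipping unmapped SAML 2\.0 Attribute with Name: (\S+)", log_text))

def audit(rules=ADFS_RULES, attr_map=ATTRIBUTE_MAP, log=SHIBD_LOG):
    store_types, transforms = parse_rules(rules)
    return {
        "transform_without_source": sorted(set(transforms) - store_types),  # never fires on the AD FS side
        "issued_but_unmapped": sorted(set(transforms.values()) - mapped_names(attr_map)),  # shibd will skip
        "log_unmapped": sorted(log_unmapped(log)),  # what shibd actually reported skipping
    }
```

Run `audit()` against the exported rule language (View Rule Language), the SP's attribute-map.xml and a slice of shibd.log; an empty `transform_without_source` and `issued_but_unmapped` means the remaining problem is on the wire and worth a Fiddler capture.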