Claims Provider missing from AD FS console


    Hi all,

    I'm working on setting up a federated connection between an AD and another LDAP server (Oracle's OUD). I've created (or think I have created) the Local Claims Provider Trust with the following commands:

    $ldapPass = ConvertTo-SecureString -String "XXXX" -AsPlainText -Force
    $ldapUser = "cn=orcladmin"
    $ldapCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ldapUser,$ldapPass
    $ldapDirectory = New-AdfsLdapServerConnection -HostName X.X.X.X -Port 1389  -AuthenticationMethod Basic -Credential $ldapCred -SslMode None
    
    $GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    $Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    $CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"
    
    Add-AdfsLocalClaimsProviderTrust -Name "myldap" -Identifier "urn:testldap" -Type LDAP -LdapServerConnection $ldapDirectory -UserObjectClass inetOrgPerson -UserContainer "ou=myUsers,c=us" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute uid -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($GivenName, $Surname, $CommonName) -Enabled $True -AcceptanceTransformRules "c:[] => issue(claim=c);"


    Immediately after running this, I see traffic hitting the LDAP Server:

     SEARCH REQ conn=1479 op=6 msgID=97 base="" scope=base filter="(objectClass=*)" attrs="configurationNamingContext,defaultNamingContext,schemaNamingContext,supportedCapabilities,rootDomainNamingContext"

    and I see the Trust when I run the following:

    PS C:\Users\backupadmin> Get-AdfsLocalClaimsProviderTrust -Name "myldap"
    
    
    UserObjectClass             : inetOrgPerson
    UserContainer               : ou=myUsers,c=us
    AnchorClaimLdapAttribute    : uid
    LdapAuthenticationMethod    : Basic
    LdapServerConnection        : {X.X.X.X}
    LdapAttributeToClaimMapping : {Microsoft.IdentityServer.Management.Resources.LdapAttributeToClaimMapping,
                                  Microsoft.IdentityServer.Management.Resources.LdapAttributeToClaimMapping,
                                  Microsoft.IdentityServer.Management.Resources.LdapAttributeToClaimMapping}
    LocalClaimsProviderType     : Ldap
    AnchorClaimType             : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    IdentifierType              : http://schemas.microsoft.com/ws/2009/12/identityserver/principaltypes/uri
    Identities                  : {http://schemas.microsoft.com/ws/2009/12/identityserver/urn:testldap}
    AcceptanceTransformRules    : c:[]
                                   => issue(claim = c);
    
    
    OrganizationalAccountSuffix : {}
    Enabled                     : True
    IsLocal                     : True
    Identifier                  : urn:testldap
    Name                        : myldap
    Notes                       :
    ProtocolProfile             : WsFed-SAML

    The strange thing is that I cannot see the Trust when viewing the "Claims Provider Trusts" in the AD FS Console. I also can't seem to force the federation to take place yet. I have enabled the /adfs/ls/IdpInitiatedSignOn.aspx page and see my federated ldap account there, however, I'm not able to input a user name when selecting the "myldap" option and when I do select the ldap option, I see no traffic on the LDAP server.

    I'm very new to Windows Server management in general so please forgive me if something in my reasoning is off.

    Thanks,

    Justin


    Edited by j.offett Friday, November 30, 2018 6:58 PM
    Friday, November 30, 2018 6:57 PM
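As an added example (not part of the question above, and not Microsoft's or Oracle's own code), the same trust rebuilt so the bind credential does not cross the network in the clear and the acceptance rule only forwards the claim types the trust is meant to supply: the question's `-Port 1389 -SslMode None` with `-AuthenticationMethod Basic` sends the `cn=orcladmin` password as a cleartext simple bind, and `c:[] => issue(claim=c);` passes through every claim the provider emits. The host name, the LDAPS port and the container are placeholders; OUD is assumed to already have an LDAPS listener whose certificate the AD FS server trusts.

```powershell
# Added example: hardened variant of the local claims provider trust from the question.
# "oud.example.com", port 636 and the container are placeholders, not values from the post.

# Prompt for the bind password instead of embedding it in the script.
$ldapCred = Get-Credential -UserName "cn=orcladmin" -Message "OUD bind password"

# LDAPS instead of a cleartext Basic bind on 1389.
$ldapDirectory = New-AdfsLdapServerConnection -HostName "oud.example.com" -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $ldapCred

# Same attribute-to-claim mappings as in the question.
$givenName  = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$surname    = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn        -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
$commonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn        -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"

# Acceptance rules that issue only the anchor (UPN) claim and the three mapped
# name claims, rather than "c:[] => issue(claim=c);" which forwards everything.
$acceptRules = @'
@RuleName = "Pass through anchor claim from myldap"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
@RuleName = "Pass through mapped name claims from myldap"
c:[Type =~ "^http://schemas\.xmlsoap\.org/(ws/2005/05/identity/claims/(givenname|surname)|claims/CommonName)$"]
 => issue(claim = c);
'@

Add-AdfsLocalClaimsProviderTrust -Name "myldap" -Identifier "urn:testldap" -Type LDAP `
    -LdapServerConnection $ldapDirectory -UserObjectClass inetOrgPerson `
    -UserContainer "ou=myUsers,c=us" -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute uid `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -LdapAttributeToClaimMapping @($givenName, $surname, $commonName) `
    -Enabled $true -AcceptanceTransformRules $acceptRules

# Verify what AD FS stored: the connection settings and the rule text.
$trust = Get-AdfsLocalClaimsProviderTrust -Name "myldap"
$trust.LdapServerConnection | Format-List
$trust | Select-Object Name, Enabled, AcceptanceTransformRules | Format-List
```

On the OUD side the same SEARCH REQ lines shown in the question should now arrive over the LDAPS listener, which is the quickest way to confirm the bind is no longer in cleartext.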