Hi all,
I'm working on setting up a federated connection between an AD and another LDAP server (Oracle's OUD). I've created (or think I have created) the Local Claims Provider Trust with the following commands:
$ldapPass = ConvertTo-SecureString -String "XXXX" -AsPlainText -Force
$ldapUser = "cn=orcladmin"
$ldapCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ldapUser,$ldapPass
$ldapDirectory = New-AdfsLdapServerConnection -HostName X.X.X.X -Port 1389 -AuthenticationMethod Basic -Credential $ldapCred -SslMode None
$GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"
Add-AdfsLocalClaimsProviderTrust -Name "myldap" -Identifier "urn:testldap" -Type LDAP -LdapServerConnection $ldapDirectory -UserObjectClass inetOrgPerson -UserContainer "ou=myUsers,c=us" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute uid -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($GivenName, $Surname, $CommonName) -Enabled $True -AcceptanceTransformRules "c:[] => issue(claim=c);"
Immediately after running this, I see traffic hitting the LDAP Server:
SEARCH REQ conn=1479 op=6 msgID=97 base="" scope=base filter="(objectClass=*)" attrs="configurationNamingContext,defaultNamingContext,schemaNamingContext,supportedCapabilities,rootDomainNamingContext"
and I see the Trust when I run the following:
PS C:\Users\backupadmin> Get-AdfsLocalClaimsProviderTrust -Name "myldap"
UserObjectClass : inetOrgPerson
UserContainer : ou=myUsers,c=us
AnchorClaimLdapAttribute : uid
LdapAuthenticationMethod : Basic
LdapServerConnection : {X.X.X.X}
LdapAttributeToClaimMapping : {Microsoft.IdentityServer.Management.Resources.LdapAttributeToClaimMapping,
Microsoft.IdentityServer.Management.Resources.LdapAttributeToClaimMapping,
Microsoft.IdentityServer.Management.Resources.LdapAttributeToClaimMapping}
LocalClaimsProviderType : Ldap
AnchorClaimType : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
IdentifierType : http://schemas.microsoft.com/ws/2009/12/identityserver/principaltypes/uri
Identities : {http://schemas.microsoft.com/ws/2009/12/identityserver/urn:testldap}
AcceptanceTransformRules : c:[]
=> issue(claim = c);
OrganizationalAccountSuffix : {}
Enabled : True
IsLocal : True
Identifier : urn:testldap
Name : myldap
Notes :
ProtocolProfile : WsFed-SAML
The strange thing is that I cannot see the Trust when viewing the "Claims Provider Trusts" in the AD FS Console. I also can't seem to force the federation to take place yet. I have enabled the /adfs/ls/IdpInitiatedSignOn.aspx page and see my federated LDAP account there; however, I'm not able to input a user name when selecting the "myldap" option, and when I do select the LDAP option, I see no traffic on the LDAP server.
I'm very new to Windows Server management in general so please forgive me if something in my reasoning is off.
Thanks,
Justin
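One way to check the OUD side independently of AD FS, as an added example that is not part of the original post or of the AD FS cmdlets: bind with the same DN, then run the same kind of search the trust has to run (object class plus anchor attribute under the user container) and confirm the attributes behind the three claim mappings are actually returned. Host, port, bind DN and the test uid "jdoe" are assumed placeholders; the -StartTls switch is the rough equivalent of -SslMode Tls, so the orcladmin password is not sent in clear over port 1389.

```powershell
# Added example, not code from the original post or from AD FS.
# Assumptions: X.X.X.X:1389 and cn=orcladmin as in the post; "jdoe" is a made-up test uid.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapUserLookup {
    param(
        [string]$HostName = "X.X.X.X",
        [int]$Port = 1389,
        [string]$BindDn = "cn=orcladmin",
        [Parameter(Mandatory)][securestring]$BindPassword,
        [string]$UserContainer = "ou=myUsers,c=us",
        [string]$UserObjectClass = "inetOrgPerson",
        [string]$AnchorAttribute = "uid",
        [string]$TestUserId = "jdoe",
        [switch]$StartTls   # upgrade the session before binding, like -SslMode Tls on the AD FS connection
    )
    # Escape the RFC 4515 special characters so a test value cannot change the filter's shape.
    $safeId = $TestUserId -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($StartTls) { $conn.SessionOptions.StartTransportLayerSecurity($null) }
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $BindPassword)
    try {
        $conn.Bind()   # throws LdapException if the DN/password or host/port are wrong
        # Attributes the anchor claim and the three New-AdfsLdapAttributeToClaimMapping entries read.
        $wanted = @($AnchorAttribute, 'givenName', 'sn', 'cn')
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    $UserContainer,
                    "(&(objectClass=$UserObjectClass)($AnchorAttribute=$safeId))",
                    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
                    $wanted)
        $resp  = $conn.SendRequest($req)
        $entry = if ($resp.Entries.Count -eq 1) { $resp.Entries[0] } else { $null }
        [pscustomobject]@{
            Found             = ($null -ne $entry)
            MatchCount        = $resp.Entries.Count   # must be exactly 1 for the anchor to be usable
            Dn                = if ($entry) { $entry.DistinguishedName } else { $null }
            MissingAttributes = if ($entry) { @($wanted | Where-Object { -not $entry.Attributes.Contains($_) }) } else { $wanted }
        }
    } finally { $conn.Dispose() }
}

# Example run; prompts for the bind password instead of embedding it in the script.
# Test-LdapUserLookup -BindPassword (Read-Host -AsSecureString 'Bind password') -StartTls
```

If Bind() fails or MatchCount is not 1, the trust cannot resolve the user either, regardless of what the AD FS console shows; a non-empty MissingAttributes list means a claim mapping will be empty even when the login itself works.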