What is the difference between Add-AdfsLocalClaimsProviderTrust cmdlet and Add Claims Provider Trust action from AD FS Management?

  • Question

  • I've been recently introduced to AD FS and am trying to add OUD (Oracle directory) to an AD FS server. I am not sure the technical terms I used are even correct. I am still trying to understand all the features/components involved in a particular scenario I ran into.

    Scenario:

    1. A user comes in to access an AWS Windows 10 client.

    2. An AD Connector sits behind this client server to authenticate the user.

    3. The user entry is found in the AD Connector, but the actual authentication is handled by AD FS as a service (?) or OUD. His/her attributes are all stored in the OUD instead of the AD Connector. I think the AD Connector, in the AWS realm, is acting as AD.

    4. Somehow AD FS, working with OUD and the AD Connector all together, should be able to authenticate the incoming user.

    To meet this requirement, I followed this thread: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories

    So I was able to execute the cmdlet successfully: Add-AdfsLocalClaimsProviderTrust

    However, when I accessed AD FS Management, I was not sure how to verify whether this OUD is visible or not. That is my first question.

    Related to the first question: under the AD FS tree > Claims Provider Trusts, I didn't see anything related to OUD. Is this the right behavior?

    My third question is: I see Add Claims Provider Trust under Actions, which starts a wizard. I am not sure what this is for. Is this the same as Add-AdfsLocalClaimsProviderTrust? Or is this Add Claims Provider Trust another step required to incorporate OUD into the AD FS server?
    • Edited by vitovnica Friday, December 7, 2018 11:21 PM
    Wednesday, December 5, 2018 4:34 PM

All replies

  • To check whether your LDAP directory is visible or not: under the Service node in the AD FS console, click Attribute Stores.

    Difference between "Claims Provider Trust" and "Local Claims Provider Trust":

    Claims provider trust: In the AD FS Management snap-in, claims provider trusts are trust objects typically created in resource partner organizations to represent the organization in the trust relationship whose accounts will be accessing resources in the resource partner organization. A claims provider trust object consists of a variety of identifiers, names, and rules that identify this partner to the local Federation Service.

    Local claims provider trust: A trust object that represents AD LDS or third-party LDAP-based directories in an AD FS farm. A local claims provider trust object consists of a variety of identifiers, names, and rules that identify this LDAP-based directory to the local Federation Service.

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts

    To configure AD FS to enable authentication of users stored in LDAP directories, try this procedure:

    - Open the AD FS console.

    - Under the Service node, right-click Attribute Stores, and then click Add Attribute Store.

    - Type a name, and then in the Attribute store type list, click LDAP.

    - In the Connection String box, type the connection string, and then click OK. The string looks something like this: ldap://localhost:port/cn=LdapUsers,...

    After creating the attribute store, you can create a new claims provider trust.

    _____________________________________________________

    Please don't forget to mark the correct answer, to help others who have the same issue.

    Tahar AROUA: MCSE Cloud Platform and Infrastructure



    • Edited by Tahar AROUA Friday, December 7, 2018 9:18 PM
    Friday, December 7, 2018 9:12 PM
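The reply above distinguishes the two trust types but does not show the local one end to end. The block below is an added example, not code from the original thread or from Microsoft's documentation page, that registers an LDAP directory such as OUD as a local claims provider trust and then verifies it from PowerShell. The hostname myOUD.foocomanay.com is taken from the thread; the LDAPS port 1636, the bind account DN, the user container ou=People,dc=foocomanay,dc=com, the inetOrgPerson object class and the claim names are assumptions that would be replaced with the real directory's values.

```powershell
# Added example (not from the original thread): register an LDAP directory (OUD) as a
# local claims provider trust in AD FS 2016+ and check that it exists.
# Hostname is from the thread; port, bind DN, user container and object class are assumed.

# 1. Bind credentials. Use a dedicated read-only account (assumed DN), not the OUD
#    superuser cn=Directory Manager: AD FS stores this secret and binds with it constantly.
$oudCred = Get-Credential -Message "Bind account for OUD (e.g. cn=adfs-bind,ou=svc,dc=foocomanay,dc=com)"

# 2. Connection to the directory. SslMode Ssl means LDAPS; 1636 is assumed to be the OUD
#    LDAPS port. The thread's ldap://...:1389 is plain LDAP, which would send the bind
#    password and every user password AD FS validates in clear text.
$oudConn = New-AdfsLdapServerConnection -HostName "myOUD.foocomanay.com" -Port 1636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $oudCred

# 3. Which LDAP attributes are issued as which claims (standard inetOrgPerson attributes).
$mappings = @(
    (New-AdfsLdapAttributeMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"),
    (New-AdfsLdapAttributeMapping -LdapAttribute sn        -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
    (New-AdfsLdapAttributeMapping -LdapAttribute mail      -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")
)

# 4. The local claims provider trust. -UserContainer is the assumed base DN under which
#    AD FS searches for the user; -AnchorClaimLdapAttribute is the attribute that uniquely
#    identifies the account; -OrganizationalAccountSuffix routes logins with that UPN
#    suffix to this directory.
Add-AdfsLocalClaimsProviderTrust -Name "OUD" -Identifier "urn:oud" -Type Ldap `
    -LdapServerConnection $oudConn `
    -UserObjectClass inetOrgPerson `
    -UserContainer "ou=People,dc=foocomanay,dc=com" `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -LdapAttributeToClaimMapping $mappings `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" `
    -OrganizationalAccountSuffix "foocomanay.com" `
    -Enabled $true

# 5. Verification. Local claims provider trusts are managed only through PowerShell and are
#    not listed under Claims Provider Trusts in the AD FS Management console, which is why
#    the console shows nothing for the directory even after the cmdlet succeeds.
Get-AdfsLocalClaimsProviderTrust -Name "OUD" | Format-List

# An LDAP attribute store added under Service > Attribute Stores (as described in the reply)
# is a different object and is listed here instead:
Get-AdfsAttributeStore | Select-Object Name, StoreTypeQualifiedName
```

Two things worth noting about the design: the acceptance rule `c:[] => issue(claim=c);` passes through every claim produced from the mapping, which is acceptable here because the only claims that exist are the three attributes mapped above; and a local claims provider trust and an attribute store serve different purposes. The trust lets AD FS authenticate a user against the directory (bind with the user's password), whereas an attribute store only lets claim rules look up extra attributes for a user who has already authenticated elsewhere.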
  • Please forgive my late reply. I got sidetracked for a while due to the nature of my work.

    I appreciate your reply. I was able to add a new Attribute Store (connection to the Oracle OUD directory) under Attribute Stores in the AD FS console.

    According to your instructions, the next step I should take would be creating a new claims provider trust.

    I started the wizard to create one, but I am stuck at the Select Data Source step: it asks me either to import data about the claims provider published online or on a local network (asking for the federation metadata address, hostname or URL), to import data about the claims provider from a file, or to enter the claims provider trust data manually.

    I must have misunderstood the difference between a claims provider trust and a local claims provider trust then. I thought the OUD directory would represent the local claims provider trust, and the AD running on the Windows server where the AD FS service is running would represent the claims provider trust.

    Am I adding the OUD directory as the data source in the Add Claims Provider Trust wizard? If so, what information, such as federation metadata, should I provide?

    Here is an example of the OUD directory system configuration.

    1. Oracle OUD directory is installed/running on a Linux server.
    2. Connection string: ldap://myOUD.foocomanay.com:1389
    3. username: cn=Directory Manager or cn=orcladmin
    4. password=<password>


    • Proposed as answer by Tahar AROUA Tuesday, December 11, 2018 10:18 AM
    • Unproposed as answer by Tahar AROUA Tuesday, December 11, 2018 10:18 AM
    Monday, December 10, 2018 6:27 PM
  • Your OUD directory has to be declared as an attribute store.

    To establish the federation trust you have to configure the Claims Provider Trust and the Relying Party Trust.

    For this you need to configure it manually or to import the federation metadata, which is used for communicating configuration information between a claims provider and a relying party to facilitate proper configuration of claims provider trusts and relying party trusts.

    I invite you to read this document to understand how to use federation metadata to establish a Relying Party trust:

    https://blogs.msdn.microsoft.com/card/2010/06/24/using-federation-metadata-to-establish-a-relying-party-trust-in-ad-fs-2-0/

    _____________________________________________________

    Please don't forget to mark the correct answer, to help others who have the same issue.

    Tahar AROUA: MCSE Cloud Platform and Infrastructure

    Tuesday, December 11, 2018 10:26 AM
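The federation metadata that the Add Claims Provider Trust wizard asks for is published by a partner security token service (another AD FS farm, or any SAML/WS-Federation identity provider), not by an LDAP directory; OUD has no metadata document, token-signing certificate or passive endpoints to import. The block below is an added example, not code from the original thread, showing what that wizard does when driven from PowerShell, so the two trust types can be compared side by side. The metadata URL, the trust name and the claim type are placeholders chosen for illustration.

```powershell
# Added example (not from the original thread): the PowerShell equivalent of the
# "Add Claims Provider Trust" wizard, for a federated partner STS that publishes metadata.
# The URL and names below are placeholders (assumptions).

$metadataUrl = "https://sts.partner.example/FederationMetadata/2007-06/FederationMetadata.xml"

# Import the partner's entity identifier, endpoints and token-signing certificate from
# its metadata. Monitoring + auto-update make AD FS re-read the metadata periodically,
# so a rolled signing certificate on the partner side does not silently break the trust.
# The acceptance rule deliberately passes through only the e-mail claim: a blanket
# "c:[] => issue(claim=c);" would let the partner assert arbitrary claims (group SIDs,
# roles) into this farm, which is a privilege-escalation path if the partner is compromised.
Add-AdfsClaimsProviderTrust -Name "Partner STS" -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -AcceptanceTransformRules 'c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(claim = c);'

# Verify what was imported. The token-signing certificate is what AD FS uses to validate
# tokens from this partner, so its subject and expiry are worth checking after import.
$cp = Get-AdfsClaimsProviderTrust -Name "Partner STS"
$cp | Select-Object Name, Identifier, Enabled, MetadataUrl, AutoUpdateEnabled
$cp.TokenSigningCertificates | Select-Object Subject, NotAfter, Thumbprint

# By contrast, a directory-backed trust created with Add-AdfsLocalClaimsProviderTrust has
# no metadata URL and no signing certificate; AD FS itself authenticates the user against
# the LDAP server and issues the token.
Get-AdfsLocalClaimsProviderTrust | Select-Object Name, Identifier, Enabled
```

In the scenario described in the thread, the directory-backed path is the one that applies: AD FS authenticates the user against OUD through the local claims provider trust and then issues tokens to the relying parties (for example the AWS sign-in endpoint) that trust this AD FS farm. A federation claims provider trust would only be needed if a separate identity provider, rather than AD FS, were authenticating the user.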