Assign PSU roles during the windows authentication (SSO)

Omar · September 26, 2024, 10:41am

Hello,

I’m completely new in Powershell Universal and the tool is really great ! However, i’m facing some difficulties when it comes to authentication.

In fact, my goal is to assign some PSU roles (such as Administrator or User) based on the AD group the user is in.
The difficulty is, i can’t figure out how to assign roles during the Windows SSO authentication without using ADFS (and so claims that comes with it, giving information about the connected, especially the groups he’s in) in the authentication.ps1. I’ve read many times the documentation, mainly this one About | PowerShell Universal and the “Example: Policy based on Active Directory Group Membership”.
The code ensures that the user is in the group i want, but i’m still finding a solution to attribute this user a psu role in the “if” statement.

Also, just for a better understanting of the code, why’s the function returning a boolean instead of Security.AuthenticationResult type as the documentation says that SET-PSUAuthenticationMethod should return this type ? (maybe this code was supposed to be a function and not inside the set-PSUAuthenticationMethod).

The code in question :

param(
$User
)

$UserName = ($User.Identity.Name)
$UserName = $UserName.Substring($UserName.IndexOf('\')+1,($UserName.Length -($UserName.IndexOf('\')+1)))

$IsMember = $false;

# Perform LDAP Group Member Lookup
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = 'LDAP://CN=Users,DC=berg,DC=com' # INSERT ROOT LDAP HERE
$Searcher.Filter = "(&(objectCategory=person)(memberOf=CN=PowerShell Universal Admins,OU=Information Technology,DC=berg,DC=com))" #GROUP INSERT DN TO CHECK HERE
$Users = $Searcher.FindAll()
$Users | ForEach-Object{
    If($_.Properties.samaccountname -eq $UserName)
    {
        $IsMember = $true;
        "$UserName is a member of admin group!" | Out-File "C:\test\adgroup.txt"
    }
    else {
        "$UserName is NOT member of admin group!" | Out-File "C:\test\adgroup.txt"
    }
}

return $IsMember

Thank you in advance for your response and let me know if i’m not clear !

Product: PowerShell Universal
Version: 1.4.6

Topic		Replies	Views
IIS Windows Authentication setting roles PowerShell Universal	4	373	April 1, 2021
Assign Roles without natively "Authenticating" in PSU. Is that possible? PowerShell Universal	6	593	November 2, 2023
Authentication and Policy based on Active Directory Group Membership PowerShell Universal	5	1351	August 18, 2021
Automatic authentication and role based access PowerShell Universal	4	463	October 26, 2021
Trying to implement authentication against either Active Directory, or local Windows user accounts PowerShell Universal	7	1183	November 26, 2021

Assign PSU roles during the windows authentication (SSO)

Related Topics