Product: PowerShell Universal
Version: 5.5.2
Hi there,
first off - after binging all the intro videos and a first very good impression, I am unfortunately a little disappointed by the available documentation of PSU - it just doesn't match the great product itself.
Some things are outdated, technically not complete or correct (e.g. SSO stuff, as already pointed out by some others) - or just missing, like additional module documentation and parameterization docs. And now it seems that the videos are also quite outdated compared to the latest version.
So, I have some hope that this is maybe the proper place to have these questions.
- Is there any way that Windows authentication uses UPN instead of sAMAccountName?
Why we want to have it - well, simply using OpenIDC & Windows in parallel. At the moment both work in general, but create separate identities…
- For that we also wanted to assign multiple claims in parallel. As the UI just adds one, we wanted to edit the admin role with the Policy Editor as shown in the video, but were surprised it is completely empty by default, not showing the stuff as in the video?
- Unfortunately, we activated the module that imports the AD groups without setting $PSUGroupFilter first and we now have too many groups imported. The post on the release of the module names the $PSUGroupFilter, but unfortunately we couldn't find any further instruction on how the filter works / what syntax it should have. (The page linked in the Modules docs https://ironmansoftware.com/powershell-universal/modules brings a 404. The modules page found by search also doesn't explain any further things.)
- What is the difference between PowerShellUniversal.Roles.ActiveDirectory and Universal.Security.ActiveDirectoryRoles?
Don't get me wrong: PSU seems to be an awfully great product, but the "onboarding" experience is a little disappointing with the available documentation, and the inline "Show Help" button also often brings up an empty frame. Would be great if some other experienced user could help here.
Thanks a lot in advance!
If you look in the Security>Roles section, you can create custom Roles and/or modify the existing Roles. Browsers and their settings define SSO. If a Browser is configured to use SSO, it will provide the user's claims. Within the code section for each role, you define what returns true or false.
For example, you could do this to determine an Administrator:
$UserName = ($User.Identity.Name)
#Get cleaned up samaccount name
$UserName = $UserName.Substring($UserName.IndexOf('\') + 1, ($UserName.Length - ($UserName.IndexOf('\') + 1)))
function IsUserMemberOfGroup {
param (
[string]$GroupName,
[string]$Username
)
# Query the nearest AD server running web services
$groupMembers = Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty SamAccountName
# Check if the current user is a member of the group
$isMember = $groupMembers -contains $username
return $isMember
}
$groupName = "Name of AD Security Group"
#Will return true (assign user as Administrator) if user is a member of the AD group. Will return false (not assign Administrator role) if not a member
IsUserMemberOfGroup -GroupName $groupName -Username $userName
In your case, use the samaccount name to get the SPN and use whatever technique you want to determine if a user is assigned the role or not.
Attempt 2 to post code
param(
[Security.ClaimsPrincipal]$User
)
<#
Policies should return $true or $false to determine whether the user has the particular
claim required for that role.
#>
$UserName = ($User.Identity.Name)
#Get cleaned up samaccount name
$UserName = $UserName.Substring($UserName.IndexOf('\') + 1, ($UserName.Length - ($UserName.IndexOf('\') + 1)))
function IsUserMemberOfGroup {
param (
[string]$GroupName,
[string]$Username
)
# Query the nearest AD server running web services
$groupMembers = Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty SamAccountName
# Check if the current user is a member of the group
$isMember = $groupMembers -contains $username
return $isMember
}
$groupName = "Name of AD Security Group"
IsUserMemberOfGroup -GroupName $groupName -Username $userName
Hi @twesterd ,
thanks for your reply. Agree on the dual-claim check. We followed a simpler approach now with
# Check role claim for OpenIDC SSO w/Entra OR On-Prem Windows SSO Groups (non-nested)
if (
($User.HasClaim('http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid', 'S-1-5-21-THESID')) -or ($User.HasClaim('http://schemas.microsoft.com/ws/2008/06/identity/claims/role', 'ENTRAGROUPCLAIM'))
) {
$true
}
However, we couldn't find out yet how we can configure PSU to use the userPrincipalName instead of sAMAccountName as username within PSU itself.
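As an added example that is not part of this thread or of PSU's own code, here is a role policy in the shape twesterd's answer describes, using the claim checks from the reply above, plus in-memory ClaimsPrincipal objects so it can be run outside PSU; the group SID, the Entra role value and the user names are placeholders.

```powershell
# Added example (not from the thread or from PSU's own code): a role policy that
# accepts either an on-prem Windows identity (groupsid claim) or an Entra OIDC
# identity (role claim), with constructed principals to check it offline.
# The group SID, the Entra role value and the user names are placeholders.
$GroupSidClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$RoleClaim      = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$AdminGroupSid  = 'S-1-5-21-PLACEHOLDER-1234'   # placeholder SID of the on-prem admin group
$EntraAdminRole = 'PSU-Admins'                  # placeholder app-role value issued by Entra

function Test-AdminRolePolicy {
    param([System.Security.Claims.ClaimsPrincipal]$User)
    if ($null -eq $User -or -not $User.Identity.IsAuthenticated) { return $false }
    # Windows auth carries one groupsid claim per group in the token (non-nested);
    # OIDC with Entra carries the role claims configured on the app registration.
    $isWindowsAdmin = $User.HasClaim($GroupSidClaim, $AdminGroupSid)
    $isEntraAdmin   = $User.HasClaim($RoleClaim, $EntraAdminRole)
    # Return an explicit boolean so the policy never yields $null.
    return [bool]($isWindowsAdmin -or $isEntraAdmin)
}

# Reduce DOMAIN\sam or user@domain to the bare user part so the same person can be
# matched across both sign-in paths; adjust if your sAMAccountName and UPN prefix differ.
function Get-NormalizedUserName {
    param([string]$Name)
    if ($Name -match '^[^\\]+\\(.+)$') { return $Matches[1].ToLowerInvariant() }
    if ($Name -match '^([^@]+)@')      { return $Matches[1].ToLowerInvariant() }
    return $Name.ToLowerInvariant()
}

# Build a ClaimsPrincipal in memory (no PSU or AD needed) for testing the policy.
function New-TestPrincipal {
    param([string]$Name, [hashtable]$Claims)
    $identity = [System.Security.Claims.ClaimsIdentity]::new('TestAuth')  # non-empty type => IsAuthenticated
    $identity.AddClaim([System.Security.Claims.Claim]::new([System.Security.Claims.ClaimTypes]::Name, $Name))
    foreach ($type in $Claims.Keys) {
        $identity.AddClaim([System.Security.Claims.Claim]::new($type, $Claims[$type]))
    }
    return [System.Security.Claims.ClaimsPrincipal]::new($identity)
}

$winUser   = New-TestPrincipal -Name 'CORP\jdoe' -Claims @{ $GroupSidClaim = $AdminGroupSid }
$oidcUser  = New-TestPrincipal -Name 'jdoe@corp.example' -Claims @{ $RoleClaim = $EntraAdminRole }
$guestUser = New-TestPrincipal -Name 'CORP\guest' -Claims @{}

"Windows admin: $(Test-AdminRolePolicy $winUser)"
"Entra admin:   $(Test-AdminRolePolicy $oidcUser)"
"Guest:         $(Test-AdminRolePolicy $guestUser)"
"Same person:   $((Get-NormalizedUserName 'CORP\jdoe') -eq (Get-NormalizedUserName 'jdoe@corp.example'))"
```

Inside PSU the policy body is just the Test-AdminRolePolicy function's contents with $User supplied by the platform; the other two functions exist only to exercise it locally.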
I would love to see this as well.