Best Way of Finding AD Claims Mapping

I’m setting up the authentication and authorization aspects of our PowerShell Universal environment (admin page, dashboards, etc.) and I’m taking advantage of claims.

I’m struggling to figure out a straightforward way to determine the URI for a given claim type. For example, the PSU documentation shows an example of using a group SID for claims, but if I want to use group name instead I have to find the appropriate URI. How can I do that?

Product: PowerShell Universal
Version: 2.12.5

This depends on your authentication type. The reason we show how to use group SIDs is because that’s what the available claims are for Windows Authentication. The authentication provider doesn’t receive or resolve the SIDs to names so they aren’t available in the claim mapping.

You can view all your available claims (including URLs) by clicking View Claim Information on the Roles page. https://docs.powershelluniversal.com/v/master-1/config/security#view-claim-information

For some authentication providers, they don’t use URIs at all but rather just strings (e.g. groups) for the claim type.

Hey @adam,

When I click “View Information” I only see the claims associated with the account I’m currently logged in with. That helps me see the claims applied to the user I’m currently logged in with, but searching the Internet for a list of claims for a given provider has not been very effective; at least for me.

For “group name” I found the following on the Microsoft site included below (look under the “What are claim types?” section). It works with what I’m doing even though it’s for ADFS and I’m not utilizing federation at all. Perhaps there’s claim overlap between ADFS and regular AD (this is an area where my knowledge is rather shaky). My form auth script confirms that the username entered to log into the admin page is in the appropriate AD group.
Claim URI: http://schemas.xmlsoap.org/claims/Group
Claim Name: Group
Source Site: The Role of Claims | Microsoft Learn
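
An added example, not part of the thread and not PowerShell Universal code: on a Windows host, the .NET `System.Security.Claims.ClaimTypes` class lists the well-known claim type URIs, and the current Windows identity's group SID claims can be resolved to names locally to decide which SID to put in a role mapping. The function names `Get-WellKnownClaimType` and `Get-GroupSidClaim` are hypothetical; provider-specific claim types may not appear in the first list.

```powershell
# Added example. Assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows.

function Get-WellKnownClaimType {
    # ClaimTypes exposes each well-known claim type URI as a public constant string.
    [System.Security.Claims.ClaimTypes].GetFields('Public,Static') |
        Where-Object { $_.IsLiteral -and $_.FieldType -eq [string] } |
        ForEach-Object {
            [pscustomobject]@{
                Name = $_.Name
                Uri  = $_.GetRawConstantValue()
            }
        } |
        Sort-Object Name
}

function Get-GroupSidClaim {
    param(
        [System.Security.Principal.WindowsIdentity]
        $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    # Windows Authentication carries group membership as SID-valued claims.
    $groupSidType = [System.Security.Claims.ClaimTypes]::GroupSid
    $groupClaims  = @($Identity.Claims | Where-Object { $_.Type -eq $groupSidType })

    foreach ($claim in $groupClaims) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($claim.Value)
        try {
            # Resolve the SID to DOMAIN\Name on this host; the claim itself holds only the SID.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Some SIDs have no account name, or the domain cannot be reached.
            $name = $null
        }
        [pscustomobject]@{
            ClaimType = $claim.Type
            Sid       = $claim.Value
            GroupName = $name
        }
    }
}

Get-WellKnownClaimType | Format-Table -AutoSize
Get-GroupSidClaim      | Format-Table -AutoSize
```

The second table only covers the account running the script, so run it as the user whose group membership you want to map.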