OIDC Roles & Identities

I’m having to admit failure and ask for help on a few things…

I am struggling to get users who are logging in via OIDC to get assigned to roles correctly. The user's Role is showing as ‘Policy Defined’ rather than the new Role I’ve created. I can see with Windows Auth you’d need a policy set up to assign the user based on claim info, but I can’t tell if this is necessary with OIDC, as you have ‘Claim Type’ and ‘Claim Value’ fields that should do this automatically?

When I am logged in I can click on ‘View Claim Information’ and see all of the necessary info that needs to be retrieved from Azure AD to be able to assign the roles, so I need to ask whether I still need something defined in the policy to achieve this?

I am also confused about which variables are available within ‘Pages’, as I can’t view the output of $Roles or $ClaimsPrincipal to be able to pass information like the logged-in user’s UPN or Display Name to scripts I have set up. Are these variables only available in Dashboards?

Product: PowerShell Universal
Version: 2.8.3

Regarding the OIDC role assignment, you need to map the claims value in whatever Role you are trying to create. For example, using Azure AD the groups come through in the “groups” claim, so if I create a role, I would define the Claim Type as ‘groups’ and the value as whatever that relevant value is:

Edit: Editing to add that your claim type may be different, but that’s where you would reference the type/value in the “View Claim Information” to assign the role. Also, be aware that if you map the role this way the .ps1 is ignored.

(screenshot of the role’s Claim Type and Claim Value fields)

Once you do that, if someone is set to ‘Policy Defined’, they will get assigned any roles where the claims mapping is true.

I’m not as well versed on the variables, but there is for sure a built-in “$User” variable within dashboard/pages that contains that person’s username (e.g. in my case it’s UPN as that’s what Azure AD sends as the identifier in the SAML claim).

Thanks for replying. I have the role set up as you have shown in your screenshot, and the role next to the users I have asked to log in is showing as ‘Policy Defined’. I thought it might show the name of the role instead, as it would be easier to know they have picked up the correct role.

My problem is that users are signing in and still seeing pretty much everything: endpoints, scripts etc… I have configured the accesscontrols.ps1 to use tags to limit what users can see, but this can’t be taking effect properly.

My Role is called Service Desk and the tag access control is set up as:

# accesscontrols.ps1: combine the access-control type flags (1 -bor 16) for the 'ServiceDesk' tag
$Type = 1 -bor 16
New-PSUAccessControl -Role 'Service Desk' -Tag 'ServiceDesk' -Type $Type

I believe this should be right as I’ve followed the docs here: Access Controls - PowerShell Universal

Regarding the variable, I have created a dummy script with just the variables to see if anything outputs, but I get nothing in the job log; I have tried $User, $Username etc… but get nothing.

In one of my dummy pages, when creating a form with a simple textbox, I can see that there is a $username variable; the definition is “You can use variables within fields. Variables will be replaced once the page is rendered.” When I submit the form with $username as the value I can see my email address in this variable’s pop-out, but this is not passed to my job output even when I define the param Username.

Have you gone in to change the built-in Reader or Administrator roles to ensure either/both aren’t defaulting to $true for everyone? Also, it’s not perfect, but you won’t see the roles defined on the user’s identity. It’s kind of a hack, but you can set your Dashboard to grant an App Token by adding “-GrantAppToken” to your dashboard(s) in the dashboards.ps1 file. Then you can go to the Tokens section of the Admin console to see what roles are assigned to that token. The other option is to output the role information to a text file or something at login to see what the users are being granted. I don’t have an example handy for that, though.
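An added roles.ps1 sketch (not code from this thread or from the PowerShell Universal project) that ties together the claim mapping from the first reply and the "write the roles to a text file at login" idea above. The group object id, the log path and the use of the preferred_username claim are assumptions; check the real claim names and values against "View Claim Information".

```powershell
# roles.ps1 (added example). Assumptions: the group object id below is a
# placeholder, the log path is illustrative, and Azure AD sends the user's
# UPN in the 'preferred_username' claim.
$serviceDeskGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$auditLog = 'C:\ProgramData\UniversalAutomation\role-audit.log' # assumed path

# Claim-mapped role: granted when the token carries a 'groups' claim equal to
# the group object id. As noted above, no policy scriptblock runs for such a role.
New-PSURole -Name 'Service Desk' -Description 'Service desk analysts' `
    -ClaimType 'groups' -ClaimValue $serviceDeskGroupId

# Built-in roles keep a policy scriptblock. If one of them simply returns $true,
# every OIDC user inherits it regardless of any claim mapping, which is one way
# "users still see everything" happens.
New-PSURole -Name 'Reader' -Description 'Read-only access' -Policy {
    param($User)   # System.Security.Claims.ClaimsPrincipal for the login

    # Record what the policy actually sees so role assignment can be verified.
    $upn    = ($User.Claims | Where-Object Type -eq 'preferred_username' | Select-Object -First 1).Value
    $groups = ($User.Claims | Where-Object Type -eq 'groups' | ForEach-Object Value) -join ','
    $line   = '{0} user={1} groups=[{2}]' -f (Get-Date -Format o), $upn, $groups
    Add-Content -Path 'C:\ProgramData\UniversalAutomation\role-audit.log' -Value $line

    # Grant Reader only to members of the service desk group, never $true.
    $User.HasClaim('groups', '00000000-0000-0000-0000-000000000000')  # placeholder id
}
```

Each policy scriptblock is evaluated on its own at login, so the placeholder id is repeated inside the Reader policy rather than referenced from the outer variable.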