WS-Federation authentication with roles

I am trying to set up WS-Fed authentication against our Universal environment, where certain pages should be visible depending on the roles, and I can’t wrap my head around how to get it to work.

appsettings.json has the configuration:

"WSFed": {
  "Enabled": "true",
  "MetadataAddress": "https://sts.companyname.com/FederationMetadata/2007-06/FederationMetadata.xml",
  "Wtrealm": "myrealm",
  "CallbackPath": "/auth/signin-wsfed"
},

The authentication seems to work; when testing, I am redirected to the STS page and then back to Universal.

I am also sending the claim “Role” which sets a value based on membership of an AD group:

What I am having issues with is how to get this claim, and define which pages should have access to them.

I have changed the roles.ps1 with the following, but how can I see if this role is actually set on the user?

New-PSURole -Name "Reader" -Description "Readers have read-only access to UA. They cannot make changes to any entity within the system." -Policy { 
param(
$User
)
      if($User.Claims | Where-Object { $_.Type -eq 'Role' -and $_.Value -eq 'Reader' ){
          $true
      }
	  else{
	    $false
	  }       
#
# Policies should return $true or $false to determine whether the user has the particular 
# claim that require them for that role.
#
 }

When it comes to pages, is it enough to just set “-Role” with “New-UDPage”? And, can this have multiple values, i.e. @(“Reader”,“Writer”)?
Also, how can I check the role of a user inside the page, for displaying different objects depending on the role?

Sorry for the long post, but I have been stuck on this for some time and I am not getting anywhere with this.
Any help/information is greatly appreciated!

Currently, the easiest way to find the roles that are in the New-PSURole policy is to output that value as JSON.

$User | ConvertTo-Json | Out-File "$Env:temp\roles.json" 

When it comes to pages, is it enough to just set “-Role” with “New-UDPage”? And, can this have multiple values, i.e. @(“Reader”,“Writer”)?

It doesn’t support multiple roles at this time. I’ve added it to our backlog for you though. As a workaround, you could have a role that is a combination of the two roles (checks for both roles in the policy).

Also, how can I check the role of a user inside the page, for displaying different objects depending on the role?

You can use the $Roles variable. I added some info here: https://docs.ironmansoftware.com/dashboard/role-based-access#usdroles-variable
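
The workaround described above, as an added example that is not part of the original thread or the project's own code: one combined role whose policy accepts either claim value. The role name `ReaderOrWriter`, the sample users, and accepting the full .NET role claim type URI alongside `Role` are assumptions.

```powershell
# Policy for a combined role, kept in a variable so it can be tested
# outside PowerShell Universal before it goes into roles.ps1.
$ReaderOrWriterPolicy = {
    param($User)

    # Claim types to accept. 'Role' is the type used in this thread; the URI is
    # the standard .NET role claim type. Keep whichever one the JSON dump of
    # $User shows for your STS.
    $roleTypes = @(
        'Role',
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    )
    # Claim values that grant the combined role.
    $accepted = @('Reader', 'Writer')

    $match = @($User.Claims) | Where-Object {
        $_ -and ($roleTypes -contains $_.Type) -and ($accepted -contains $_.Value)
    }

    # Return a single boolean; a user with no claims gets $false.
    [bool]$match
}

# Constructed sample users (not real data), shaped like the $User in the
# thread: an object with a Claims list of Type/Value pairs.
$samples = @(
    [pscustomobject]@{ Name = 'alice'; Claims = @([pscustomobject]@{ Type = 'Role'; Value = 'Writer' }) }
    [pscustomobject]@{ Name = 'bob';   Claims = @([pscustomobject]@{ Type = 'Role'; Value = 'Guest' }) }
    [pscustomobject]@{ Name = 'carol'; Claims = $null }
)

# Local check only; remove this loop before placing the file in roles.ps1.
foreach ($u in $samples) {
    '{0}: {1}' -f $u.Name, (& $ReaderOrWriterPolicy $u)
}

# Register the role only where New-PSURole exists (inside PowerShell Universal).
# 'ReaderOrWriter' is a hypothetical role name.
if (Get-Command New-PSURole -ErrorAction SilentlyContinue) {
    New-PSURole -Name 'ReaderOrWriter' -Description 'User holds the Reader or Writer role claim.' -Policy $ReaderOrWriterPolicy
}
```

The combined role name is then the single value passed to `-Role` on `New-UDPage`.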

Thanks! That helps a lot!
I tested with adding the below to the first page that is loaded and all that file contained was my username.

$User | ConvertTo-Json | Out-File "$Env:temp\roles.json" 

Might I be doing something wrong in the roles.ps1? Is there some way to see the claims $User has? Or should I be using $ClaimsPrincipal?

Oh, sorry that wasn’t clear. Add that to the roles.ps1 file within the -Policy endpoint or within the settings for the role within the UI. Not to the dashboard.

That was what I first thought, but no file was generated at all when adding it.

New-PSURole -Name “Reader” -Description “Readers have read-only access to UA. They cannot make changes to any entity within the system.” -Policy {
param(
$User
)
$User | ConvertTo-Json | Out-File “$Env:temp\roles.json”

I have found the issue, it was a missing “}” and everything is now working.
Thanks for all your help @adam!


I have the same issue, the $user variable is just my username, nothing else.
What did you do to solve this issue?

(I also have a working SSO setup with ADFS & WS-Federation)

Make sure you have the correct configuration in appsettings.json and you have authentication turned on for the dashboard:
Then try what Adam wrote:

$User | ConvertTo-Json | Out-File "$Env:temp\roles.json" 

Inside one of the roles in roles.ps1

For me, I was missing a “}” in:

 if($User.Claims | Where-Object { $_.Type -eq 'Role' -and $_.Value -eq 'Reader' ){

OK thanks a lot for the info, I have this also working.

Can I just ask, inside a dashboard runspace (any runspace inside the process ID of a dashboard), could you have a look at your $User variable and check if it is just a string with your username, or the complete $user variable you see in the json export from the roles.ps1?

When I do the

$User | ConvertTo-Json | Out-File "$Env:temp\roles.json" 

in the roles.ps1 I get a file with all the claims in them, not just the username.

Thanks, I was also looking for this info, so for anybody wondering the same: