WS-Federation Confusion

coryjiggens · November 11, 2021, 2:42am

Product: PowerShell Universal
Version: 1.4.6

I am not understanding how I set up the claims.

I am authenticating using SSO but I want it to assign to my custom roles and I don’t understand where the policies are updated.

I have 2 roles created
Admins - Admins Security Group
Users = Users Security Group

I just want users to see pages or dashboards and that’s it Admins see everything.
I am just lost on this part

Help on this is appreciated.

adam · November 11, 2021, 7:42pm

You need to setup the policy script to check the claims of the user logging in. Here’s an example of how to do so with Active Directory. It will be similar to WS-Fed: https://docs.powershelluniversal.com/config/security#example-policy-based-on-active-directory-group-membership-windows-authentication

coryjiggens · November 12, 2021, 3:05pm

So I added the following to roles.ps1 and it’s still defaulting to Policy Defined for my non-admin users.
Should it be displaying the roles I created for the user or continue to use Policy Defined?

New-PSURole -Name "Admins" -Policy {
param($User)

$User.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 'S-1-5-21-2455101938-2081098319-3243300316-1067472')

$true
} 
New-PSURole -Name "Users" -Policy {
param(
$User
)
$User.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 'S-1-5-21-2455101938-2081098319-3243300316-1067593')

$true
}

adam · November 12, 2021, 10:04pm

It will continue to show Policy Defined in the dashboard. The user’s role will be determined upon login. If you assign a role in the identities page, that is static and it won’t run the policy.

coryjiggens · November 16, 2021, 6:36pm

So I tested my policy and I am getting a null returned in my JSON file

$User | ConvertTo-Json | Out-File .\myAdmins.json

When i set authentication on a page it breaks and i get 404 error.

adam · November 17, 2021, 4:17pm

The entire JSON file is empty when you do this?

coryjiggens · November 17, 2021, 4:17pm

No it says null

adam · November 17, 2021, 4:21pm

Ok. I’m going to open an issue to track this because I need to setup WS-Fed to verify that I’m not missing something here.

That variable should never be null in roles.ps1

coryjiggens · November 17, 2021, 4:44pm

I forgot to mention this happened in version 2.5.3 I am going to revert to 2.5.2 and see what happens

coryjiggens · March 10, 2023, 6:31pm

I am still having this issue, I stepped away from the project due to other priorities, but I am not seeing the file created when I use it.

I have my claims set up as well. Is there something I am missing

2023-03-10_10-32-26

$User | ConvertTo-Json | Out-File .\myAdmins.json

coryjiggens · March 14, 2023, 8:29pm

so I tried the following instead of using the form.


param(
[Security.ClaimsPrincipal]$User
)
$User.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 'S-1-5-21-2455101938-2081098319-3243300316-1067593')

$true
$User | ConvertTo-Json | Out-File .\myAdmins.json

These are my results.

{
  "Claims": [
    {
      "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      "Value": "OJR2",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "http://3dsfederation.3ds.com/adfs/services/trust",
      "Properties": ""
    },
    {
      "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
      "Value": "OJR2",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "http://3dsfederation.3ds.com/adfs/services/trust",
      "Properties": ""
    },
    {
      "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
      "Value": "urn:federation:authentication:windows",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "http://3dsfederation.3ds.com/adfs/services/trust",
      "Properties": ""
    },
    {
      "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant",
      "Value": "2023-03-14T13:17:51.375Z",
      "ValueType": "http://www.w3.org/2001/XMLSchema#dateTime",
      "Issuer": "http://3dsfederation.3ds.com/adfs/services/trust",
      "Properties": ""
    },
    {
      "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
      "Value": "Execute",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "https://www.poshtools.com",
      "Properties": ""
    },
    {
      "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
      "Value": "Reader",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "https://www.poshtools.com",
      "Properties": ""
    },
    {
      "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
      "Value": "Operator",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "https://www.poshtools.com",
      "Properties": ""
    },
    {
      "Type": "RolesAssigned",
      "Value": "true",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "https://www.poshtools.com",
      "Properties": ""
    }
  ],
  "Identity": {
    "Name": "OJR2"
  }
}

Topic		Replies	Views
WS-Federation authentication with roles PowerShell Universal	10	1003	October 29, 2020
Windows Policy Assignment Not Working PowerShell Universal	2	337	June 12, 2023
Where do I define "Policy assigned" for new identities? PowerShell Universal	4	359	September 13, 2021
Security in IIS PowerShell Universal	2	213	October 6, 2022
Issue setting up roles based on group claims PowerShell Universal	1	47	September 18, 2024

WS-Federation Confusion

Related topics