Resolving federated identities

Nov 13, 2012 at 2:37 PM

Great work on this claims provider for AD users coming from ADFS!

Next is how to deal with federated users when we cannot do any sort of name resolution. For example, our ADFS is federated with othercompany.com, or via the Azure ACS, federated with Google, Yahoo, etc.

In planning to write my own claims provider for this I was thinking something along the lines of:

If input contains '@' and not @ourdomain.com

  assume this is an external email address.
  check for a general well-formed email address, but just resolve no matter what

else

  do resolution against our AD...
Thoughts?

Coordinator
Nov 14, 2012 at 6:54 AM

hello,
many thanks for your feedback.
The latest version contains a property that allows always resolving user input for each of the claim types specified in the trust (whether it exists in the LDAP or not).
Does this address your needs?
Nov 16, 2012 at 6:25 PM

I do not believe the 'always resolve' option works for this case. I want to do LDAP (AD) lookup on all input *except* where it looks like an external email address -- @something but not @ourdomain.com.

Our users are in 'ourdomain.com' and federated external users are username@gmail.com, user@othercompany.com, etc., where we have no ability to do lookups.

Something along these lines:

// Normalize once instead of calling ToLower() in every condition.
// String literals are used throughout: string.Contains(char) is not available
// in .NET Framework without System.Linq.
string input = searchPattern.ToLower();

if (input.Contains("@ourdomain.com") ||
	input.Contains(@"ourdomain\") ||
	input.Contains(@"ourdomain.com\") ||
	(!input.Contains("@") && !input.Contains(@"\")))
{
	// our own users and groups: do LDAP lookup
}
else if (input.Contains("@"))
{
	// assume external user and resolve as identity claim (no validation)
}
else if (input.Contains(@"\"))
{
	// assume external group and resolve as role claim (no validation)
}

Coordinator
Nov 22, 2012 at 11:46 AM

What could be done is to use a configurable prefix (for example "EXT-") to say that the input should be validated without resolving it.

For example, if the user types EXT-user@outlook.com, LDAPCP resolves user@outlook.com for each claim type.

What do you think about that?

Jun 18, 2014 at 6:47 AM

Hi Yvan

Dougan's suggestion would be exactly what we need. Do you think it would be possible to program a behaviour like this?

Regards,
Sandro
Coordinator
Jun 18, 2014 at 11:33 AM

Hello Sandro,
the actual implementation is slightly different:
if you configure a prefix (for example "extuser:"), LDAPCP will resolve users like this:
  • user types "value": LDAPCP will make an LDAP lookup to find "value"
  • user types "extuser:value": LDAPCP will bypass the LDAP lookup (for the claim type where the prefix is configured) and create permission "value"

It's not very different from the implementation suggested by ddugan and very simple to configure: set a prefix or don't.
Would that fit your needs?
cheers,
Yvan
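An added example, not LDAPCP's own code, of the prefix routing Yvan describes, with the well-formedness check asked for in the first post applied to the bypassed value; the class, the claim type URIs and the per-claim-type prefix dictionary are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Mail;

public enum ResolutionAction { LdapLookup, CreatePermissionWithoutLookup, Reject }

public sealed class PrefixBypassRouter
{
    // Assumed claim type URIs, used only to tell an identity (e-mail) claim from a role claim.
    public const string IdentityClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
    public const string RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
    // claim type -> bypass prefix ("extuser:" in the thread); no entry means LDAP lookup only.
    private readonly Dictionary<string, string> prefixByClaimType;

    public PrefixBypassRouter(Dictionary<string, string> prefixByClaimType)
    {
        this.prefixByClaimType = prefixByClaimType;
    }

    // Returns what the claims provider should do and the value it should do it with.
    public (ResolutionAction Action, string Value) Route(string claimType, string input)
    {
        if (string.IsNullOrWhiteSpace(input))
            return (ResolutionAction.Reject, input);
        if (prefixByClaimType.TryGetValue(claimType, out string prefix)
            && input.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
        {
            string value = input.Substring(prefix.Length).Trim();
            // The bypass creates a permission for whatever was typed, so at least check the
            // shape: an identity claim must parse as a bare e-mail, a role claim as domain\group.
            return LooksWellFormed(claimType, value)
                ? (ResolutionAction.CreatePermissionWithoutLookup, value)
                : (ResolutionAction.Reject, value);
        }
        // No prefix (or none configured for this claim type): normal lookup in our directory.
        return (ResolutionAction.LdapLookup, input);
    }

    private static bool LooksWellFormed(string claimType, string value)
    {
        if (claimType == IdentityClaimType)
        {
            // MailAddress also accepts "Name <a@b>"; comparing Address back rejects that form.
            try { return new MailAddress(value).Address == value; }
            catch (FormatException) { return false; }
        }
        int sep = value.IndexOf('\\');            // role: "domain\group", both parts non-empty
        return claimType == RoleClaimType && sep > 0 && sep < value.Length - 1;
    }
}
```

Because a prefixed value is never looked up, the permission is granted to exactly the string typed, so the shape check (and auditing which principals use the prefix) is the only control on misspelled or unintended identities.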