Announcing the Twobo LDAP Attribute Store for ADFS


ADFS ships with an LDAP attribute store that queries directories for data that the federation server should assert as claims. As its documentation says, Microsoft's attribute store only works with LDAP servers that support Integrated Windows Authentication (IWA). If the LDAP directory does not support this method of authentication, the data in it cannot be accessed with the stock attribute store. Because of this limitation, organizations that need to provide their federation partners with data housed in incompatible directories have been faced with undesirable choices. It is for this reason that we have created the Twobo LDAP Attribute Store for ADFS. As we'll explain in this and subsequent blog posts, our new attribute store offers more functionality than Microsoft's without that limitation.

Summary of Features

The Twobo LDAP Attribute Store for ADFS includes a number of features. For example, it provides support for:

  • Simple and anonymous bind
  • LDAP and LDAPS
  • Single- and multi-valued attributes
  • Decoding of binary attribute values based on a configurable encoding
  • Rule-specific search scope (e.g., OneLevel or Subtree) with configurable default
  • Per-rule search base and configurable default

The attribute store can be xcopied into the ADFS install directory or deployed into the GAC. It works with ADFS 2.0 and 2.1, and includes a complete administrative manual to help you get up and running quickly. Once installed, it is configured the same way as any third-party attribute store: with the ADFS Management Console or the ADFS PowerShell cmdlets. You then use it by writing claims rules.

Prototypical Rules

The rules that you write use ADFS' custom rule template and probably look like many you've seen. The attribute store used in these rules needs to be an instance of the Twobo LDAP Attribute Store for ADFS. A simple rule that overrides the default search base and scope looks like this:

c:[Type == "http://schemas.xmlsoap.org/.../upn"] =>
    issue(Store = "2BOLDAP",
        Types = ("http://schemas.xmlsoap.org/.../emailaddress",
            "http://schemas.xmlsoap.org/.../privatepersonalidentifier"),
        Query = "uid={0}\mail,uid\ou=People,dc=example,dc=com\Subtree",
        Param = c.Value);

If the configured default search base and scope were to be used instead, the above query would simply be uid={0}\mail,uid. We'll delve into the syntax some more in a future post and provide additional examples. For now, however, take note of a few things:

  • The basic form of the rule is identical to that used with the stock LDAP attribute store; only the format of the query differs.
  • The query consists of an LDAP filter, a list of attributes to return, an optional search base, and an optional search scope.
  • The parts of the query are separated by a slash character, as in the example above, rather than by the semicolon the stock LDAP attribute store uses. This is because many organizations use a semicolon in their object names, despite the recommendations against it.
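To make the query format concrete, here is a small parser written as an added example for this post; it is not the Twobo attribute store's code and the store's exact parsing rules are not documented here. It follows the structure described above (filter, attribute list, optional base, optional scope), splits on the backslash used in the example rule (kept in a SEPARATOR constant so it can be changed), and falls back to assumed default base and scope values when those parts are omitted. This post does not say how the store treats the claim value that replaces {0}; the example escapes it per RFC 4515 before substitution, which is what you want whenever a claim value that a user can influence ends up inside an LDAP filter. The names (parse_query, escape_filter_value, LdapQuery) and the sample values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Sequence, Tuple

# Separator between query parts, as in the example rule in this post.
# Assumption for this example; the real store's syntax rules are not given here.
SEPARATOR = "\\"
VALID_SCOPES = ("Base", "OneLevel", "Subtree")
# Stand-ins for the attribute store's configured defaults (assumed values).
DEFAULT_BASE = "dc=example,dc=com"
DEFAULT_SCOPE = "OneLevel"


@dataclass(frozen=True)
class LdapQuery:
    search_filter: str
    attributes: Tuple[str, ...]
    base: str
    scope: str


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    Without this, a claim value such as "*)(objectClass=*" would change the
    meaning of the filter instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_query(query: str, params: Sequence[str],
                default_base: str = DEFAULT_BASE,
                default_scope: str = DEFAULT_SCOPE) -> LdapQuery:
    """Split a rule's Query string into its parts and fill in the {n} parameters."""
    parts = query.split(SEPARATOR)
    if not 2 <= len(parts) <= 4:
        raise ValueError("query must have 2 to 4 parts: filter, attributes[, base[, scope]]")

    filter_template = parts[0].strip()
    attributes = tuple(a.strip() for a in parts[1].split(",") if a.strip())
    if not filter_template or not attributes:
        raise ValueError("filter and attribute list are required")

    base = parts[2].strip() if len(parts) > 2 and parts[2].strip() else default_base
    scope = parts[3].strip() if len(parts) > 3 and parts[3].strip() else default_scope
    if scope not in VALID_SCOPES:
        raise ValueError("unknown search scope %r" % scope)

    # Escape *after* splitting: the escaped form itself contains backslashes,
    # which would otherwise be mistaken for part separators.
    escaped = [escape_filter_value(p) for p in params]

    def fill(match):
        index = int(match.group(1))
        if index >= len(escaped):
            raise ValueError("query refers to {%d} but only %d Param values were given"
                             % (index, len(escaped)))
        return escaped[index]

    search_filter = re.sub(r"\{(\d+)\}", fill, filter_template)
    return LdapQuery(search_filter, attributes, base, scope)


if __name__ == "__main__":
    # The rule from this post, with a constructed UPN as the parameter.
    print(parse_query(r"uid={0}\mail,uid\ou=People,dc=example,dc=com\Subtree",
                      ["alice@example.com"]))
    # Short form: base and scope fall back to the configured defaults.
    print(parse_query(r"uid={0}\mail,uid", ["alice@example.com"]))
    # A hostile claim value is neutralised rather than rewriting the filter.
    print(parse_query(r"uid={0}\mail", ["*)(objectClass=*"]).search_filter)
```

The order of operations matters: split the query into parts first, then substitute and escape the parameters, so that escape sequences in the data are never confused with the separator. Whether a base DN or filter that legitimately contains the separator character can be expressed at all is not covered by this post, and this example does not attempt it.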

Tested LDAP Directories

We have tested our attribute store with a growing number of LDAP servers, including:

  • Siemens DirX Directory Server
  • OpenLDAP
  • AD LDS
  • ApacheDS

If you work in Swedish health care IT, you may recognize the first directory server in that list as the one behind the Swedish national health care directory, HSA. We are very pleased to say that our new attribute store works with that critical piece of our national infrastructure. We have tested most of these servers with both anonymous and simple bind, over SSL and in the clear. Keep in mind that a simple bind over plain LDAP sends the service account's password to the directory unencrypted, so in production the store should talk to the directory over LDAPS whenever it binds with credentials.

Confidently Access Non-IWA-compliant Directories

We have released multiple updates to this module over the last year, and have helped our customers deploy and use it in production during that time. We are very confident in its stability and feature set. It is for this reason that we are now making it generally available and providing commercial support for it. With our help and support, organizations can confidently use our new attribute store to retrieve the data they need from directory servers that do not support IWA. If you have any questions or would like to learn more about the Twobo LDAP Attribute Store for ADFS, please contact us.
