ADFS 2.0 AttributeStore that allows you to fetch attribute values from Forefront Identity Manager and issue them as claims.
By the amazing Forefront Identity Management (FIM) and ADFS 2.0 team at
This project uses the FIM 2010 Resource Management Client for reading resource data from FIM.
FIM is of course the ultimate place for attributes to issue as claims using ADFS 2.0, since you typically store attributes from all different kinds of connected directories there. Not only will you be able to issue standard attributes - you can do lookups for groups, sets or roles and publish these as claims as well, perfect for authorization scenarios.
Before I first released this back in December I asked Brad Turner (1dent1ty cHa0s) for help on doing some testing, but he wasn't able to get a proper connection to the FIM service using the public WS-client that this project is using for communicating with FIM. Now Brad seems to have a solution to this problem (not confirmed yet), so go ahead and check out his blog post if you're having problems connecting the attribute store to FIM.
SOAP security negotiation with 'http://fim:5725/ResourceManagementService/Resource'
Getting Started with ADFS 2.0 Attribute Store for FIM
The project contains three VS2010 projects:
- Cortego.ADFS.FIMAttributeStore - This is the actual AttributeStore that does all the work of retrieving FIM attributes and making them available to ADFS 2.0.
- Cortego.ADFS.FIMAttributeStore.Tests - This is a neat command-line client that enables you to test connectivity against FIM.
- Cortego.ADFS.FIMAttributeStore.EventSource - A simple command-line utility that allows you to add a custom and required event source (Cortego.ADFS.FIMAttributeStore) to the Windows event log. This is required for the FIMAttributeStore to be able to log events to the event log.
The Test Client
The Test Client is simply a command-line FIM query tool that uses the Attribute Store under the hood. It lets you get FIM connectivity right and execute your own custom queries against FIM from the command line.
Before you start using the attribute store with ADFS 2.0 I recommend that you try it out with the...
Setting up the ADFS 2.0 Attribute Store for Forefront Identity Manager
Drop these three DLLs into C:\Program Files\Active Directory Federation Services 2.0:
- Cortego.ADFS.FIMAttributeStore.dll - The attribute store
- Microsoft.ResourceManagement.Client.dll - The FIM WS client
- Microsoft.ResourceManagement.ObjectModel.dll - The FIM WS object model (required by FIM client)
Create Event Source
- Open the ADFS 2.0 Management Console and expand Trust Relationships/Attribute Stores
- Click to Add Custom Attribute Store
- Choose a display name for your attribute store (keep it short because this name will be used in your claim rules, how about simply FIM?) and add this text as Custom attribute store class name:
Cortego.ADFS.FIMAttributeStore.FIMAttributeStore, Cortego.ADFS.FIMAttributeStore, Version=126.96.36.199
- Add the initialization parameters that suit you,
In order for the attribute store to be able to log errors and trace information to the event log, an event source must be registered. For this there's a separate project that contains a simple command-line utility. Apart from registering event sources, the utility can also create custom logs, unregister event sources and delete custom logs.
The Event Source Utility
Now that everything is configured you'll need to restart the ADFS 2.0 service. This can be done from the services console or by running these commands:
net stop adfssrv
net start adfssrv
If you had TracingEnabled set to True, you'll now likely see a couple of information events in the log you specified when you registered the event source, and hopefully no error events.
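The setup steps above as a pre-flight check, written as an added PowerShell example that is not part of the Cortego project: it confirms the three DLLs are in place and prints a SHA-256 for each, confirms the event source is registered, restarts ADFS and lists what the attribute store logged since the restart. It assumes the install path and event source name given on this page, an elevated Windows PowerShell session, and a 15-second wait chosen here.

```powershell
# Added example, not part of the Cortego project. Run in an elevated Windows PowerShell session.
# Assumptions: the install path and event source name are the ones given on this page.
$AdfsDir = 'C:\Program Files\Active Directory Federation Services 2.0'
$Source  = 'Cortego.ADFS.FIMAttributeStore'
$Dlls    = 'Cortego.ADFS.FIMAttributeStore.dll',
           'Microsoft.ResourceManagement.Client.dll',
           'Microsoft.ResourceManagement.ObjectModel.dll'

# 1. All three DLLs must be present. Print a SHA-256 for each so that later
#    changes to code loaded into the ADFS service can be detected.
$sha = [System.Security.Cryptography.SHA256]::Create()
foreach ($name in $Dlls) {
    $path = Join-Path $AdfsDir $name
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing DLL: $path" }
    $bytes = [System.IO.File]::ReadAllBytes($path)
    $hash  = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
    Write-Output ("{0}  {1}" -f $hash, $name)
}

# 2. The event source must be registered, otherwise the store cannot log.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    throw "Event source '$Source' is not registered; run the event source utility first."
}
$log = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
Write-Output "Event source '$Source' writes to log '$log'"

# 3. Restart ADFS (same effect as net stop / net start adfssrv) and show
#    what the attribute store logged since the restart.
$since = Get-Date
Restart-Service -Name adfssrv
Start-Sleep -Seconds 15   # assumed wait, chosen for this example
$events = @(Get-EventLog -LogName $log -Source $Source -After $since -ErrorAction SilentlyContinue)
$events | Sort-Object TimeGenerated | Format-Table TimeGenerated, EntryType, Message -AutoSize -Wrap
$errors = @($events | Where-Object { $_.EntryType -eq 'Error' })
if ($errors.Count -gt 0) { Write-Warning "$($errors.Count) error event(s) from $Source since restart" }
```

Keep the printed hashes with your change records; the three DLLs run inside the federation service, so an unexpected hash change on them is worth investigating.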
When the attribute store is running, and you have tested it using the Test Client and it connects successfully to FIM, it's time to author Custom Claim Rules in the ADFS Management Console.
Authoring Claim Rules