How to configure Azure AD and SAML for Guest Accounts

REQUIREMENTS TO BUILD THIS SOLUTION:

  • A working configuration of SAML Tech Preview and regular accounts.
  • Azure Guest accounts
  • Shadow accounts in AD for the Guest accounts
  • FAS for Cloud: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/federated-authentication-service.html

STEP 1

Open PowerShell on the machine where you will install the Azure AD preview module

Install-module AzureADPreview

Connect-AzureAD

Keep in mind that, as of now, the only way to get this functionality working is to rely on the public tech preview of the AzureAD module.

Extend your Azure Active Directory schema with an additional attribute which is tied to an application. In this case, the application will be the “Cloud SAML Preview” application that the SAML authentication configuration has been applied to.

In this case we will add two additional attributes (guestUserOnPremSID and guestShadowUPN):

$app = Get-AzureADApplication | where displayName -eq "Cloud SAML Preview"

New-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId -Name "guestUserOnPremSID" -TargetObjects User

New-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId -Name "guestShadowUPN" -TargetObjects User

STEP 2

Get the AD values needed to populate the newly created extension attributes. To get the SID and the UPN of the on-premises shadow account, pass the shadow account's name to -Identity (in this example the user's FirstName and LastName with no spaces), like the following:

Get-ADUser -Identity Shadow1 |select SID | ft -HideTableHeaders

Get-ADUser -Identity Shadow1 |select UserPrincipalName | ft -HideTableHeaders

STEP 3

Now that we have the values, we are going to write them to the extension attributes created in step 1. First list the extension properties to get their full names:

Get-AzureADApplication | Get-AzureADApplicationExtensionProperty


Use the Name column of that output as the reference for the created attributes; in this example they are:

extension_f5abb8d162c14493a88d0839ecd9647c_guestShadowUPN

extension_f5abb8d162c14493a88d0839ecd9647c_guestUserOnPremSID

$guestUser = Get-AzureADUser | Where {$_.DisplayName -eq "Guest User Display Name"}

Set-AzureADUserExtension -ObjectId $guestUser.ObjectId -ExtensionName extension_f5abb8d162c14493a88d0839ecd9647c_guestUserOnPremSID -ExtensionValue "SID VALUE"

Set-AzureADUserExtension -ObjectId $guestUser.ObjectId -ExtensionName extension_f5abb8d162c14493a88d0839ecd9647c_guestShadowUPN -ExtensionValue "UPN VALUE"


To confirm the values:

Get-AzureADUserExtension -ObjectId $guestUser.ObjectId
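Steps 1 to 3 above are one procedure, and in practice the error-prone parts are copying the extension_<appId>_... names and the SID by hand. The following script is an added example (not from the original article) that does the same thing end to end: it reads the SID and UPN from the shadow account, resolves the two extension property names from the application instead of hard-coding them, writes them to the guest, and reads them back. It assumes the ActiveDirectory and AzureADPreview modules are loaded, that Connect-AzureAD has been run, and that Get-AzureADUserExtension returns a dictionary indexable by extension name; the application, guest and shadow account names are placeholders.

```powershell
# Added example, not part of the original article.
# Populate a guest user's extension attributes from its on-premises shadow account.
# Assumes: ActiveDirectory + AzureADPreview modules loaded, Connect-AzureAD already run.
# The three names below are placeholders; pass your own when running the script.
param(
    [string]$AppDisplayName   = 'Cloud SAML Preview',
    [string]$GuestDisplayName = 'Guest User Display Name',
    [string]$ShadowSamAccount = 'Shadow1'
)

# 1. Resolve the shadow account in on-premises AD. Stop if it is missing or incomplete:
#    a guest must never be left mapped to a SID/UPN that was not deliberately chosen.
$shadow = Get-ADUser -Identity $ShadowSamAccount -Properties UserPrincipalName -ErrorAction Stop
if (-not $shadow.SID -or -not $shadow.UserPrincipalName) {
    throw "Shadow account '$ShadowSamAccount' has no SID or UPN"
}

# 2. Look up the two extension properties registered on the application in step 1,
#    so the extension_<appId>_<name> strings never have to be pasted by hand.
$app = Get-AzureADApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "Application '$AppDisplayName' not found" }
$extProps = Get-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId
$sidProp  = ($extProps | Where-Object { $_.Name -like '*_guestUserOnPremSID' }).Name
$upnProp  = ($extProps | Where-Object { $_.Name -like '*_guestShadowUPN' }).Name
if (-not $sidProp -or -not $upnProp) {
    throw "guestUserOnPremSID / guestShadowUPN extension properties not found on '$AppDisplayName'"
}

# 3. Resolve the guest and insist on exactly one match, since display names are not unique.
$guests = @(Get-AzureADUser -Filter "displayName eq '$GuestDisplayName' and userType eq 'Guest'")
if ($guests.Count -ne 1) {
    throw "Expected exactly one guest named '$GuestDisplayName', found $($guests.Count)"
}
$guest = $guests[0]

# 4. Write the values. The SID is stored in its string form (S-1-5-21-...).
Set-AzureADUserExtension -ObjectId $guest.ObjectId -ExtensionName $sidProp -ExtensionValue $shadow.SID.Value
Set-AzureADUserExtension -ObjectId $guest.ObjectId -ExtensionName $upnProp -ExtensionValue $shadow.UserPrincipalName

# 5. Read back and verify that what Azure AD stores matches the shadow account
#    (assumption: the returned dictionary is indexable by extension name).
$stored = Get-AzureADUserExtension -ObjectId $guest.ObjectId
if ($stored[$sidProp] -ne $shadow.SID.Value -or $stored[$upnProp] -ne $shadow.UserPrincipalName) {
    throw "Read-back mismatch for guest '$GuestDisplayName'"
}
"Guest '$GuestDisplayName' now maps to $($shadow.UserPrincipalName) ($($shadow.SID.Value))"
```

Save it as a .ps1 and run it once per guest, or wrap the body in a loop over a CSV of guest/shadow pairs. The read-back at the end matters because the SID written here is what the claims policy in step 4 will issue as cip_sid, and that is the identity the downstream AD logon is performed as.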



STEP 4

The only option currently available for using your own custom Azure AD extension attributes is to create a representation of the claims required in JSON format, then use PowerShell to create a “policy” object in Azure AD and associate it with the application the SAML authentication is configured on. This functionality of Azure AD is currently in Public Preview and has some limited documentation on Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

The following JSON/PowerShell configures the claims on the “Cloud SAML Preview” application with Object ID “eb888d56-deee-4832-9741-4fd8dc7150b4” (taken from the Overview page for that application in the Portal).

$claimsDefinition = @('
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "false",
    "ClaimsSchema": [
      {
        "Source": "user",
        "ID": "displayname",
        "name": "displayName",
        "SamlClaimType": "displayName"
      },
      {
        "Source": "user",
        "ID": "givenname",
        "name": "givenName",
        "SamlClaimType": "givenName"
      },
      {
        "Source": "user",
        "ID": "userprincipalname",
        "name": "cip_upn",
        "SamlClaimType": "cip_upn",
        "AppliesToUserType": "members"
      },
      {
        "Source": "user",
        "ExtensionID": "extension_f5abb8d162c14493a88d0839ecd9647c_guestShadowUPN",
        "name": "cip_upn",
        "SamlClaimType": "cip_upn",
        "AppliesToUserType": "allGuests"
      },
      {
        "Source": "user",
        "ID": "objectid",
        "name": "cip_oid",
        "SamlClaimType": "cip_oid"
      },
      {
        "Source": "user",
        "ID": "userprincipalname",
        "name": "cip_email",
        "SamlClaimType": "cip_email"
      },
      {
        "Source": "user",
        "ID": "onPremiseSecurityIdentifier",
        "name": "cip_sid",
        "SamlClaimType": "cip_sid",
        "AppliesToUserType": "members"
      },
      {
        "Source": "user",
        "ExtensionID": "extension_f5abb8d162c14493a88d0839ecd9647c_guestUserOnPremSID",
        "name": "cip_sid",
        "SamlClaimType": "cip_sid",
        "AppliesToUserType": "allGuests"
      }
    ]
  }
}
')

$policyDef = New-AzureADPolicy -Definition $claimsDefinition -DisplayName "CitrixCustomClaims" -Type "claimsMappingPolicy"

Add-AzureADServicePrincipalPolicy -Id eb888d56-deee-4832-9741-4fd8dc7150b4 -RefObjectId $policyDef.Id
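A claims definition that references a misspelled extension name, or that issues cip_sid to guests but not to members, is accepted by New-AzureADPolicy and only shows up later as a broken logon. The script below is an added example (not from the original article) that assumes $claimsDefinition from step 4 is already defined in the session and that Connect-AzureAD has been run. It parses the JSON, checks every ExtensionID against the extension properties actually registered on the application, checks that each claim issued to guests also has a members rule, then creates the policy and attaches it to the application's service principal resolved by display name; the display names are placeholders.

```powershell
# Added example, not part of the original article.
# Validate the claims mapping definition from step 4 before creating and attaching the policy.
# Assumes $claimsDefinition is defined (see step 4) and Connect-AzureAD has been run.
$AppDisplayName = 'Cloud SAML Preview'   # placeholder
$PolicyName     = 'CitrixCustomClaims'   # placeholder

$app      = Get-AzureADApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "Application '$AppDisplayName' not found" }
$extNames = @(Get-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId | ForEach-Object { $_.Name })

# $claimsDefinition is a one-element array holding the JSON string; parse it here so a
# typo fails locally instead of inside New-AzureADPolicy.
$schema = ($claimsDefinition[0] | ConvertFrom-Json).ClaimsMappingPolicy.ClaimsSchema

foreach ($claim in $schema) {
    # Every extension the policy reads from must be registered on this application.
    if ($claim.ExtensionID -and $extNames -notcontains $claim.ExtensionID) {
        throw "Claim '$($claim.SamlClaimType)' references unknown extension '$($claim.ExtensionID)'"
    }
}

# A claim that is issued to guests from an extension attribute should also have a
# members rule, otherwise member logons arrive without that claim at all.
foreach ($group in ($schema | Group-Object SamlClaimType)) {
    $userTypes = @($group.Group | ForEach-Object {
        if ($_.AppliesToUserType) { $_.AppliesToUserType } else { 'any' }
    })
    if ($userTypes -contains 'allGuests' -and $userTypes -notcontains 'members') {
        throw "Claim '$($group.Name)' is defined for guests but not for members"
    }
}

# Attach to the service principal (the Enterprise application object). This is a different
# object from the app registration whose ObjectId was used for the extension properties.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal for '$AppDisplayName' not found" }

# Only one claims mapping policy can be assigned to a service principal; detach any old one.
$existing = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Type -eq 'ClaimsMappingPolicy' }
foreach ($old in @($existing)) {
    Remove-AzureADServicePrincipalPolicy -Id $sp.ObjectId -PolicyId $old.Id
}

$policy = New-AzureADPolicy -Definition $claimsDefinition -DisplayName $PolicyName -Type 'ClaimsMappingPolicy'
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Show what is now attached, as the confirmation step.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type, Id
```

Note that Add-AzureADServicePrincipalPolicy takes the object ID of the service principal (the Enterprise application), not the object ID of the app registration; resolving it by display name as above avoids pasting the wrong GUID.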

TESTING:

Using Google Chrome with the SAML-tracer plug-in, we should be able to see the correct values in the SAML response, as in the following example:
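SAML-tracer shows the decoded response, but for a guest the point to verify is that cip_sid and cip_upn carry the shadow account's values and not, for example, an empty or duplicated attribute. The following is an added example (not from the original article): the assertion is a constructed, minimal sample with placeholder values, not a real capture, and the two functions extract the cip_* attributes and compare them with the expected shadow account SID and UPN. Paste the XML from SAML-tracer into $samlXml to check a real logon.

```powershell
# Added example, not part of the original article.
# Constructed sample of the AttributeStatement part of a SAML response (placeholder values).
$samlXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="cip_upn"><saml:AttributeValue>shadow1@corp.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cip_sid"><saml:AttributeValue>S-1-5-21-1111111111-2222222222-3333333333-1105</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cip_oid"><saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cip_email"><saml:AttributeValue>guest@partner.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

# Return a hashtable of attribute name -> array of values from the AttributeStatement.
function Get-CipClaims {
    param([string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $claims = @{}
    foreach ($attr in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        # GetAttribute avoids the clash between the XML attribute "Name" and XmlElement.Name.
        $name = $attr.GetAttribute('Name')
        $claims[$name] = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }
    return $claims
}

# Compare the issued claims with what the guest's shadow account should produce.
function Test-GuestClaims {
    param([hashtable]$Claims, [string]$ExpectedSid, [string]$ExpectedUpn)
    $problems = @()
    foreach ($name in 'cip_upn', 'cip_sid', 'cip_oid', 'cip_email') {
        if (-not $Claims.ContainsKey($name) -or $Claims[$name].Count -eq 0) {
            $problems += "missing $name"
        } elseif ($Claims[$name].Count -gt 1) {
            $problems += "$name has $($Claims[$name].Count) values, expected exactly one"
        }
    }
    if ($Claims['cip_sid'] -and $Claims['cip_sid'][0] -ne $ExpectedSid) {
        $problems += "cip_sid is $($Claims['cip_sid'][0]), expected $ExpectedSid"
    }
    if ($Claims['cip_upn'] -and $Claims['cip_upn'][0] -ne $ExpectedUpn) {
        $problems += "cip_upn is $($Claims['cip_upn'][0]), expected $ExpectedUpn"
    }
    # A domain account SID has the S-1-5-21-<domain>-<rid> shape; anything else cannot be a shadow account.
    if (-not $Claims['cip_sid'] -or $Claims['cip_sid'][0] -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        $problems += 'cip_sid is not a domain account SID'
    }
    return $problems
}

$claims = Get-CipClaims -Xml $samlXml
$issues = Test-GuestClaims -Claims $claims `
    -ExpectedSid 'S-1-5-21-1111111111-2222222222-3333333333-1105' `
    -ExpectedUpn 'shadow1@corp.example'
if ($issues) { $issues | ForEach-Object { "FAIL: $_" } } else { 'OK: guest claims match the shadow account' }
```

For a real check, take the expected SID and UPN from Get-ADUser on the shadow account (as in step 2) rather than typing them, so the comparison is against the directory and not against a value copied by hand.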

