Identifierclaim in SPTrustedIdentityTokenIssuer #1328

Closed
bartvermeersch opened this issue Jun 23, 2021 · 5 comments · Fixed by #1343
Labels
bug The issue is a bug. in progress The issue is being actively worked on by someone.

Comments

@bartvermeersch
Contributor

I'm trying to configure an SPTrustedIdentityTokenIssuer but I always get the error:

IdentifierClaim does not match any claim type specified in ClaimsMappings.

What am I missing?

SPTrustedIdentityTokenIssuer AzureAD
{
    Name                = "AzureAD";
    Description         = "Azure AD Identity provider";
    Realm               = "urn:sharepoint:sp1";
    SignInUrl           = "https://login.microsoftonline.com/[GUID removed]/wsfed";
    IdentifierClaim     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
    ClaimsMappings      = @(
        MSFT_SPClaimTypeMapping{
            Name = "name";
            IncomingClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
            LocalClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";
        }
        MSFT_SPClaimTypeMapping{
            Name = "Email";
            IncomingClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
        }
        MSFT_SPClaimTypeMapping{
            Name = "Role";
            IncomingClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
        }
    )
    SigningCertificateFilePath = "C:\cert.cer";
    Ensure                = "Present";
    PsDscRunAsCredential  = $SPSetupAccount;
}
@bartvermeersch
Contributor Author

bartvermeersch commented Jun 25, 2021

Manually installing using this PowerShell did work and made it DSC compliant:

$realm = "urn:sharepoint:sp1"
$wsfedurl="https://login.microsoftonline.com/[GUID removed]/wsfed"
$filepath="C:\cert.cer"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)

New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert

$map =@()
$map += New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$map += New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" 
$map += New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -LocalClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "Azure AD Identity provider" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

@ykuijs
Member

ykuijs commented Jun 25, 2021

Hi @bartvermeersch,

Since your manual actions corrected this, this must be in the Set method. To check where exactly this goes wrong, do you have more of the Verbose output for me?

@ykuijs ykuijs added bug The issue is a bug. needs investigation The issue needs to be investigated by the maintainers or/and the community. waiting for author response The pull request is waiting for the author to respond to comments in the pull request. labels Jun 25, 2021
@ykuijs
Member

ykuijs commented Aug 31, 2021

@bartvermeersch Could you provide the Verbose output, so I can check the code where this goes wrong?

@ykuijs
Member

ykuijs commented Aug 31, 2021

UPDATE: Correction to my first conclusion. Have checked the inner workings a little more and the error is in the code.

Found the root cause for this issue:

In the Set method, this code creates an array with Claims Mappings:

$params.ClaimsMappings | ForEach-Object -Process {
    $runParams = @{ }
    $runParams.Add("IncomingClaimTypeDisplayName", $_.Name)
    $runParams.Add("IncomingClaimType", $_.IncomingClaimType)
    if ($null -eq $_.LocalClaimType)
    {
        $runParams.Add("LocalClaimType", $_.IncomingClaimType)
    }
    else
    {
        $runParams.Add("LocalClaimType", $_.LocalClaimType)
    }
    $newMapping = New-SPClaimTypeMapping @runParams
    $claimsMappingsArray += $newMapping
}

The next block of code then checks if the specified IdentifierClaim matches a MappedClaimType in any of the claims in the array:


This is where the code fails. It should check against the InputClaimType property instead of the MappedClaimType property. Will update the code and submit a PR!

@ykuijs ykuijs added by design The issue is describing an expect behavior. bug The issue is a bug. in progress The issue is being actively worked on by someone. and removed bug The issue is a bug. needs investigation The issue needs to be investigated by the maintainers or/and the community. waiting for author response The pull request is waiting for the author to respond to comments in the pull request. by design The issue is describing an expect behavior. labels Aug 31, 2021
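To make the root cause concrete, here is an added example (not SharePointDsc code, and not something posted in this thread) that rebuilds the mapping array from the issue's configuration with plain objects standing in for what New-SPClaimTypeMapping returns, then runs the IdentifierClaim validation both ways: against MappedClaimType, as the Set method did, and against InputClaimType, as the fix does. The property names InputClaimType and MappedClaimType are the ones named in the comment above; the function names and the stand-in objects are assumptions so that the script runs without a SharePoint farm.

```powershell
# Constructed stand-in for the ClaimsMappings block of the failing configuration.
$claimsMappings = @(
    @{ Name = 'name';  IncomingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
       LocalClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' }
    @{ Name = 'Email'; IncomingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' }
    @{ Name = 'Role';  IncomingClaimType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' }
)
$identifierClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Mirrors the mapping loop quoted in the thread: when no LocalClaimType is given,
# the incoming claim type is reused as the local one. Objects are hypothetical
# stand-ins for SPClaimTypeMapping, exposing only the two properties the check uses.
function New-MappingArray($mappings) {
    $result = @()
    foreach ($m in $mappings) {
        $local = if ($null -eq $m.LocalClaimType) { $m.IncomingClaimType } else { $m.LocalClaimType }
        $result += [pscustomobject]@{
            DisplayName     = $m.Name
            InputClaimType  = $m.IncomingClaimType   # claim type as sent by the identity provider
            MappedClaimType = $local                 # claim type as stored by SharePoint
        }
    }
    return $result
}

# The validation itself. Without -UseInputClaimType it compares against the mapped
# (local) claim type, which is the behaviour that produced the error in this issue;
# with the switch it compares against the incoming claim type, which is the fix.
function Test-IdentifierClaim($mappingArray, $identifier, [switch]$UseInputClaimType) {
    $property = if ($UseInputClaimType) { 'InputClaimType' } else { 'MappedClaimType' }
    return ($mappingArray.$property -contains $identifier)
}

$array = New-MappingArray $claimsMappings

# .../name is only an InputClaimType here (it is mapped to .../upn), so the original
# comparison finds no match and the Set method would throw.
if (-not (Test-IdentifierClaim $array $identifierClaim)) {
    Write-Host 'Original check: IdentifierClaim does not match any claim type specified in ClaimsMappings.'
}

# Comparing against InputClaimType accepts the configuration from the issue.
if (Test-IdentifierClaim $array $identifierClaim -UseInputClaimType) {
    Write-Host 'Corrected check: IdentifierClaim matches the incoming claim type of the "name" mapping.'
}
```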
@bartvermeersch
Contributor Author

Sorry I didn't follow up, I had to switch projects. Thank you @ykuijs for the fix! (I also missed the issue in the code)
