canariecaf / adfstoolkit
This project forked from fedtools/adfstoolkit
Powershell scripts used to handle SAML2 multi-lateral federation aggregates
License: Apache License 2.0
This is for convenience. Current implementation uses SHA256 fingerprint only WITHOUT colons.
For user usability, it should accept a fingerprint as output from openssl
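An added example (not ADFSToolkit code, and not part of the issue above) of accepting both fingerprint forms: the bare hex string the toolkit stores and the colon-separated `SHA256 Fingerprint=` line that openssl prints. Function names are hypothetical, and the comparison helper expects the caller to have loaded the aggregate signing certificate.

```powershell
# Added example, not ADFSToolkit code. Function names are hypothetical.
function ConvertTo-NormalizedFingerprint {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Fingerprint)

    # Drop an optional "SHA256 Fingerprint=" / "SHA1 Fingerprint=" prefix as printed by
    # `openssl x509 -noout -fingerprint -sha256`, then remove colons and whitespace
    # and upper-case the hex digits (-replace is case-insensitive by default).
    $value = $Fingerprint -replace '^\s*SHA(1|256)\s+Fingerprint\s*=\s*', ''
    $value = ($value -replace '[:\s]', '').ToUpperInvariant()

    # 64 hex digits = SHA-256, 40 = SHA-1; anything else is mistyped input,
    # better rejected at configuration time than at aggregate import.
    if ($value -notmatch '^([0-9A-F]{64}|[0-9A-F]{40})$') {
        throw "'$Fingerprint' is not a SHA-1 or SHA-256 certificate fingerprint."
    }
    return $value
}

function Test-CertificateFingerprint {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ExpectedFingerprint
    )
    $expected = ConvertTo-NormalizedFingerprint -Fingerprint $ExpectedFingerprint
    # Pick the digest from the fingerprint length so SHA-1 and SHA-256 configs both work.
    if ($expected.Length -eq 64) { $hasher = [System.Security.Cryptography.SHA256]::Create() }
    else                         { $hasher = [System.Security.Cryptography.SHA1]::Create() }
    # Hash the DER bytes of the certificate; works on Windows PowerShell 5.1 and PowerShell 7.
    $actual = ($hasher.ComputeHash($Certificate.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
    $hasher.Dispose()
    return ($actual -eq $expected)
}

# Constructed sample input in openssl's format (not a real federation fingerprint).
$fromOpenssl = 'SHA256 Fingerprint=' + ('AB:CD:EF:01:23:45:67:89:' * 4).TrimEnd(':')
ConvertTo-NormalizedFingerprint -Fingerprint $fromOpenssl
```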
The following line of code in Add-ADFSTkSPRelyingPartyTrust.ps1 should have better error handling (row 95):
$EntityCategories += $sp.Extensions.EntityAttributes.Attribute | ? Name -eq "http://macedir.org/entity-category" | select -ExpandProperty AttributeValue | % { ...
I got the following error from Gothenburg University:
select : Property "AttributeValue" cannot be found.
At C:\Program Files\WindowsPowerShell\Modules\ADFSToolkit\0.9.1.40\Private\Add-ADFSTkSPRelyingPartyTrust.ps1:95 char:12
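An added example (not ADFSToolkit code) of reading entity categories without the "Property AttributeValue cannot be found" failure quoted above, which Select-Object -ExpandProperty raises when an Attribute element carries no AttributeValue children. The function name is hypothetical and the metadata is constructed.

```powershell
# Added example, not ADFSToolkit code. Function name is hypothetical.
function Get-EntityCategories {
    param([Parameter(Mandatory)] [System.Xml.XmlElement] $EntityDescriptor)
    $categories = @()
    # Property access on missing nodes yields $null; @() turns that into an empty set.
    $attributes = @($EntityDescriptor.Extensions.EntityAttributes.Attribute |
        Where-Object { $_.Name -eq 'http://macedir.org/entity-category' })
    foreach ($attr in $attributes) {
        foreach ($value in @($attr.AttributeValue)) {
            if ($null -eq $value) { continue }   # <Attribute/> with no values: skip, do not throw
            # A value with XML attributes (e.g. xsi:type) is an XmlElement whose text sits in '#text'.
            $text = if ($value -is [System.Xml.XmlElement]) { $value.'#text' } else { [string]$value }
            if (-not [string]::IsNullOrWhiteSpace($text)) { $categories += $text.Trim() }
        }
    }
    return ,$categories   # the comma keeps an empty result an array instead of $null
}

# Constructed sample aggregate: sp1 has two categories, sp2 has an empty Attribute
# (the shape that produced the error above), sp3 has no EntityAttributes at all.
[xml] $metadata = @'
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <EntityDescriptor entityID="https://sp1.example.edu/shibboleth">
    <Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp2.example.edu/shibboleth">
    <Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category" />
    </mdattr:EntityAttributes></Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp3.example.edu/shibboleth" />
</EntitiesDescriptor>
'@

foreach ($sp in $metadata.EntitiesDescriptor.EntityDescriptor) {
    $cats = Get-EntityCategories -EntityDescriptor $sp
    '{0}: {1} entity categories' -f $sp.entityID, $cats.Count
}
```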
Scheduled task should not point to specific configuration version.
Move sync-adfstkaggregates to module folder
For some RP:s it would be good to block logins directly in ADFS.
We should discuss if it's a good idea to add configuration for this.
The parts that populate Attributes and Entity Categories are called when every SP is loading.
Instead of loading those values from disk, make use of global variables.
That will make the Toolkit faster and more reliable.
When PowerShell code is signed, any PowerShell code to be included requires a code signing block. This means that anything that overrides an SP setting will break the signature in the current model.
To support an execution policy of remoteSigned externalizing the SP overrides into user controlled space/origin is required.
A known style used by Apache, NGINX, and FreeRADIUS will be used. The style is a directory of sites-available (things you can use), and sites-enabled (things actively configured).
Adopting this model allows for flexibility of selecting known configuration for Service Providers/Relying Parties and ingesting all records in sites-enabled will permit easier, more fine grained updates and NOT require a Module reload.
A parent directory set to the version of the Module will be used to better mitigate Module updates triggering errors in running code.
Functional features required:
The act of enabling a service is to place a file in sites-available and issue:
publish-ADFSTkSPSettings -name -config /path/config.xml [-refresh] which will:
attempt to load the given config and named powershell anchored in sites-available
copy the file into c:\adfstoolkit<module-version>\sites-enabled
if -refresh is provided it will trigger the issuance of the command import-ADFSTkMetadata for the invocation of the import of that record.
a log record will be written to the ADFSTk EventLog
unpublish-ADFSTkSPSettings -name <filename> -config /path/config.xml [-refresh] will:
attempt to load the given config and named powershell anchored in sites-available
ask the user 'are you sure' (defaulting to No) before moving the file from sites-enabled to sites-disabled
move the file
if -refresh is provided it will trigger the issuance of the command import-ADFSTkMetadata for the invocation of the import of that record.
a log record will be written to the ADFSTk EventLog
In the above commands, the notion of which aggregate the entity originates from is important and pivots on the notion of the configuration file to source the aggregate fingerprint. It is plausible that an entityid MAY exist in both but one or the other is tweaked and may need to be reviewed during implementation.
Add Logout endpoint(s) to the SP.
ADFS logout URL = https://[IdP]/adfs/ls/?wa=wsignout1.0
Get the post/redirect URL from metadata
Sometimes the configuration for this toolkit is complex and would be well served by a native interface to gather reference settings for the tool.
These settings could be XML fetched from the web or built into a web GUI that in turn builds the necessary XML
Highly useful items:
The configuration should be verified on startup.
Different configurations for different versions.
As we use eventlog for our activity, it may be helpful to have some specific cmdlets to assist viewing the log and possibly used to bundle output into a support request.
https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/21/event-log-queries-using-powershell/
We shouldn't have any hard-coded texts in the scripts.
All texts should be fetched from language files.
ADFSTk uses the same SHA1/SHA256 from the signing certificate in the ADFS RP.
This isn't always right (but it's the only data we have to work with).
It should be possible to force SHA1/SHA256 from the local configuration.
$AllSPs | % {
Needs to do a null check on the set for processing before handling the request for removing entities
If ADFSTk should be able to use federation specific configuration we need to let the IdP admin choose federation and save that in the institution config file.
Some sites may desire multiple aggregates to be loaded.
Expectations around these aggregates are:
Other conditions:
The nested module import is not importing the module in the expected fashion and, as a module, should not require its import.
Review the technique and resolve preferably with the module base or by dropping the import technique entirely and rely on the execution environment which may sacrifice the operation of the tool as a delivered zip (or review how to discretely allow for both approaches preferably.)
Hard to reproduce but when there is a log to disk option selected, these errors may appear:
Add-Content : The process cannot access the file '\globemaster\HomeFolders\cphillips\Documents\gitcontrolled\adfstoolkit\status2.log'
because it is being used by another process.
At \globemaster\HomeFolders\cphillips\Documents\gitcontrolled\adfstoolkit\ADFSToolkit\Private\Write-Log.ps1:267 char:17
Add-Content -Path $LogFilePath -Value $FileMessage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is PowerShell not being able to log when the event log can be used. Likely benign, but recorded here for tracking the known issue.
If a new version of ADFSToolkit introduces changes to the institution configuration, the version of the default configurations should increase and we need a cmdlet to upgrade the current institution configuration.
Assemble scripts/code in such a fashion that the code is efficiently, reliably, authentically, and securely published to PowerShellGallery.com
Let ADFS Toolkit have the possibility to include Federation specific Entity Categories.
If a federation specifies the same Entity Category that are already present in ADFS Toolkit, the federation Entity Category should take over.
Add eduPersonUniqueID to the default config file...
The discrete filters for a given entity need to:
[ ] migrate out of the Private folder into the config folder since it's a user managed assignment
[ ] be renamed to a more semantic meaning name to clearly identify it
We should ensure that we create the eventlog type or adhere to the common one that exists. Once there, we should:
[ ] ensure our logging is being written to it
[ ] appropriate log levels are applied (TRACE, DEBUG, INFO, WARN, ERROR, FATAL)
Cleanup of the creation/release of Transient Name Id
When an aggregate is retrieved and uses SHA256 to sign things, Windows Server 2012 R2 does not have the necessary signature verification suite.
If it is detected as not available, it is possible with Administrator level access to ADD SHA256 signature validation to the host's accepted cryptographic signatures.
The resolution path should:
The error when the aggregate cannot be retrieved is really that the file cannot be written to disk, usually as a result of the directory not existing in the working path of the configuration.
This should be improved either with a more valid error or to ensure that the file location exists and if not, throw an error that way.
Added IDs to logging events, making logs easier to search
Change handling of directories for different versions of ADFSTk.
Move institution config to a specific folder, not in an ADFSTk version folder.
Support for releasing PersistentId
It should be possible to address transform rule(s) to all SP:s
It should be possible to address transform rule(s) to all SP:s within a domain (ends with *.edu.org or *.sub.edu.org)
Identify the necessary language specific elements and adopt the recommended i18n model for the strings where possible.
A requirement for #4
This enhancement is for sites without an AD schema containing eduPersonAffiliation.
For those we desire the attribute to be handled as follows and configurable in the config file
It is worth noting that a user may be present in multiple groups, so we should strive for the calculation to encapsulate building a multivalued array for said members.
SWAMID needs to add a couple of attributes to CoCo.
In the future we should move this kind of change to Federation specific entity categories.
This change will not affect other federations.
When a new configuration is created a new powershell job should be written so that the way to schedule 'the job' is to take said ADFSTkjob.ps1 and schedule that and all the switches and necessary activities will live inside the job itself.
Discovered that on the specific import of an entity there is a cut-and-paste error where EntityBase is used that should instead be entityID.
This prevents individual entities from being added properly.
Attribution to University of Umea with many thanks for the report of the problem.
If you have attribute releases with the same source attribute and the attribute releases are limited within a federation, the limit is not always enforced.
Mappings on eduPersonAffiliation are applied per Relying Party. This means the mappings are configured thousands of times for large aggregates. There may be a more clever way to perform the mapping.
During the creation of the configuration file, users are asked for the ADFS external DNS name. There is no prevention to detect an IP address as opposed to an FQDN. FQDNs should be used and IP addresses should be prevented.
This is actually the default behaviour of ADFS but not the actual tool.
This is similar to the previous question:
No references are made to this function anymore and if it's necessary, it should be migrated to the new naming convention.
If it is not, we should remove it. It may have a key function but no longer needed?
update logging technique to:
[ ] not require logfilepath as a required attribute
[ ] to exclusively use eventlog
[ ] to retain the ability to configure which log via the config directives
[ ] to make code adjustments on validation on import launch and related help text for the command to function as expected
ADFS has a property Secure hash algorithm found under the Advanced tab in the GUI. It's not populated correctly at this moment.
For most of the RP:s that's fine (the default value is correct) but a few need to change and then you have to override the script (change the name to exclude the prefix).
I'm not sure if this value exists in the metadata or if we can use the signature algorithm from the signing certificate. This needs a bit of investigation.
It does not appear to be referenced anymore and is actually 'Get-LiUAnswer' in the file, which is also not referenced. If we are not using it, it should be dropped.
If we are, it should migrate to the new naming convention and elaborated on where to use it since it is not referenced anymore.
PowerShell from the PowerShell Gallery bakes a version number into the path for the module. This should either be baked into the working path as a default for convenience for out of the box running.
Going forward, the notion of the working path being created MAY be asked for during the creation of the configuration file in order to create the directory and necessary supporting locations where files live (/cache etc).
[ ] template should contain version of toolkit from powershell module
[ ] user created configuration file should use the MetadataPrefix
[ ] attempt to detect existing config file before overwriting would be helpful to prevent users hurting themselves.
attributeResolver eduPersonUniqueID is mapped to norEduPersonLIN
Recommend to be abstracted to XML configuration for attribute mapping
Not a bug, but certainly a magic assignment that doesn't port across regions/directories doing this and would be something to be edited the moment it's needed.
While appveyor can do CI tests, we need to tell it what to test. I propose these minimal ones:
[ ] validate a signed aggregate can be validated
[ ] validate an aggregate fails signature by bad hash value
[ ] validate an aggregate fails validation due to changes within the signed XML
This may require that we bundle sample tainted aggregates such that the tests are performed ok OR that we have the ability to fetch a signed aggregate and THEN attempt to manipulate THAT one (simply adding a character or changing a space should do) to trigger validation failure.
This is what people see when they type get-help. It should be a bit better.