LDAP Custom Attribute Store for ADFS 2.0

Installation of the LDAP Custom Attribute Store

First, download the latest version of the solution. You can download either the source code or the compiled DLL (LDAPAttributeStore.dll).
Copy LDAPAttributeStore.dll into the %systemdrive%\Program Files\Active Directory Federation Services 2.0\ directory.
Open the ADFS Management Console and add a "Custom Attribute Store" in the "Attribute Store" section:
  • DisplayName: LDAP Attribute Store
  • Custom Attribute Store Class Name: LDAPAttributeStore.LDAPAttributeStore, LDAPAttributeStore
  • Optional Initialization Parameters:
    • servername: IP address or name of your LDAP server (ex: ldapserver, ldapserver.contoso.local)
    • port: your LDAP TCP port (ex: 389, 636)
    • username: the DN of a user that has the rights required to read objects in your LDAP organization (ex: uid=org_read,ou=users,o=system)
    • password: the password of that user, base64 encoded
    • secured: if true, use LDAPS; if false, use LDAP (true / false)
    • root: the node where the search starts (ex: o=myorganization). This parameter is optional: if root is empty or absent, the search starts at the root of the organization.
    • objectClass: the class of your user object in your LDAP directory (user, person, inetOrgPerson ...). This parameter is deprecated since version 2.0.

You can use PowerShell to configure your new Custom Attribute Store. First, add the ADFS PowerShell snap-in:
Add-PSSnapin Microsoft.Adfs.PowerShell

Then, add your custom attribute store:
Add-ADFSAttributeStore -Configuration <hashtable> -Name <string> -TypeQualifiedName <string> [-Confirm]

For example:
Add-ADFSAttributeStore -Name myLDAPAttributeStore -TypeQualifiedName 'LDAPAttributeStore.LDAPAttributeStore, LDAPAttributeStore' -Configuration @{"servername" = "myldapserver.contoso.com" ; "port" = "50002" ; "username" = "cn=org_read,cn=system,o=myOrganization,c=fr" ; "password" = "UEBzc3cwcmQ=" ; "secured" = "false" ; "root" = "o=myOrganization,c=fr" } -Confirm
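The following PowerShell script is an added example, not part of the project's documentation. It builds the same configuration hashtable as the command above, but prompts for the bind password and base64-encodes it at run time so the clear-text password never has to be pasted into a script or shell history. The server name, bind DN and search root are placeholders; Get-ADFSAttributeStore and Set-ADFSAttributeStore come from the same Microsoft.Adfs.PowerShell snap-in as the Add- cmdlet on this page.

```powershell
# Added example (not the project's own code): register or update the LDAP
# attribute store without keeping the bind password in clear text anywhere.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$storeName = 'myLDAPAttributeStore'
$bindDn    = 'cn=org_read,cn=system,o=myOrganization,c=fr'   # placeholder bind DN

# Prompt for the bind password as a SecureString, then convert it only long
# enough to base64-encode it (the store expects the base64 form).
$secure = Read-Host -Prompt 'LDAP bind password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
$b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($plain))

# Base64 is an encoding, not encryption: anyone who can read the store
# configuration can recover the password, so the bind account should only
# have read rights and 'secured' should be true so the bind goes over LDAPS.
$config = @{
    'servername' = 'myldapserver.contoso.com'   # placeholder LDAP server
    'port'       = '636'                        # LDAPS port
    'username'   = $bindDn
    'password'   = $b64
    'secured'    = 'true'
    'root'       = 'o=myOrganization,c=fr'      # placeholder search base
}

# The store reads every initialization parameter as text, so refuse anything
# that is not a string before it reaches ADFS.
foreach ($key in @($config.Keys)) {
    if ($config[$key] -isnot [string]) {
        throw "Parameter '$key' must be a string, got $($config[$key].GetType().Name)"
    }
}

if (Get-ADFSAttributeStore -Name $storeName -ErrorAction SilentlyContinue) {
    # Store already registered: only update its configuration.
    Set-ADFSAttributeStore -TargetName $storeName -Configuration $config
} else {
    Add-ADFSAttributeStore -Name $storeName `
        -TypeQualifiedName 'LDAPAttributeStore.LDAPAttributeStore, LDAPAttributeStore' `
        -Configuration $config
}

Get-ADFSAttributeStore -Name $storeName | Format-List Name, StoreTypeQualifiedName
```

Run it from an elevated PowerShell on the federation server. The Get-/Set- branch lets the same script be re-run when the bind password is rotated, which is the usual operational reason to touch this configuration.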

How to query the custom LDAP Attribute Store

With this Attribute Store, you can query attributes of objects of a specific class. The format of the query is the following:
query = <LDAPfilter>;<attributelist>
  • filter: the LDAP filter that selects the object; the placeholder {0} is replaced with the source value passed in param
  • attributelist: the comma-separated list of attributes you want to retrieve
For example:
query = "(&(objectclass=user)(SAMAccountname={0}));UserPrincipalName", param = c.Value

You can then write your custom claims rule. For example, to find in the LDAP store the mail and the uid of a user and add those values to the email and ppid claims (in this example, the cn of the user in the LDAP store is the samaccountname of the user in Active Directory):
 c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "myLDAPAttributeStore", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = "(&(objectclass=user)(cn={0}));mail,uid", param = c.Value ); 
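The script below is an added example, not code from the project, covering both the query format above and the claims rule: it takes the same "<filter>;<attributelist>" string that the rule uses, performs the substitution of {0} and runs the search directly against the LDAP server with System.DirectoryServices.Protocols, so an administrator can check what mail and uid a rule would return for one user before attaching the rule to a relying party. The escaping helper follows RFC 4515 so that the substituted value is matched literally; it is this test script's own behaviour, not a statement about how the store handles the value. The server, bind DN, search root and relying party name are placeholders.

```powershell
# Added example (not the project's own code): dry-run an attribute store query
# against LDAP, then attach the claims rule to a relying party trust.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value substituted into a search filter.
    param([string]$Value)
    $v = $Value.Replace('\', '\5c')   # backslash first, so later escapes stay intact
    $v = $v.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $v.Replace([string][char]0, '\00')
}

function Test-LdapStoreQuery {
    param(
        [string]$Server, [int]$Port, [bool]$Secured,
        [string]$BindDn, [string]$Base64Password, [string]$Root,
        [string]$Query,   # same "<filter>;<attr,attr>" string as in the claims rule
        [string]$Param    # value that replaces {0} (the claim value in ADFS)
    )
    # Split the query the same way the rule syntax describes it.
    $filter, $attrList = $Query -split ';', 2
    $attrs  = @($attrList -split ',' | ForEach-Object { $_.Trim() })
    $filter = $filter.Replace('{0}', (ConvertTo-LdapFilterValue $Param))

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.SessionOptions.SecureSocketLayer = $Secured
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    # The store stores the password base64-encoded; decode it for the bind.
    $pwd = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Password))
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $pwd)
    try {
        $conn.Bind()
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest `
                     -ArgumentList $Root, $filter, $scope, $attrs
        $resp  = $conn.SendRequest($req)
        foreach ($entry in $resp.Entries) {
            $row = @{ dn = $entry.DistinguishedName }
            foreach ($a in $attrs) {
                # Missing attributes become an empty list instead of an error.
                if ($entry.Attributes.Contains($a)) {
                    $row[$a] = @($entry.Attributes[$a].GetValues([string]))
                } else {
                    $row[$a] = @()
                }
            }
            New-Object PSObject -Property $row
        }
    } finally {
        $conn.Dispose()
    }
}

# Constructed test call: what would the rule's query return for user 'jdoe'?
Test-LdapStoreQuery -Server 'myldapserver.contoso.com' -Port 636 -Secured $true `
    -BindDn 'cn=org_read,cn=system,o=myOrganization,c=fr' -Base64Password 'UEBzc3cwcmQ=' `
    -Root 'o=myOrganization,c=fr' -Query '(&(objectclass=user)(cn={0}));mail,uid' -Param 'jdoe' |
    Format-List

# Once the result looks right, attach the rule from the page to a relying party
# (placeholder trust name), keeping the rules that are already there.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$rule = @'
@RuleName = "LDAP mail and uid"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "myLDAPAttributeStore",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"),
          query = "(&(objectclass=user)(cn={0}));mail,uid", param = c.Value);
'@
$rpName   = 'My Relying Party'
$existing = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $rule)
```

Checking the query outside ADFS first separates two failure modes that look the same in the event log: a bind or network problem with the LDAP server, and a filter that simply matches nothing (or returns an entry without the requested attributes, which the function shows as an empty list).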

Last edited Oct 21, 2013 at 11:51 AM by olivierdx, version 7
