protected override void FillClaimsForEntity(Uri context, SPClaim entity, SPClaimProviderContext claimProviderContext, List<SPClaim> claims)
{
Augment(context, entity, claimProviderContext, claims);
}
protected override void FillClaimsForEntity(Uri context, SPClaim entity, SPClaimProviderContext claimProviderContext, List <SPClaim> claims)
{
//base.FillClaimsForEntity(context, entity, claimProviderContext, claims);
string provider = entity.OriginalIssuer.ToLower();
//if (entity.Value.Contains("zimbramembershipprovider") || entity.Value.Contains("zimbraroleprovider"))
//if((entity.OriginalIssuer.Contains("ZimbraClaimProvider")) || (entity.Value.Contains("zimbramembershipprovider")) || (entity.Value.Contains("zimbraroleprovider")))
//if (provider.Contains("zimbramembershipprovider") || provider.Contains("zimbraroleprovider") || provider.Contains("zimbraclaimprovider") || provider.Contains("securitytokenservice"))
if (provider.Contains("zimbraclaimprovider") || (provider.Contains("securitytokenservice") && entity.Value.Contains("zimbraclaimprovider")))
{
//0#.f|zimbramembershipprovider|12073385
string identifier = entity.Value.Split('|').Last();
MembershipUser user;
if (!string.IsNullOrWhiteSpace(identifier))
{
user = Provider.GetUser(identifier, true);
}
else
{
user = Provider.GetUser(entity.Value, true);
}
ZimbraMembershipUser zuser = null;
if (user != null && user.GetType() == typeof(ZimbraMembershipUser))
{
zuser = user as ZimbraMembershipUser;
}
if (zuser != null)
{
Type tuser = zuser.GetType();
PropertyInfo[] properties = tuser.GetProperties();
IEnumerable <ZimbraClaim> zimbraClaims = ZimbraClaimsMapped.Claims.Where(x => x.ClaimTypeValue != null);
foreach (ZimbraClaim claim in zimbraClaims)
{
PropertyInfo propertyInfo = properties.SingleOrDefault(p => p.Name == claim.Name);
if (propertyInfo != null && propertyInfo.Name == claim.Name)
{
if (propertyInfo.PropertyType == typeof(string))
{
string value = propertyInfo.GetValue(zuser) as string;
if (!string.IsNullOrWhiteSpace(value))
{
SPClaim spclaim = CreateClaim(claim.ClaimType, value, claim.ClaimTypeValue);
if (!claims.Contains(spclaim))
{
claims.Add(spclaim);
}
}
}
else
{
IList values = (IList)propertyInfo.GetValue(zuser);
if (values != null)
{
foreach (string value in values)
{
if (!string.IsNullOrWhiteSpace(value))
{
SPClaim spclaim = CreateClaim(claim.ClaimType, value, claim.ClaimTypeValue);
if (!claims.Contains(spclaim))
{
claims.Add(spclaim);
}
}
}
}
}
}
}
}
}
}
/// <summary>
/// Perform augmentation of entity supplied
/// </summary>
/// <param name="context"></param>
/// <param name="entity">entity to augment</param>
/// <param name="claimProviderContext">Can be null</param>
/// <param name="claims"></param>
protected virtual void Augment(Uri context, SPClaim entity, SPClaimProviderContext claimProviderContext, List<SPClaim> claims)
{
// Augment role claims of current user
AzureCPLogging.Log(String.Format("[{0}] FillClaimsForEntity called, incoming envity: \"{1}\", claim type: \"{2}\", claim issuer: \"{3}\"", ProviderInternalName, entity.Value, entity.ClaimType, entity.OriginalIssuer),
TraceSeverity.VerboseEx, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation);
SPSecurity.RunWithElevatedPrivileges(delegate ()
{
if (!Initialize(context, null))
return;
this.Lock_Config.EnterReadLock();
try
{
if (!this.CurrentConfiguration.AugmentAADRoles)
return;
// Check if there are groups to add in SAML token
var groups = this.ProcessedAzureObjects.FindAll(x => x.ClaimEntityType == SPClaimEntityTypes.FormsRole);
if (groups.Count == 0)
{
AzureCPLogging.Log(String.Format("[{0}] No object with ClaimEntityType = SPClaimEntityTypes.FormsRole found.", ProviderInternalName),
TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation);
return;
}
if (groups.Count != 1)
{
AzureCPLogging.Log(String.Format("[{0}] Found \"{1}\" objects configured with ClaimEntityType = SPClaimEntityTypes.FormsRole, instead of 1 expected.", ProviderInternalName),
TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation);
return;
}
AzureADObject groupObject = groups.First();
SPClaim curUser;
if (SPClaimProviderManager.IsUserIdentifierClaim(entity))
curUser = SPClaimProviderManager.DecodeUserIdentifierClaim(entity);
else
{
if (SPClaimProviderManager.IsEncodedClaim(entity.Value))
curUser = SPClaimProviderManager.Local.DecodeClaim(entity.Value);
else
curUser = entity;
}
SPOriginalIssuerType loginType = SPOriginalIssuers.GetIssuerType(curUser.OriginalIssuer);
if (loginType == SPOriginalIssuerType.TrustedProvider || loginType == SPOriginalIssuerType.ClaimProvider)
{
string input = curUser.Value;
// Get user in AAD from UPN claim type
List<AzureADObject> identityObjects = ProcessedAzureObjects.FindAll(x =>
String.Equals(x.ClaimType, IdentityAzureObject.ClaimType, StringComparison.InvariantCultureIgnoreCase) &&
!x.CreateAsIdentityClaim);
if (identityObjects.Count != 1)
{
// Expect only 1 object with claim type UPN
AzureCPLogging.Log(String.Format("[{0}] Found \"{1}\" objects configured with identity claim type {2} and CreateAsIdentityClaim set to false, instead of 1 expected.", ProviderInternalName, identityObjects.Count, IdentityAzureObject.ClaimType),
TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation);
return;
}
AzureADObject identityObject = identityObjects.First();
List<AzurecpResult> results = new List<AzurecpResult>();
BuildFilterAndProcessResults(input, identityObjects, true, context, null, ref results);
if (results.Count == 0)
{
// User not found
AzureCPLogging.Log(String.Format("[{0}] User with {1}='{2}' was not found in Azure tenant(s).", ProviderInternalName, identityObject.GraphProperty.ToString(), input),
TraceSeverity.Verbose, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation);
return;
}
else if (results.Count != 1)
{
// Expect only 1 user
AzureCPLogging.Log(String.Format("[{0}] Found \"{1}\" users with {2}='{3}' instead of 1 expected, aborting augmentation.", ProviderInternalName, results.Count, identityObject.GraphProperty.ToString(), input),
TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation);
return;
}
AzurecpResult result = results.First();
// Get groups this user is member of from his Azure tenant
AzureTenant userTenant = this.CurrentConfiguration.AzureTenants.First(x => String.Equals(x.TenantId, result.TenantId, StringComparison.InvariantCultureIgnoreCase));
AzureCPLogging.Log(String.Format("[{0}] Getting membership of user \"{1}\" on tenant {2}", ProviderInternalName, input, userTenant.TenantName),
TraceSeverity.Verbose, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation);
List<AzurecpResult> userMembership = GetUserMembership(result.DirectoryObjectResult as User, userTenant);
foreach (AzurecpResult groupResult in userMembership)
{
Group group = groupResult.DirectoryObjectResult as Group;
SPClaim claim = CreateClaim(groupObject.ClaimType, group.DisplayName, groupObject.ClaimValueType);
claims.Add(claim);
AzureCPLogging.Log(String.Format("[{0}] user {1} augmented with Azure AD group \"{2}\" (claim type {3}).", ProviderInternalName, input, group.DisplayName, groupObject.ClaimType),
TraceSeverity.Medium, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation);
}
//foreach (Role role in userMembership.Roles)
//{
// // Azure AD fixed Organizational roles (global admin, billing admin, service admin, user admin, password admin)
// SPClaim claim = CreateClaim(groupObject.ClaimType, role.DisplayName, groupObject.ClaimValueType, false);
// claims.Add(claim);
// AzureCPLogging.Log(String.Format("[{0}] user {1} augmented with Azure AD role \"{2}\" (claim type {3}).", ProviderInternalName, input, role.DisplayName, groupObject.ClaimType),
// TraceSeverity.Medium, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation);
//}
}
}
catch (Exception ex)
{
AzureCPLogging.LogException(ProviderInternalName, "in FillClaimsForEntity", AzureCPLogging.Categories.Claims_Augmentation, ex);
}
finally
{
this.Lock_Config.ExitReadLock();
}
});
}
