protected override void FillClaimsForEntity(Uri context, SPClaim entity, SPClaimProviderContext claimProviderContext, List<SPClaim> claims) { Augment(context, entity, claimProviderContext, claims); }
protected override void FillClaimsForEntity(Uri context, SPClaim entity, SPClaimProviderContext claimProviderContext, List <SPClaim> claims) { //base.FillClaimsForEntity(context, entity, claimProviderContext, claims); string provider = entity.OriginalIssuer.ToLower(); //if (entity.Value.Contains("zimbramembershipprovider") || entity.Value.Contains("zimbraroleprovider")) //if((entity.OriginalIssuer.Contains("ZimbraClaimProvider")) || (entity.Value.Contains("zimbramembershipprovider")) || (entity.Value.Contains("zimbraroleprovider"))) //if (provider.Contains("zimbramembershipprovider") || provider.Contains("zimbraroleprovider") || provider.Contains("zimbraclaimprovider") || provider.Contains("securitytokenservice")) if (provider.Contains("zimbraclaimprovider") || (provider.Contains("securitytokenservice") && entity.Value.Contains("zimbraclaimprovider"))) { //0#.f|zimbramembershipprovider|12073385 string identifier = entity.Value.Split('|').Last(); MembershipUser user; if (!string.IsNullOrWhiteSpace(identifier)) { user = Provider.GetUser(identifier, true); } else { user = Provider.GetUser(entity.Value, true); } ZimbraMembershipUser zuser = null; if (user != null && user.GetType() == typeof(ZimbraMembershipUser)) { zuser = user as ZimbraMembershipUser; } if (zuser != null) { Type tuser = zuser.GetType(); PropertyInfo[] properties = tuser.GetProperties(); IEnumerable <ZimbraClaim> zimbraClaims = ZimbraClaimsMapped.Claims.Where(x => x.ClaimTypeValue != null); foreach (ZimbraClaim claim in zimbraClaims) { PropertyInfo propertyInfo = properties.SingleOrDefault(p => p.Name == claim.Name); if (propertyInfo != null && propertyInfo.Name == claim.Name) { if (propertyInfo.PropertyType == typeof(string)) { string value = propertyInfo.GetValue(zuser) as string; if (!string.IsNullOrWhiteSpace(value)) { SPClaim spclaim = CreateClaim(claim.ClaimType, value, claim.ClaimTypeValue); if (!claims.Contains(spclaim)) { claims.Add(spclaim); } } } else { IList values = (IList)propertyInfo.GetValue(zuser); if (values != null) { foreach (string value in values) { if (!string.IsNullOrWhiteSpace(value)) { SPClaim spclaim = CreateClaim(claim.ClaimType, value, claim.ClaimTypeValue); if (!claims.Contains(spclaim)) { claims.Add(spclaim); } } } } } } } } } }
/// <summary> /// Perform augmentation of entity supplied /// </summary> /// <param name="context"></param> /// <param name="entity">entity to augment</param> /// <param name="claimProviderContext">Can be null</param> /// <param name="claims"></param> protected virtual void Augment(Uri context, SPClaim entity, SPClaimProviderContext claimProviderContext, List<SPClaim> claims) { // Augment role claims of current user AzureCPLogging.Log(String.Format("[{0}] FillClaimsForEntity called, incoming envity: \"{1}\", claim type: \"{2}\", claim issuer: \"{3}\"", ProviderInternalName, entity.Value, entity.ClaimType, entity.OriginalIssuer), TraceSeverity.VerboseEx, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation); SPSecurity.RunWithElevatedPrivileges(delegate () { if (!Initialize(context, null)) return; this.Lock_Config.EnterReadLock(); try { if (!this.CurrentConfiguration.AugmentAADRoles) return; // Check if there are groups to add in SAML token var groups = this.ProcessedAzureObjects.FindAll(x => x.ClaimEntityType == SPClaimEntityTypes.FormsRole); if (groups.Count == 0) { AzureCPLogging.Log(String.Format("[{0}] No object with ClaimEntityType = SPClaimEntityTypes.FormsRole found.", ProviderInternalName), TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation); return; } if (groups.Count != 1) { AzureCPLogging.Log(String.Format("[{0}] Found \"{1}\" objects configured with ClaimEntityType = SPClaimEntityTypes.FormsRole, instead of 1 expected.", ProviderInternalName), TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation); return; } AzureADObject groupObject = groups.First(); SPClaim curUser; if (SPClaimProviderManager.IsUserIdentifierClaim(entity)) curUser = SPClaimProviderManager.DecodeUserIdentifierClaim(entity); else { if (SPClaimProviderManager.IsEncodedClaim(entity.Value)) curUser = SPClaimProviderManager.Local.DecodeClaim(entity.Value); else curUser = entity; } SPOriginalIssuerType loginType = SPOriginalIssuers.GetIssuerType(curUser.OriginalIssuer); if (loginType == SPOriginalIssuerType.TrustedProvider || loginType == SPOriginalIssuerType.ClaimProvider) { string input = curUser.Value; // Get user in AAD from UPN claim type List<AzureADObject> identityObjects = ProcessedAzureObjects.FindAll(x => String.Equals(x.ClaimType, IdentityAzureObject.ClaimType, StringComparison.InvariantCultureIgnoreCase) && !x.CreateAsIdentityClaim); if (identityObjects.Count != 1) { // Expect only 1 object with claim type UPN AzureCPLogging.Log(String.Format("[{0}] Found \"{1}\" objects configured with identity claim type {2} and CreateAsIdentityClaim set to false, instead of 1 expected.", ProviderInternalName, identityObjects.Count, IdentityAzureObject.ClaimType), TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation); return; } AzureADObject identityObject = identityObjects.First(); List<AzurecpResult> results = new List<AzurecpResult>(); BuildFilterAndProcessResults(input, identityObjects, true, context, null, ref results); if (results.Count == 0) { // User not found AzureCPLogging.Log(String.Format("[{0}] User with {1}='{2}' was not found in Azure tenant(s).", ProviderInternalName, identityObject.GraphProperty.ToString(), input), TraceSeverity.Verbose, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation); return; } else if (results.Count != 1) { // Expect only 1 user AzureCPLogging.Log(String.Format("[{0}] Found \"{1}\" users with {2}='{3}' instead of 1 expected, aborting augmentation.", ProviderInternalName, results.Count, identityObject.GraphProperty.ToString(), input), TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation); return; } AzurecpResult result = results.First(); // Get groups this user is member of from his Azure tenant AzureTenant userTenant = this.CurrentConfiguration.AzureTenants.First(x => String.Equals(x.TenantId, result.TenantId, StringComparison.InvariantCultureIgnoreCase)); AzureCPLogging.Log(String.Format("[{0}] Getting membership of user \"{1}\" on tenant {2}", ProviderInternalName, input, userTenant.TenantName), TraceSeverity.Verbose, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation); List<AzurecpResult> userMembership = GetUserMembership(result.DirectoryObjectResult as User, userTenant); foreach (AzurecpResult groupResult in userMembership) { Group group = groupResult.DirectoryObjectResult as Group; SPClaim claim = CreateClaim(groupObject.ClaimType, group.DisplayName, groupObject.ClaimValueType); claims.Add(claim); AzureCPLogging.Log(String.Format("[{0}] user {1} augmented with Azure AD group \"{2}\" (claim type {3}).", ProviderInternalName, input, group.DisplayName, groupObject.ClaimType), TraceSeverity.Medium, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation); } //foreach (Role role in userMembership.Roles) //{ // // Azure AD fixed Organizational roles (global admin, billing admin, service admin, user admin, password admin) // SPClaim claim = CreateClaim(groupObject.ClaimType, role.DisplayName, groupObject.ClaimValueType, false); // claims.Add(claim); // AzureCPLogging.Log(String.Format("[{0}] user {1} augmented with Azure AD role \"{2}\" (claim type {3}).", ProviderInternalName, input, role.DisplayName, groupObject.ClaimType), // TraceSeverity.Medium, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation); //} } } catch (Exception ex) { AzureCPLogging.LogException(ProviderInternalName, "in FillClaimsForEntity", AzureCPLogging.Categories.Claims_Augmentation, ex); } finally { this.Lock_Config.ExitReadLock(); } }); }