X-Guardian / AdfsDsc

DSC resources for deployment and configuration of Active Directory Federation Services
MIT License

AdfsWebApiApplication fails Test for CustomClaims IssuanceTransformRules #57

Closed heinejeppesen closed 1 year ago

heinejeppesen commented 1 year ago

Hi,

I'm trying to set up a WebApi application, which just works great. But the test always comes back as non-compliant, but the verbose logs show absolutely nothing to be non-compliant.

After digging into the module, I found the issue - I create two IssuanceTransformRules using the module, which works great. But evaluating if there are two rules - with only one rule, it works fine.

I tried outputting the content of $propertiesNotInDesiredState as it had a count of 1, where I expected 0.

    VERBOSE: [ADFS001]: [[AdfsWebApiApplication]afmotorWebAPI] Testing: 1
    VERBOSE: [ADFS001]: [[AdfsWebApiApplication]afmotorWebAPI] key Expected ParameterName InDesiredState Actual Microsoft.Management.Infrastructure.CimInstance[] IssuanceTransformRules False Microsoft.Management.Infrastructure.CimInstance[]

To me, it seems the compare function can't handle multiple instances of IssuanceTransformRules

My two rules are:

    IssuanceTransformRules = @(
        MSFT_AdfsIssuanceTransformRule
        {
            TemplateName = 'CustomClaims'
            Name         = 'Issue NameIdentifier'
            CustomRule   = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";givenName;{0}", param = c.Value);'
        }
        MSFT_AdfsIssuanceTransformRule
        {
            TemplateName       = 'EmitGroupClaims'
            Name               = 'GroupClaims'
            GroupName          = "SendingGroup"
            OutgoingClaimType  = 'http://schemas.xmlsoap.org/claims/Group'
            OutgoingClaimValue = 'Smurf'
        }
    )

X-Guardian commented 1 year ago

Hi @heinejeppesen. It sounds like there is a bug in the Test-DscPropertyState function, probably in the array compare logic here.

If you run Start-DscConfiguration on your config with the -debug option and post the output, it may help us see what the issue is. I want to see the debug output of this code.

X-Guardian commented 1 year ago

I've investigated this issue, and the problem is not due to the multiple rules; it is a bug with the comparison of CustomClaims IssuanceTransformRules.
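
The Test output in the first post prints only the type name `CimInstance[]` for both Expected and Actual, which hides the value that differs. As an added example (not code from AdfsDsc or from this thread), a per-rule, per-property comparison that reports the differing value; `Compare-RuleSet` is a hypothetical helper, hashtables stand in for the CIM instances, and the "actual" data is constructed rather than taken from the issue.

```powershell
# Hypothetical helper, not an AdfsDsc function. Hashtables stand in for the
# MSFT_AdfsIssuanceTransformRule instances that DSC passes as CimInstance[].
function Compare-RuleSet {
    param (
        [Parameter(Mandatory)] [hashtable[]] $Expected,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [hashtable[]] $Actual
    )
    # Index the actual rules by Name so rule order does not matter.
    $actualByName = @{}
    foreach ($rule in $Actual) { $actualByName[$rule.Name] = $rule }

    foreach ($rule in $Expected) {
        $found = $actualByName[$rule.Name]
        if ($null -eq $found) {
            [pscustomobject]@{ Rule = $rule.Name; Property = '(rule)'; Expected = 'present'; Actual = 'missing' }
            continue
        }
        foreach ($key in $rule.Keys) {
            # -cne is a case-sensitive, exact string comparison.
            if ([string]$rule[$key] -cne [string]$found[$key]) {
                [pscustomobject]@{ Rule = $rule.Name; Property = $key; Expected = $rule[$key]; Actual = $found[$key] }
            }
        }
        $actualByName.Remove($rule.Name)
    }
    # Rules left over exist in the actual state but not in the configuration.
    foreach ($name in $actualByName.Keys) {
        [pscustomobject]@{ Rule = $name; Property = '(rule)'; Expected = 'absent'; Actual = 'present' }
    }
}

# Expected: the two rules from the configuration in the first post.
$customRule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";givenName;{0}", param = c.Value);'
$expected = @(
    @{ TemplateName = 'CustomClaims'; Name = 'Issue NameIdentifier'; CustomRule = $customRule }
    @{ TemplateName = 'EmitGroupClaims'; Name = 'GroupClaims'; GroupName = 'SendingGroup'
       OutgoingClaimType = 'http://schemas.xmlsoap.org/claims/Group'; OutgoingClaimValue = 'Smurf' }
)
# Actual: constructed sample, reordered and with one deliberate difference
# (the CustomRule comes back without its trailing semicolon).
$actual = @(
    $expected[1]
    @{ TemplateName = 'CustomClaims'; Name = 'Issue NameIdentifier'; CustomRule = $customRule.TrimEnd(';') }
)
Compare-RuleSet -Expected $expected -Actual $actual | Format-List
```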