Question
Consider the below Sample Scenario:
- I have a Single Active Directory Domain for Production, Test and for development (each separated at OU level).
- I want to install ADFS at test OU level and I do not want users authenticated at test OU ADFS to have access (both read and write) to other OU's.
Can this be possible ? Can we restrict ADFS 2.0 to work only under a particular OU ?
Answer 1:
Though restricting ADFS 2.0 to work under a specific OU is not feasible (from the resources I read and IMHO), we can restrict the user access within a specific OU.
This can be accomplished in two steps:
1. Add a claim rule to extract the AD object DN.
• To extract this claim, from the ADFS admin console, go to ADFS 2.0 -> Trust Relationships -> Claims Provider Trusts -> click on Active Directory -> Edit Claim Rules.
• Under Acceptance Transform Rules, add a new rule:
Claim rule name – DN (can be anything)
LDAP Attribute – distinguishedName
Outgoing claim type – http://temp.org/claims/DistinguishedName
• This will extract the DN of each object in the AD.
2. Add a new authorization rule (in the relying party trust of the required application) to allow users from a particular OU to access the application.
• Go to the ADFS admin console -> Trust Relationships -> Relying Party Trusts -> select the application -> Edit Claim Rules.
• Under Issuance Authorization Rules (second tab), remove the existing rule “Permit all users” (if any) and add a new rule using “Send Claims Using a Custom Rule”: Name: XXX (any value)
Custom rule: c:[Type == "http://temp.org/claims/DistinguishedName", Value =~ "^.*(OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
For example: users in OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB would have access
Users in OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB would have access
Users in OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB would NOT have access
For more details about adding DN, please refer to this link and for details about adding the custom rule, refer to the msdn post.
Answer 2:
Would it be possible to reverse the restrictions? So instead of allowing just 1 OU at a time could you allow everyone but one?
So the string could be
c:[Type == "http://temp.org/claims/DistinguishedName", Value =~ "^.*(OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "PermitUsersWithClaim");
This way everyone but the Employees OU would have access.
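The following Python script is an added example, not code from either answer or from Microsoft: it models how ADFS evaluates the issuance authorization rules from Answer 1 and Answer 2 against the DN claim, so the regex can be checked offline before it is pasted into the console. The sample DNs are constructed, modelled on the three examples in Answer 1. It shows three things a practitioner should verify: the regex only matches once the stray space before the OU path is removed; `=~` is a case-sensitive match, so a DN containing `OU=Org-users` is not matched unless the pattern carries the `(?i)` prefix; and the deny rule from Answer 2 only produces the "everyone except Employees" outcome when a "Permit all users" rule (`=> issue(Type = ".../permit", Value = "true");`) is present alongside it, because ADFS denies access when no permit claim is issued at all.

```python
import re

# Claim types used by the rules on this page.
DN_CLAIM_TYPE = "http://temp.org/claims/DistinguishedName"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

# DN regex from Answer 1, with the stray space before "(OU=" removed.
EMPLOYEES_PATTERN = r"^.*(OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$"
# The regex as it was originally pasted; kept only to show that it never matches a DN.
EMPLOYEES_PATTERN_WITH_SPACE = r"^.* (OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$"

# Constructed sample DNs modelled on the three examples in Answer 1 (not real accounts).
SAMPLE_DNS = {
    "alice": "CN=alice,OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB",
    "bob": "CN=bob,OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB",
    "carol": "CN=carol,OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB",
}

# A rule is (regex or None, authorization claim type to issue).
# None models the template "Permit all users" rule, which has no condition.
ANSWER1_RULES = [(EMPLOYEES_PATTERN, PERMIT)]
ANSWER2_RULES = [(EMPLOYEES_PATTERN, DENY)]
ANSWER2_RULES_WITH_PERMIT_ALL = [(None, PERMIT), (EMPLOYEES_PATTERN, DENY)]


def issued_claims(dn, rules):
    """Run the authorization rules over a single DN claim and return the
    authorization claim types they issue. The claim rule language's =~ is a
    case-sensitive regex match; re.search reproduces that for these anchored
    patterns, and an inline (?i) prefix makes either engine case-insensitive."""
    issued = []
    for pattern, claim_type in rules:
        if pattern is None or re.search(pattern, dn):
            issued.append(claim_type)
    return issued


def authorize(dn, rules):
    """ADFS grants access only when at least one permit claim is issued and no
    deny claim is issued; a deny always wins over a permit."""
    issued = issued_claims(dn, rules)
    if DENY in issued:
        return False
    return PERMIT in issued


def decisions(rules, dns=SAMPLE_DNS):
    """Map each sample user to the access decision under the given rule set."""
    return {user: authorize(dn, rules) for user, dn in dns.items()}


if __name__ == "__main__":
    for label, rules in (
        ("Answer 1, corrected regex", ANSWER1_RULES),
        ("Answer 1, regex with stray space", [(EMPLOYEES_PATTERN_WITH_SPACE, PERMIT)]),
        ("Answer 2, deny rule alone", ANSWER2_RULES),
        ("Answer 2, deny rule plus Permit all users", ANSWER2_RULES_WITH_PERMIT_ALL),
    ):
        print(f"{label}: {decisions(rules)}")

    # Case-sensitivity check: the OU path differs only in the case of "Org-users".
    mixed_case_dn = "CN=dave,OU=Users,OU=EMPLOYEES,OU=Org-users,DC=ADCORP,DC=LAB"
    print("mixed case, default match:", authorize(mixed_case_dn, ANSWER1_RULES))
    print("mixed case, (?i) prefix:", authorize(mixed_case_dn, [("(?i)" + EMPLOYEES_PATTERN, PERMIT)]))
```

Run it as a plain script; it needs nothing beyond the standard library. Substitute your own DN path and a handful of DNs from each OU (pulled with `Get-ADUser -Properties DistinguishedName`) to confirm the rule admits exactly the OU you intend before you replace the "Permit all users" rule on a production relying party.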
Source: https://stackoverflow.com/questions/15352332/restricting-adfs-2-0-to-use-a-specific-ou-instead-of-domain-level-access