Unsuccessful Issuance Authorization Rule with regex

时光总嘲笑我的痴心妄想 submitted on 2021-01-28 08:38:29

Question


I'm trying to make an Authorization Rule in ADFS 3.0, disabling some users in a specific "OU" from using a "relying party", with no success.

On the Issuance Transform Rules, I've configured the claim "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname" to get the Distinguished Name from AD.

Here is an example: CN=John Doe,OU=XYZ,OU=ABC,DC=CONTOSO,DC=com

This rule should deny access to users in the XPTO OU:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value =~ "^[^,]*,OU=XPTO.*$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

And this rule should permit access for all users outside the XPTO OU:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value !~ "^[^,]*,OU=XPTO.*$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

But instead of granting access to some users and denying others, these rules deny access to all users.

Can you shed some light on this issue?


Answer 1:


Well, the issue has been resolved.

The problem with this approach was the scarce documentation explaining the Issuance Rules workflow of an ADFS Relying Party.

All I had to do was add a first rule in the Issuance Authorization Rules, getting the user's DN:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname"), query = ";DistinguishedName;{0}", param = c.Value);

Afterwards, the rules described above worked like a charm.

A few pointers for all experiencing these Authorization configs:

  • If a permit claim is issued, then the user is always allowed
  • If no permit or deny claims are issued, then the user is denied
  • This approach works when only one Organizational Unit is denied access. For other complex validations, a custom Attribute Store should be used
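A small Python model of how the deny/permit pair behaves, added here as an illustration (it is not code from the question, the answer or AD FS; Python's `re` stands in for the .NET regex engine, which agrees for these patterns). It reproduces the original symptom (no DN claim reaching the authorization rules, so nothing is issued and everyone is denied) and shows two constructed DNs that the question's `^[^,]*,OU=XPTO.*$` pattern lets through because it only inspects the RDN directly after the CN; `ANY_RDN_XPTO` is an assumed broader pattern, not from the page.

```python
import re

# Claim types used by the rules in the question.
DN_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"

# Regex from the question: matches only when OU=XPTO is the RDN right after the CN.
FIRST_RDN_XPTO = re.compile(r"^[^,]*,OU=XPTO.*$")
# Hypothetical broader pattern (assumption): OU=XPTO as a whole RDN anywhere in the DN.
ANY_RDN_XPTO = re.compile(r"(^|,)OU=XPTO(,|$)")

def issue_claims(incoming, regex=FIRST_RDN_XPTO):
    """Apply the deny/permit pair to an incoming claim set ({type: value}) and
    return the (type, value) claims issued. Without a DN claim in the
    authorization pipeline (the questioner's original setup) neither rule fires,
    so nothing is issued."""
    dn = incoming.get(DN_CLAIM)
    if dn is None:
        return []
    if regex.search(dn):
        return [(DENY, "true")]   # the =~ rule fired
    return [(PERMIT, "true")]     # the !~ rule fired (the two are complementary)

def decision(issued):
    """Outcome per the answer's pointers: a permit claim allows the user;
    a deny claim or an empty claim set denies them."""
    types = {t for t, _ in issued}
    if DENY in types:
        return "denied"
    return "allowed" if PERMIT in types else "denied"

def outcome(dn, regex=FIRST_RDN_XPTO):
    """End-to-end result for one DN (None models a missing DN claim)."""
    incoming = {} if dn is None else {DN_CLAIM: dn}
    return decision(issue_claims(incoming, regex))

# Constructed sample DNs modelled on the example in the question.
SAMPLES = [
    "CN=John Doe,OU=XYZ,OU=ABC,DC=CONTOSO,DC=com",            # outside XPTO
    "CN=Jane Roe,OU=XPTO,OU=ABC,DC=CONTOSO,DC=com",           # directly in XPTO
    "CN=Intern,OU=Interns,OU=XPTO,OU=ABC,DC=CONTOSO,DC=com",  # nested below XPTO
    "CN=Doe\\, John,OU=XPTO,OU=ABC,DC=CONTOSO,DC=com",        # escaped comma in CN
]

if __name__ == "__main__":
    print("no DN claim ->", outcome(None))  # the original symptom: denied
    for dn in SAMPLES:
        print(f"{dn}\n  first-RDN regex: {outcome(dn)}"
              f"  any-RDN regex: {outcome(dn, ANY_RDN_XPTO)}")
```

The nested-OU and escaped-comma DNs come out "allowed" under the question's pattern, which is the fail-open case to watch for before relying on a single "first RDN" regex.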


Source: https://stackoverflow.com/questions/58123989/unsuccessfull-issuance-authorization-rule-with-regex
