Question
I'm trying to make an Authorization Rule in ADFS 3.0, disabling some users in a specific "OU" from using a "relying party", with no success.
On the Issuance Transform Rules, I've configured the claim "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname" to get the Distinguished Name from AD.
Here is an example: CN=John Doe,OU=XYZ,OU=ABC,DC=CONTOSO,DC=com
This rule should deny access from users in the XPTO OU
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value =~ "^[^,]*,OU=XPTO.*$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
And this rule should permit access for all users outside the XPTO OU
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value !~ "^[^,]*,OU=XPTO.*$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
But, instead of these rules granting access to some users and denying others, they deny access to all users.
Can you shed some light on this issue?
Answer 1:
Well, the issue has been resolved.
The problem with this approach was the scarce documentation explaining the Issuance Rules workflow of an ADFS Relying Party.
All I had to do was add a first rule in the Issuance Authorization Rules, getting the user's DN.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname"), query = ";DistinguishedName;{0}", param = c.Value);
Afterwards, the rules described above, worked like a charm.
A few pointers to all experiencing these Authorization configs:
- If a permit claim is issued, then the user is always allowed
- If no permit or deny claims are issued, then the user is denied
- This approach works when only one Organizational Unit is denied access. For other complex validations, a custom Attribute Store should be used
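As an added illustration (not part of the answer or of ADFS itself), the following Python model replays the authorization pipeline described above: rule 1 looks the DN up from a constructed stand-in for the Active Directory store, then the deny/permit regex rules run over the claims issued so far. Running the pipeline without the lookup rule reproduces the "everyone denied" symptom, and a nested OU case shows what the regex as written does and does not catch.

```python
import re

# Claim types used by the rules on this page.
DN_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname"
ACCOUNT_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
PERMIT_CLAIM = "http://schemas.microsoft.com/authorization/claims/permit"
DENY_CLAIM = "http://schemas.microsoft.com/authorization/claims/deny"

# Constructed stand-in for the "Active Directory" attribute store query.
FAKE_AD = {
    "CONTOSO\\jdoe": "CN=John Doe,OU=XYZ,OU=ABC,DC=CONTOSO,DC=com",
    "CONTOSO\\asmith": "CN=Alice Smith,OU=XPTO,DC=CONTOSO,DC=com",
    "CONTOSO\\bjones": "CN=Bob Jones,OU=Sales,OU=XPTO,DC=CONTOSO,DC=com",  # nested under XPTO
}

# The regex from the page: first RDN, then an RDN that must be exactly OU=XPTO.
XPTO_PATTERN = re.compile(r"^[^,]*,OU=XPTO.*$")

def lookup_dn_rule(claims):
    """Rule 1 of the answer: turn the windowsaccountname claim into a DN claim."""
    return [(DN_CLAIM, FAKE_AD[v]) for t, v in claims if t == ACCOUNT_CLAIM and v in FAKE_AD]

def deny_xpto_rule(claims):
    """Deny rule: DN claim whose parent OU is XPTO."""
    return [(DENY_CLAIM, "true") for t, v in claims if t == DN_CLAIM and XPTO_PATTERN.match(v)]

def permit_others_rule(claims):
    """Permit rule: DN claim whose parent OU is not XPTO."""
    return [(PERMIT_CLAIM, "true") for t, v in claims
            if t == DN_CLAIM and not XPTO_PATTERN.match(v)]

def authorize(account, rules):
    """Run issuance authorization rules in order; each rule sees claims issued so far.
    Result follows the pointers on the page: a permit claim allows, no permit/deny denies.
    (The two regex rules are complements, so permit and deny never coexist here.)"""
    claims = [(ACCOUNT_CLAIM, account)]
    for rule in rules:
        claims.extend(rule(claims))
    types = {t for t, _ in claims}
    if PERMIT_CLAIM in types and DENY_CLAIM not in types:
        return "permit"
    return "deny"

FULL_PIPELINE = [lookup_dn_rule, deny_xpto_rule, permit_others_rule]
BROKEN_PIPELINE = [deny_xpto_rule, permit_others_rule]  # the original, DN-less setup

if __name__ == "__main__":
    for acct in FAKE_AD:
        print(acct, "fixed:", authorize(acct, FULL_PIPELINE), "original:", authorize(acct, BROKEN_PIPELINE))
```

Note that the nested account (OU=Sales,OU=XPTO) is permitted, because the regex only matches when XPTO is the immediate parent OU; this is exactly why the answer points to a custom attribute store for anything more complex than a single flat OU.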
Source: https://stackoverflow.com/questions/58123989/unsuccessfull-issuance-authorization-rule-with-regex