Restricting ADFS 2.0 to use a specific OU instead

Published 2019-05-13 19:05

Question:

Consider the below Sample Scenario:

  • I have a single Active Directory domain for Production, Test and Development (each separated at OU level).
  • I want to install ADFS at the Test OU level, and I do not want users authenticated by the Test OU ADFS to have access (both read and write) to the other OUs.

Can this be possible? Can we restrict ADFS 2.0 to work only under a particular OU?

Answer 1:

Though restricting ADFS 2.0 to work under a specific OU is not feasible (from the resources I read and IMHO), we can restrict the user access within a specific OU.

This can be accomplished in two steps:

  1. Add a claim rule to extract AD object DN.

    • To extract this claim, from the ADFS admin console go to ADFS 2.0 -> Trust Relationships -> Claims Provider Trusts -> click on Active Directory -> Edit Claim Rules.

    • Under the acceptance transformation rules, add a new rule:

           Claim rule name – DN (can be anything)
           LDAP Attribute – distinguishedName
           Outgoing claim type – http://temp.org/claims/DistinguishedName

    • This will extract the DN of each object in AD.

  2. Add a new authorization rule (in relying party trust of the required application) to allow users from a particular OU to access the application.

    • Go to the ADFS admin console -> Trust Relationships -> Relying Party Trusts -> select the application -> Edit Claim Rules.

    • Under Issuance Authorization Rules (second tab), remove the existing rule “Permit Access to All Users” (if any) and add a new rule using “Send Claims Using a Custom Rule”: Name: XXX (any value)

    Custom rule (the regex is anchored with `$` so only DNs ending in the EMPLOYEES OU path match; a stray space before the opening parenthesis would require a literal space in the DN and match nothing):

    c:[Type == "http://temp.org/claims/DistinguishedName", Value =~ "^.*(OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

    For example: users in OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB would have access

    Users in OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB would have access

    Users in OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB would NOT have access

For more details about adding the DN claim, please refer to this link, and for details about adding the custom rule, refer to the MSDN post.

Answer 2:

Would it be possible to reverse the restrictions? So instead of allowing just one OU at a time, could you allow everyone but one?

So the string could be:

c:[Type == "http://temp.org/claims/DistinguishedName", Value =~ "^.*(OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "PermitUsersWithClaim");

This way everyone but the Employees OU would have access.
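To check what the two rule sets above actually do before deploying them, here is an added example (not code from either answer or from ADFS) that models ADFS issuance-authorization evaluation over constructed sample DNs: a matching deny claim always wins, otherwise at least one permit claim must be issued. It assumes the patterns use no .NET-specific regex syntax, so Python's `re` and the .NET engine ADFS uses agree on these inputs; case handling should still be verified against ADFS itself.

```python
import re

PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

# Suffix-anchored pattern from the answers, without the stray space before "("
# (that variant would require a literal space inside the DN and match nothing).
EMPLOYEES_SUFFIX = r"^.*(OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$"


def evaluate(dn, rules):
    """Model the ADFS issuance-authorization outcome for one DN.

    rules: list of (regex, claim_type). A matching deny rule always denies;
    otherwise access requires at least one matching permit rule, so a
    deny-only rule set (no permit claim issued) denies everyone.
    """
    issued = {ctype for pattern, ctype in rules if re.search(pattern, dn)}
    if DENY in issued:
        return False
    return PERMIT in issued


# Constructed sample DNs; no real directory is involved.
DNS = {
    "employee": "CN=Alice,OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB",
    "admin": "CN=Bob,OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB",
    "contractor": "CN=Carol,OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB",
    # An OU also named EMPLOYEES but nested under CONTRACTORS: only the
    # suffix-anchored pattern keeps this one out.
    "lookalike": "CN=Dan,OU=EMPLOYEES,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB",
}

ANSWER1_RULES = [(EMPLOYEES_SUFFIX, PERMIT)]
# Answer 2's inversion: the deny rule alone issues no permit claim, so a
# "permit everyone" rule must sit beside it for the other OUs to get access.
ANSWER2_RULES = [(EMPLOYEES_SUFFIX, DENY), (r"^.*$", PERMIT)]
DENY_ONLY_RULES = [(EMPLOYEES_SUFFIX, DENY)]
# Unanchored pattern: matches the EMPLOYEES name anywhere in the DN.
UNANCHORED_RULES = [(r"OU=EMPLOYEES", PERMIT)]


def outcomes(rules):
    """Return {sample name: permitted?} for every constructed DN."""
    return {name: evaluate(dn, rules) for name, dn in DNS.items()}
```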