Consider the below sample scenario:
- I have a single Active Directory domain for production, test and development (each separated at the OU level).
- I want to install ADFS at the test OU level, and I do not want users authenticated by the test OU ADFS to have access (both read and write) to other OUs.
Is this possible? Can we restrict ADFS 2.0 to work only under a particular OU?
Though restricting ADFS 2.0 to work under a specific OU is not feasible (from the resources I read and IMHO), we can restrict the user access within a specific OU.
This can be accomplished in two steps:
1. Add a claim rule to extract the AD object DN.
• To extract this claim, from the ADFS admin console go to ADFS 2.0 -> Trust Relationships -> Claims Provider Trusts -> click on Active Directory -> Edit Claim Rules.
• Under Acceptance Transform Rules, add a new rule with:
Claim rule name – DN (can be anything)
LDAP Attribute – distinguishedName
Outgoing claim type – http://temp.org/claims/DistinguishedName
• This will extract the DN of each object in AD.
2. Add a new issuance authorization rule (in the relying party trust of the required application) to allow only users from a particular OU to access the application.
• Go to the ADFS admin console -> Trust Relationships -> Relying Party Trusts -> select the application -> Edit Claim Rules.
• Under Issuance Authorization Rules (second tab), remove the existing “Allow all users” rule (if any) and add a new rule using the template Send Claims Using a Custom Rule:
Name: XXX (any value)
Custom rule:
c:[Type == "http://temp.org/claims/DistinguishedName", Value =~ "^.*,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
For example:
Users in OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB would have access
Users in OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB would have access
Users in OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB would NOT have access
For more details about extracting the DN, please refer to this link, and for details about adding the custom rule, refer to the MSDN post.
Would it be possible to reverse the restrictions? So instead of allowing just 1 OU at a time could you allow everyone but one?
So the rule could be:
c:[Type == "http://temp.org/claims/DistinguishedName", Value =~ "^.*,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
This way everyone but the Employees OU would have access.
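Added example, not part of the question, the answer or the follow-up comment: a small Python model of how ADFS evaluates issuance authorization rules against the distinguishedName claim, covering both the "employees only" permit rule from the answer and the "everyone but one OU" inversion asked about in the comment. It assumes the ADFS semantics that access is granted only when at least one permit claim is issued and no deny claim is issued, so a deny rule on its own lets nobody in and the inversion needs a permit-all rule alongside the deny. The sample DNs are constructed to mirror the page's examples, and the `=~` condition is modelled as a case-sensitive regex match, which is how the .NET regex engine behind ADFS behaves unless the pattern starts with `(?i)`.

```python
import re

# Claim types exactly as used in the rules on this page.
DN_CLAIM = "http://temp.org/claims/DistinguishedName"
PERMIT_CLAIM = "http://schemas.microsoft.com/authorization/claims/permit"
DENY_CLAIM = "http://schemas.microsoft.com/authorization/claims/deny"

# The OU suffix from the page's rule, anchored on the comma that precedes it so
# that only objects *inside* the OU (not the OU object itself) can match.
EMPLOYEES_RE = r"^.*,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB$"

# Each rule is (regex applied to the DN claim, or None for an unconditional
# rule such as "Permit all users"; authorization claim type to issue).
PERMIT_EMPLOYEES_ONLY = [(EMPLOYEES_RE, PERMIT_CLAIM)]
PERMIT_EMPLOYEES_CI = [("(?i)" + EMPLOYEES_RE, PERMIT_CLAIM)]   # case-insensitive variant
DENY_RULE_ALONE = [(EMPLOYEES_RE, DENY_CLAIM)]                   # the inversion as written in the comment
EVERYONE_BUT_EMPLOYEES = [(None, PERMIT_CLAIM), (EMPLOYEES_RE, DENY_CLAIM)]


def run_rules(dn, rules):
    """Return the set of authorization claim types issued for a user whose
    distinguishedName claim value is `dn`. The condition is a case-sensitive
    regex match, matching ADFS's =~ operator (assumption stated in the lead-in)."""
    issued = set()
    for pattern, claim_type in rules:
        if pattern is None or re.match(pattern, dn):
            issued.add(claim_type)
    return issued


def is_authorized(dn, rules):
    """Issuance authorization outcome: a permit claim is required, and any
    deny claim refuses access regardless of how many permits were issued."""
    issued = run_rules(dn, rules)
    return PERMIT_CLAIM in issued and DENY_CLAIM not in issued


# Constructed sample DNs modelled on the page's examples (not real accounts).
SAMPLE_DNS = {
    "employee":   "CN=Alice,OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB",
    "admin":      "CN=Bob,OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB",
    "contractor": "CN=Carol,OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB",
    # Same OU as "employee" but with the container name in a different case.
    "lowercase":  "CN=Eve,OU=Users,OU=Employees,OU=Org-Users,DC=ADCORP,DC=LAB",
}


def decisions(rules):
    """Evaluate every sample DN under one rule set; returns {label: allowed}."""
    return {label: is_authorized(dn, rules) for label, dn in SAMPLE_DNS.items()}


if __name__ == "__main__":
    for name, rules in [("permit employees only", PERMIT_EMPLOYEES_ONLY),
                        ("permit employees only, (?i)", PERMIT_EMPLOYEES_CI),
                        ("deny rule alone", DENY_RULE_ALONE),
                        ("permit all + deny employees", EVERYONE_BUT_EMPLOYEES)]:
        print(name)
        for label, ok in decisions(rules).items():
            print(f"  {label:<11} {'ALLOW' if ok else 'DENY'}")
```

Two things the output makes visible that the rules alone do not: the deny rule by itself grants nobody access, and a case mismatch between the regex and the DN AD actually returns fails open in the inverted configuration (the deny never fires, so the permit-all rule wins), while it fails closed in the permit-only configuration. Check the exact casing of the OU names in the directory before relying on the pattern, or prefix it with `(?i)`.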