ADFS 3.0 Authorization Claims

  • Question

  • Hi,

    I am looking for a custom solution/workaround wherein, if I have restricted a particular RP to certain AD security groups, then for the rest of the groups ADFS will send no claims and hence the user will fail to authenticate on the application for any SP-initiated login. My ask is: can we give the custom error message that we get during IdP-initiated login, the ADFS authorization error?

     Something like 

    Set-AdfsRelyingPartyWebContent -Name "sharepoint" -ErrorPageAuthorizationErrorMessage "< 

    Set-AdfsGlobalWebContent -ErrorPageAuthorizationErrorMessage 



    -Arvind Sindhu Enterprise Arch (Microsoft Technologies) Sapient.

    Wednesday, November 25, 2015 2:58 AM

Answers

  • This is already in place, but my ask was, since a user is part of that security group that is denied access, can we force redirection to flash a message saying you are not authorized. Post my research and call with MS support, this is something that needs to be done at the Service Provider end, wherein they just need to decode the SAML response and, based on that, display an error message. In this case we are getting the below as the SAML response:

    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" /> 

    So some customization needs to be done at SP end to interpret SAML response especially StatusCode. 

    The SAML responder, i.e. ADFS, has to respond back to a SAML requester, which is the SP/RP/application. This is specified in the SAML 2.0 specifications:

    Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0

    http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

    3.4.2 Overview

    The HTTP Redirect binding is intended for cases in which the SAML requester and responder need to communicate using an HTTP user agent (as defined in HTTP 1.1 [RFC2616]) as an intermediary. This may be necessary, for example, if the communicating parties do not share a direct path of communication. It may also be needed if the responder requires an interaction with the user agent in order to fulfill the request, such as when the user agent must authenticate to it.

    3.4.6 Error Reporting

    A SAML responder that refuses to perform a message exchange with the SAML requester SHOULD return a SAML response message with a second-level <samlp:StatusCode> value of urn:oasis:names:tc:SAML:2.0:status:RequestDenied.

    HTTP interactions during the message exchange MUST NOT use HTTP error status codes to indicate failures in SAML processing, since the user agent is not a full party to the SAML protocol exchange.

    Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0

    http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

    3.2.2.1 Element <Status>

    The <Status> element contains the following elements:

    <StatusCode> [Required]

    A code representing the status of the activity carried out in response to the corresponding request.

    3.2.2.2 Element <StatusCode>

    The <StatusCode> element specifies a code or a set of nested codes representing the status of the corresponding request. The <StatusCode> element has the following element and attribute:

    urn:oasis:names:tc:SAML:2.0:status:RequestDenied

    The SAML responder or SAML authority is able to process the request but has chosen not to respond. This status code MAY be used when there is concern about the security context of the request message or the sequence of request messages received from a particular requester.

    The application should be able to understand/interpret the SAML Response and convey a message accordingly to the user on the web page.


    -Arvind Sindhu Enterprise Arch (Microsoft Technologies) Sapient.

    Thursday, November 26, 2015 2:53 AM
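    The SP-side handling the answer above calls for, as an added example that is not part of the thread or of any ADFS or SP product: it base64-decodes a constructed SAMLResponse form value (HTTP-POST binding), walks the nested <samlp:StatusCode> chain and maps RequestDenied to a "not authorized" page message. The IDs, timestamp and message texts are made up; signature validation is assumed to happen before any assertion is trusted.

```python
import base64
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed sample of what ADFS returns when an issuance authorization rule
# denies the user: top-level Responder, second-level RequestDenied, and no
# <Assertion>. ID and IssueInstant are made up.
DENIED_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_example-denied"
    Version="2.0" IssueInstant="2015-11-25T02:58:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="{RESPONDER}">
      <samlp:StatusCode Value="{REQUEST_DENIED}" />
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def encode_form_value(xml_text: str) -> str:
    """Base64-encode the XML the way the HTTP-POST binding's SAMLResponse field carries it."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def status_codes(saml_response_b64: str) -> list:
    """Return the chain of <samlp:StatusCode> Value attributes, outermost first."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("SAML Response has no <samlp:Status> element")
    codes = []
    node = status.find(f"{{{SAMLP}}}StatusCode")
    while node is not None:  # first-level code, then any nested second-level code
        codes.append(node.get("Value", ""))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    return codes


def user_message(saml_response_b64: str) -> str:
    """Decide what the SP page shows; 'ok' means continue to signature and assertion validation."""
    codes = status_codes(saml_response_b64)
    if codes[:1] == [SUCCESS]:
        return "ok"
    if REQUEST_DENIED in codes:
        return "You are not authorized to access this application."
    return "Sign-in failed; contact your administrator."
```

    Calling user_message(encode_form_value(DENIED_RESPONSE_XML)) yields the "not authorized" text; the SP should render that instead of a generic login failure.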

All replies

  • You can create an authorization rule on the relying party trust that denies access if a user is a member of a specific group in AD. Here is a quick example:

    First make sure you are passing the Group SID claim from AD to the claim pipeline:

    Then, on the relying party trust, edit the claims rule as per this example:

    This should do the trick. Let us know how it goes!


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, November 25, 2015 11:13 PM