Best use of AD and groups for SSO with multiple applications

  • Question

  • Please excuse me if I am posting in the wrong group. I am very much new to AD and struggling with a new implementation of SSO. Below is a quick idea of the implementation.

    - I have multiple applications to set up for SSO using Windows ADFS, with AD as the user directory. Not all users will be given access to all the applications. Access to the respective applications will be given based on the role. I have everybody listed under Domain tree -> Users. How do I control authentication and authorization in AD for each user's SSO onto the applications? Let me put this in simple words.

    Users David, John and Shawn are all listed under the Users tree in AD. David has access to Applications A and B, not C; John has access to B and C, not A; and Shawn has access to all apps A, B and C. With all the users under the same directory, how would I really control the authentication and authorization of the above users to the apps? Does my question make sense in the first place?

    Do I have to create dedicated groups for each application, such that when David accesses A or B he will be granted access because he is part of directories A and B, and when he tries to access C he will not be able to because he is not in Group C?

    Please help me out. 

    Thanks in advance

    Tuesday, September 19, 2017 8:26 AM

Answers

  • ADFS primarily handles authentication.

    If you are in the AD domain, you can authenticate.

    You need to tie the applications to security groups in AD.

    Then you can use access rules in ADFS to state that users can only access application A if they are members of group A.

    The other way is to pass group membership via roles claims (i.e. claims rules) and then the application determines access via IsInRole(Group A).

    Tuesday, September 19, 2017 6:55 PM

All replies

  • As nzpcmad1 says above, I would create 3 security groups for this example: 'Application A', 'Application B' and 'Application C'. Then, depending on the version of ADFS you're using (ADFS 2/3 vs ADFS 4), I would either use Issuance Authorization Rules (ADFS 2.x and 3.x) or Access Control Policies (ADFS 4.x) to permit access to the relying party for only the specified security group.

    Regards,

    Enrico

    Wednesday, September 20, 2017 6:43 AM
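A worked version of both suggestions in this thread (nzpcmad1's issuance authorization rules and role claims, Enrico's access control policies), added here as an example; it is not code from either reply. It assumes a domain with NetBIOS name CONTOSO, groups created under OU=SSO Groups, accounts named david, john and shawn, relying party trusts already registered in ADFS under the names "Application A", "Application B" and "Application C", and the built-in ADFS 2016 access control policy template named "Permit specific group" with its GroupParameter parameter. All of those names are assumptions.

```powershell
# Added example, not from the original thread. Run on a domain-joined ADFS server
# with the ActiveDirectory and ADFS modules; all names below are assumptions.
Import-Module ActiveDirectory
Import-Module ADFS

$ou     = 'OU=SSO Groups,DC=contoso,DC=com'   # assumed OU for the app groups
$domain = 'CONTOSO'                           # assumed NetBIOS domain name
$apps   = 'A', 'B', 'C'

# Who may reach what, as stated in the question: David -> A,B; John -> B,C; Shawn -> A,B,C
$access = @{
    A = 'david', 'shawn'
    B = 'david', 'john', 'shawn'
    C = 'john', 'shawn'
}

# 1. One security group per application; collect each group's SID.
$groupSid = @{}
foreach ($app in $apps) {
    $name = "Application $app"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $ou)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $ou
    }
    Add-ADGroupMember -Identity $name -Members $access[$app]
    # Key the rules on the SID, not the display name: renaming a group must not
    # silently change who is let in.
    $groupSid[$app] = (Get-ADGroup -Identity $name).SID.Value
}

$groupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$roleType     = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$permitType   = 'http://schemas.microsoft.com/authorization/claims/permit'

# 2. Per relying party: restrict who gets a token, and tell the app which role the user has.
foreach ($app in $apps) {
    $rp  = "Application $app"
    $sid = $groupSid[$app]

    # Issuance Authorization Rule (ADFS 2.x/3.x). ADFS denies by default: a user for
    # whom no permit claim is issued gets an access denied error at the STS.
    $authzRule = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit members of $rp"
c:[Type == "$groupSidType", Value =~ "^(?i)$sid`$"]
 => issue(Type = "$permitType", Value = "PermitUsersWithClaim");
"@

    # Issuance Transform Rule: turn the group SID claim from AD into a role claim so the
    # application can authorize with IsInRole("ApplicationA") etc.
    $roleName = $rp -replace ' ', ''
    $roleRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Role for $rp"
c:[Type == "$groupSidType", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$roleType", Value = "$roleName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

    # CurrentFarmBehavior exists only on ADFS 2016+ (farm behavior level 3 or higher);
    # on 2012 R2 the property is $null and the comparison is false.
    if ((Get-AdfsProperties).CurrentFarmBehavior -ge 3) {
        # ADFS 4.x: Access Control Policy from the built-in template (assumed name).
        Set-AdfsRelyingPartyTrust -TargetName $rp `
            -AccessControlPolicyName 'Permit specific group' `
            -AccessControlPolicyParameters @{ GroupParameter = "$domain\$rp" }
    } else {
        Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $authzRule
    }
    Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceTransformRules $roleRule
}
```

With this in place David authenticates against AD as before, but ADFS only issues him a token for Application A and B; for Application C no permit claim matches and he is stopped at the STS. The role claim is the second, defense-in-depth layer: the value the rule emits ("ApplicationA") has to be exactly the string the application checks in IsInRole, and the group SID, not the name, is what the claim rules match on.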