adfs/portal/updatepassword endpoint access for a security group.

  • Question

  • Implemented ADFS 4 (Windows 2016) for testing & that is working fine. Also enabled the "adfs/portal/updatepassword" endpoint & that is working as expected.

    Need to restrict that link to an AD security group & only that group should be able to access that URL. Could anyone suggest how to achieve that?


    AliahMurfy

    Sunday, July 8, 2018 6:51 AM

Answers

  • You could create a dummy RP, publish the URL with a WAP with ADFS pre-auth. This will make it possible to force a user to authenticate before being able to reach the page. But in that case, the authorization rules won't be honored. Hence, no filter on a group. And the whole thing doesn't make sense then because the point of this page is to be able to change (not RESET, it is not a self reset service) when the user cannot log in because their password has expired. So forcing pre-authentication on the page entirely defeats the purpose :(

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Aliah Murfy Monday, July 9, 2018 7:01 PM
    • Unmarked as answer by Aliah Murfy Monday, July 9, 2018 7:02 PM
    • Marked as answer by Aliah Murfy Tuesday, July 10, 2018 5:45 PM
    Monday, July 9, 2018 4:39 PM
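    Added example, not from the thread: the AD FS PowerShell cmdlets that show whether the update-password endpoint is enabled and whether it is published through the proxy, which is what decides whether the page is reachable from outside (there is no per-group setting on the endpoint). It assumes the ADFS module on an AD FS server and the trailing-slash address path the cmdlets use.

    ```powershell
    # Added example (not from the thread): inspect the update-password endpoint and,
    # optionally, enable it and expose it through the Web Application Proxy.
    # Run in an elevated PowerShell session on an AD FS server; requires the ADFS module.
    # Assumes the trailing-slash address path used by the AD FS endpoint cmdlets.
    Import-Module ADFS

    $path = "/adfs/portal/updatepassword/"

    function Get-UpdatePasswordEndpointState {
        # Returns the endpoint object so the Enabled and Proxy flags can be checked.
        Get-AdfsEndpoint -AddressPath $path
    }

    function Enable-UpdatePasswordEndpoint {
        param([switch]$ExposeOnProxy)
        Enable-AdfsEndpoint -TargetAddressPath $path
        if ($ExposeOnProxy) {
            # Proxy = $true makes the page reachable through WAP for external users;
            # leave it $false if only intranet users should reach the page.
            Set-AdfsEndpoint -TargetAddressPath $path -Proxy $true
        }
        # Endpoint changes take effect after the AD FS service restarts.
        Restart-Service adfssrv
    }

    # Report the current state before changing anything.
    $ep = Get-UpdatePasswordEndpointState
    "{0}: Enabled={1} Proxy={2}" -f $ep.AddressPath, $ep.Enabled, $ep.Proxy
    ```

    Review the Proxy flag periodically: it is the only switch controlling external exposure of this page.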

All replies

  • We can't. What is the scenario here? The idea of this page is to let the user change their password when it has expired. Otherwise the user couldn't get through and consequently couldn't access any application federated with ADFS.



    • Proposed as answer by Eric Anto Monday, July 9, 2018 6:34 AM
    Sunday, July 8, 2018 8:35 PM
  • Can't we create a dummy RP for that password portal and assign the same permissions I mentioned?

    AliahMurfy

    Monday, July 9, 2018 10:26 AM
  • Last question on this thread.

    Can I change the port of that portal ?


    AliahMurfy

    Monday, July 9, 2018 7:03 PM
  • You could publish it on an alternate port, but that would also break the redirection (users are redirected to this page automatically when conditions are met). So it would take a proxy in the middle to do the translation etc. I wouldn't even try.


    Monday, July 9, 2018 9:35 PM