Permit ADFS Authentication only to particular group when access through WAP Server

  • Question

  • Hello All,

    We have configured an ADFS 3.0 farm on Windows 2012 R2 and an ADFS Web Proxy on Windows 2012 R2 for identity federation. ADFS is configured to use an alternative login ID, the email address.

    We have tested authentication using the test URL "https://fqdn.domain.com/adfs/ls/IdpInitiatedSignon.aspx" and we can successfully log into the portal using the email address. We have tested the email address login both internally (directly to the ADFS server) and externally (through the proxy server).

    Now we want to limit external authentication to ADFS (i.e. through the proxy) to the users in one group.

    Our requirement is to allow only a particular group of users to authenticate when the request is coming from the proxy server or externally. All users are permitted when the access is internal or directly through ADFS.

    How can we configure this, and how can we test it with the test URL, as we don't have any relying party configured?

    If there is any document for configuring this, please share it, or please assist me to configure and test the same.

    Thanks in advance.
    Tuesday, January 2, 2018 7:05 PM

Answers

  • Hello All,

    This can be achieved by creating:

    1. A claim rule for the Proxy claim which passes through all claim values

    2. Claim rules for the Relying Party Trust Relationships

    Create a Claims Provider Trust rule for Active Directory in ADFS Trust Relationships

    - Navigate to ADFS Management > Trust Relationships > Claims Provider Trusts
    - Select Active Directory and right click for Edit Claim Rules
    - Add Rule
    - Claim rule template = "Pass Through or Filter an Incoming Claim" and Next
    - Claim rule name = xxxxxxxxxxx
    - Incoming claim type: select "Proxy", Pass through all claim values and Finish

    Claim rules for the Relying Party Trust Relationships

    - Navigate to ADFS Management > Trust Relationships > Relying Party Trusts
    - Select the appropriate Relying Party Trust > right click and Edit Claim Rules
    - Select Issuance Authorization Rules
    - Add Rule
    - Claim rule template = "Send Claims Using a Custom Rule" and Next
    - Claim rule name = xxxxxxxxx
    - Paste the below custom rule for allowing authentication to ADFS through external access (using WAP) only for a particular group

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
    NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-3727275606-2887824355-1048903388-1120"])
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    - Apply and OK

    - Move the rule to order 1

    Note: Here the groupsid is the SID of the group which needs to be allowed to authenticate through the external network. The group SID needs to be pulled out of Active Directory; for that the command is "Get-ADGroup -Identity "GroupName" | select SID"

    • Marked as answer by Sreekumarpg Sunday, January 7, 2018 9:16 PM
    Wednesday, January 3, 2018 10:09 PM
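The same two rule changes from the answer above, scripted with the ADFS and ActiveDirectory PowerShell modules. This is an added example, not code from the thread; the group name and relying party name are placeholders, and the group SID is resolved at run time rather than hard-coded.

```powershell
# Added example (not from the original thread): applies the two claim rules
# described in the answer via PowerShell instead of the ADFS Management GUI.
# Assumptions (placeholders, not values from the thread):
#   $GroupName - the AD group allowed to authenticate from outside via WAP
#   $RpName    - display name of the relying party trust to protect
Import-Module ActiveDirectory
Import-Module ADFS

$GroupName = 'External-ADFS-Users'    # placeholder
$RpName    = 'Example Relying Party'  # placeholder

# 1. Pull the group SID from AD (same as the Get-ADGroup command in the answer).
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# 2. Claims provider trust: pass the x-ms-proxy request-context claim through
#    so the relying party's authorization rules can see it.
$proxyPassThrough = @'
@RuleName = "Pass through proxy claim"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]
 => issue(claim = c);
'@
$adCpt = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
if ($adCpt.AcceptanceTransformRules -notmatch 'x-ms-proxy') {
    Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
        -AcceptanceTransformRules ($adCpt.AcceptanceTransformRules + "`r`n" + $proxyPassThrough)
}

# 3. Relying party trust: deny any request that arrived via the proxy unless
#    the user carries the group SID. Prepended so it is evaluated first
#    (the "move the rule to order 1" step in the answer).
$denyRule = @"
@RuleName = "Deny external users outside $GroupName"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "$groupSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -IssuanceAuthorizationRules ($denyRule + "`r`n" + $rp.IssuanceAuthorizationRules)

# Show the resulting rule set for review.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceAuthorizationRules
```

Issuance authorization rules are evaluated per relying party trust, so this deny only takes effect when a token is requested for that relying party; it does not change what the IdpInitiatedSignon page accepts on its own.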

All replies

  • I followed this exactly but authentication for all domain accounts still works on the https://<site>/adfs/ls/IdpInitiatedSignon.aspx page. Does this need to be done somewhere else to affect that page? I'd like to restrict this down to just a small group of people whose passwords I know are good as we have many weak passwords in our domain and this page can be used to test password guesses.
    Tuesday, January 23, 2018 9:50 PM