Create a claim authorization rule to deny based on UPN for specific domain

  • Question

  • I am running ADFS 2.0

    I have several domains that access ADFS relying parties. Example: I need a way to deny access to some relying parties if users from the contoso.com domain try to login. All users from fabrikam.com should be granted access to login. Currently both domains can login.

    This is the custom rule I created. However, it doesn't actually block contoso.com users.

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@contoso\.com$"]
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    I have tested the regex; I think it is correct. Does anyone have a working claims rule that will deny users from a domain?

    Monday, August 1, 2016 9:16 PM

Answers

  • I found a solution/workaround. My original intent was to deny access to the ADFS application if a user has a contoso.com AD account. Users from fabrikam.com should be allowed access. A 2-way domain trust exists between domains.

    In the past I have successfully blocked access to an ADFS application using the SID of an AD group. I realized that the SID for the "Domain Users" group at contoso.com will not match the SID of the "Domain Users" group at fabrikam.com.

    I am assuming of course that all contoso.com users are members of the "Domain Users" group.

    Here is the Issuance Authorization Rule that blocks by group SID:

    exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "SID-OF-CONTOSO.COM-Domain_Users_Group"])
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    • Marked as answer by Ryaed Friday, September 16, 2016 2:46 PM
    Friday, September 16, 2016 2:45 PM
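
The accepted answer's group-SID deny, written out as a complete issuance authorization rule set and applied with the ADFS 2.0 PowerShell snap-in; this is an added example, not code from the thread. The relying party display name "Claims Test App" and the domain name contoso.com are assumptions, and the SID is resolved from AD instead of being typed by hand.

```powershell
# Added example (not from the thread): apply the group-SID deny rule to an ADFS 2.0
# relying party trust. The relying party display name and the blocked domain are assumed.
Import-Module ActiveDirectory                                          # Get-ADGroup
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 cmdlets

$rpName        = "Claims Test App"   # assumed relying party trust display name
$blockedDomain = "contoso.com"       # domain whose users must be denied

# Resolve the SID rather than pasting it. "Domain Users" is RID 513 in every domain,
# so the full SID is unique to contoso.com and cannot match fabrikam.com's group.
$group = Get-ADGroup -Identity "Domain Users" -Server $blockedDomain
$sid   = $group.SID.Value
if ($sid -notmatch '-513$') { throw "Unexpected SID for Domain Users: $sid" }

# Issuance authorization rule set. An issued deny claim wins over any permit claim,
# so the deny rule goes first and a permit rule is still required for everyone else;
# a rule set with only a deny rule lets nobody sign in.
$rules = @"
@RuleName = "Deny $blockedDomain users by Domain Users group SID"
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit all other users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Replace the relying party's issuance authorization rules (not its transform rules).
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Read back what ADFS stored so the change can be reviewed before users are affected.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Authorization rules are evaluated against the claims coming out of the claims provider trust's acceptance rules, before the relying party's issuance transform rules run, which is why a UPN that is only produced by a transform rule on the relying party is invisible to a deny rule there. The group SID claim does reach that stage as long as the Active Directory claims provider trust keeps its default acceptance rule that passes through Group SID claims.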

All replies

  • You could try something like this:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ getemailsuffixregex("contoso.com")]
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

    Make sure you add this rule in the Issuance Authorization Rules tab of your relying party trust.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, August 4, 2016 12:49 PM
  • Well, getemailsuffixregex might be available only in ADFS on Windows Server 2012 R2. But anyhow, why still use ADFS 2 :) Your original rule might do the trick, as long as: (1) the user has a UPN, and (2) you add it in the Issuance Authorization Rules of your relying party trust. (1) should be right unless you have some sort of transform rules that changed it before.

    Thursday, August 4, 2016 12:54 PM
  • I tried getemailsuffixregex as you suggested but it didn't work. I am not sure if this is unsupported in ADFS 2, and I am not in a position to upgrade at the moment, unfortunately.

    To continue troubleshooting I built a claims aware test website using this blog:  https://blogs.msdn.microsoft.com/alextch/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts/

    This test site displays the exact Claim Type and Claim Value of a successful login (see the end of the blog for a screenshot of the website). I built a new rule using exactly what was displayed on the test Claims website. Instead of using a RegEx for the claim value, I created a rule that would block a specified user's UPN. It still didn't work. It seems that any rule I create using UPN is ignored.

    Example of the rule that did NOT work:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value == "user@contoso.com"]
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    Friday, September 16, 2016 2:31 PM