ADFS 3.0 issuance authorization rules to allow only users who authenticated using a X.509 certificate with a specific "Certificate Policy" OID

  • Question

  • Hi everybody, I am trying to create an Issuance Authorization Rule to allow access to an RP application only to users who can authenticate using an X.509 certificate with a specific Certificate Policy OID. I created the following Issuance Authorization Rule:

    c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy", Value =~ "^(?i)http://schemas\.microsoft\.com/2012/12/certificatecontext/extension/certificatepolicy/1\.3\.6\.1\.4\.1\.55555\.2\.2\.2\.4$"]
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

    but the user is getting the following error:

    The Federation Service could not authorize token issuance for caller 'dominio\user'. The caller is not authorized to request a token for the relying party 'https://app.dominio.com/dash/'. See event 501 with the same Instance ID for caller identity. 

    Additional Data 
    Instance ID: 4b8f6488-11cd-4c51-92a2-2ec5453457ef 
    Relying party: https://app.dominio.com/dash/ 
    Exception details: 
    Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity Mark for relying party trust https://app.dominio.com/dash/.
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet) 
    User Action 
    Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.

    Any idea? Thanks


    Thursday, August 25, 2016 8:55 PM

Answers

  • The problem was that the CP value was not entering the claims pipeline. So, I enabled it in the claims provider trust, and it worked. 

    Thanks to all for your help. I need it to make decisions at the application level based on the Certificate Policy.


    Friday, August 26, 2016 3:29 PM
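    The accepted answer describes two separate pieces: the Certificate Policy claim has to be let into the pipeline at the claims provider trust first, and only then can an issuance authorization rule on the relying party match it. The following PowerShell is an added example, not code from the thread or from Microsoft, that wires up both on an AD FS 3.0 server with the AD FS module. The claim types and the OID 1.3.6.1.4.1.55555.2.2.2.4 come from the thread; the relying party display name "Dashboard" is an assumption. Note that the claim value is compared as the bare OID, which is the form the replies use and the form the event viewer output in the thread shows for EKU values; a regex that expects the schema URL inside the value, as in the question, will never match.

```powershell
# Added example (not from the thread): enable the Certificate Policy claim at the
# "Active Directory" claims provider trust, then restrict token issuance on the RP to
# callers whose client certificate carries a specific policy OID.
Import-Module ADFS

$cpType = "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy"
$permit = "http://schemas.microsoft.com/authorization/claims/permit"
$cpOid  = "1.3.6.1.4.1.55555.2.2.2.4"   # OID from the thread; replace with your own CP OID
$rpName = "Dashboard"                   # ASSUMPTION: display name of the RP trust for https://app.dominio.com/dash/

# 1. Let the Certificate Policy claim enter the pipeline.
#    Without an acceptance transform rule on the AD claims provider trust the CP claim is
#    never issued, so no authorization rule downstream can see it (the root cause above).
$adTrust = Get-AdfsClaimsProviderTrust -Name "Active Directory"
$passThroughCp = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through certificate policy OIDs"
c:[Type == "$cpType"]
 => issue(claim = c);
"@

# Append rather than replace, so existing acceptance rules (e.g. the EKU pass-through
# the asker already saw in event 501) survive.
if ($adTrust.AcceptanceTransformRules -notmatch [regex]::Escape($cpType)) {
    Set-AdfsClaimsProviderTrust -TargetName "Active Directory" `
        -AcceptanceTransformRules ($adTrust.AcceptanceTransformRules + "`r`n" + $passThroughCp)
}

# 2. Authorize only callers that present that policy OID. The value is the bare OID.
#    A caller without this claim gets no permit claim and is denied, which is exactly
#    the MSIS5007 / event 501 outcome quoted in the question.
$authzRules = @"
@RuleName = "Permit users whose client certificate has CP $cpOid"
c:[Type == "$cpType", Value == "$cpOid"]
 => issue(Type = "$permit", Value = "PermitUsersWithClaim");
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# 3. Read back what was stored so the change can be reviewed.
(Get-AdfsClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

    After applying this, a test sign-in that still fails can be checked the same way the thread did: event 501 with the matching Instance ID lists the claims the caller actually presented, so if the certificatepolicy type is absent there, the acceptance rule in step 1 is not in effect; if it is present but the value differs from the OID in step 2, the authorization rule is comparing against the wrong string.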

All replies

  • c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy", Value =~ "^(?i)1\.3\.6\.1\.4\.1\.55555\.2\.2\.2\.4$"]
      => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim"); 
    Would that work?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, August 25, 2016 9:21 PM
  • Thank you, no it doesn't.

    In the event viewer I don't see any claim related to the Certificate Policy. I see the Enhanced Key Usage, but not the CP. This is what I see in the event viewer:

    http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku 
    1.3.6.1.4.1.311.20.2.2 
    http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku 
    1.3.6.1.5.5.7.3.4 
    http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku 
    1.3.6.1.5.5.7.3.2 
    http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku 

    I tried with EKU and it worked fine, but not with the CP. 



    Thursday, August 25, 2016 9:30 PM
  • Works for me with the Application Policy; is that what you mean? http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy What does the cert look like? Can you c/p the actual extension?


    Thursday, August 25, 2016 9:48 PM
  • This is the extension

    http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy

    Thursday, August 25, 2016 10:00 PM
  • I mean, you can see it in the cert itself? And in the pipeline?

    What about

    c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy", Value == "1.3.6.1.4.1.55555.2.2.2.4"]
      => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");



    Thursday, August 25, 2016 10:12 PM
  • Thanks for your feedback Harvey.

    http://blog.auth360.net

    Monday, August 29, 2016 7:57 PM