ADFS 3.0 issuance authorization rules to allow only users who authenticated using an X.509 certificate with a specific "Certificate Policy" OID

Question
-
Hi everybody, I am trying to create an Issuance Authorization Rule to allow access to an RP application only to users who can authenticate using an X.509 certificate with a specific Certificate Policy OID. I created the following Issuance Authorization Rule:
c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy", Value =~ "^(?i)http://schemas\.microsoft\.com/2012/12/certificatecontext/extension/certificatepolicy/1\.3\.6\.1\.4\.1\.55555\.2\.2\.2\.4$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
but the user is getting the following error:
The Federation Service could not authorize token issuance for caller 'dominio\user'. The caller is not authorized to request a token for the relying party 'https://app.dominio.com/dash/'. See event 501 with the same Instance ID for caller identity.
Additional Data
Instance ID: 4b8f6488-11cd-4c51-92a2-2ec5453457ef
Relying party: https://app.dominio.com/dash/
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity Mark for relying party trust https://app.dominio.com/dash/.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
User Action
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
Any idea? Thanks
- Edited by Harvey Villalobos Thursday, August 25, 2016 8:55 PM
Thursday, August 25, 2016 8:55 PM
Answers
-
The problem was that the CP value was not entering the claims pipeline. So I enabled it in the claims provider trust, and it worked.
Thanks to all for your help. I need it to make decisions at the application level based on the Certificate Policy.
- Marked as answer by Harvey Villalobos Friday, August 26, 2016 3:30 PM
- Edited by Harvey Villalobos Friday, August 26, 2016 3:38 PM
Friday, August 26, 2016 3:29 PM
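A worked model of the point this thread ends on, added here as an example and not code from the thread or from AD FS: it parses a constructed certificatePolicies extension value (the place a Certificate Policy OID lives in the certificate itself), emits one certificatepolicy claim per policy OID with the bare OID as its Value, which is what the pipeline carries once the claim type is passed through in the claims provider trust, and evaluates both Value patterns proposed in the thread against those claims. The function names, the sample DER bytes and the CPS URL are all constructed for this example.

```python
import re
CP_CLAIM = "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy"
# Constructed sample (not from a real cert): DER value of certificatePolicies (2.5.29.32) with two entries.
SAMPLE_CERT_POLICIES = bytes.fromhex(
    "30 39"                                       # SEQUENCE OF PolicyInformation (57 bytes)
    "30 2F"                                       #  PolicyInformation (47 bytes)
    "06 0C 2B 06 01 04 01 83 B2 03 02 02 02 04"   #   policyIdentifier 1.3.6.1.4.1.55555.2.2.2.4
    "30 1F 30 1D 06 08 2B 06 01 05 05 07 02 01"   #   policyQualifiers: PolicyQualifierInfo, id-qt-cps
    "16 11 68 74 74 70 3A 2F 2F 78 2E 74 65 73 74 2F 63 70 73"  # IA5String "http://x.test/cps"
    "30 06 06 04 55 1D 20 00"                     #  PolicyInformation: anyPolicy 2.5.29.32.0
)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; handles short and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form (first octet packs two arcs, rest base-128)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                           # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """Return the policyIdentifier OIDs of a certificatePolicies extension value, skipping qualifiers."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)       # one PolicyInformation
        oid_tag, oid_body, _ = _read_tlv(info, 0)  # policyIdentifier is always its first element
        if tag == 0x30 and oid_tag == 0x06:
            oids.append(decode_oid(oid_body))
    return oids

def rule_permits(ext_value, value_regex):
    """Model the pipeline (one certificatepolicy claim per OID, bare OID as Value) and evaluate the rule."""
    claims = [(CP_CLAIM, oid) for oid in policy_oids(ext_value)]
    return any(t == CP_CLAIM and re.search(value_regex, v) for t, v in claims)

# The two Value patterns from the thread; Python wants the inline (?i) flag before ^, .NET accepts it after.
URI_PREFIXED = r"(?i)^http://schemas\.microsoft\.com/2012/12/certificatecontext/extension/certificatepolicy/1\.3\.6\.1\.4\.1\.55555\.2\.2\.2\.4$"
BARE_OID = r"^1\.3\.6\.1\.4\.1\.55555\.2\.2\.2\.4$"
```

Because the claim Value is the bare OID, the URI-prefixed pattern from the first post can never match even once the claim reaches the pipeline; the bare-OID pattern (or `Value == "1.3.6.1.4.1.55555.2.2.2.4"`) does.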
All replies
-
c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy", Value =~ "^(?i)1\.3\.6\.1\.4\.1\.55555\.2\.2\.2\.4$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
Would that work?
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
Thursday, August 25, 2016 9:21 PM -
Thank you, no it doesn't.
In the event viewer I don't see any claim related with the Certificate Policy. I see the Enhanced Key Usage, but not the CP. This is what I see in the event viewer:
http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku
1.3.6.1.4.1.311.20.2.2
http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku
1.3.6.1.5.5.7.3.4
http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku
1.3.6.1.5.5.7.3.2
http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku
I tried with EKU and it works fine, but not with the CP.
- Edited by Harvey Villalobos Thursday, August 25, 2016 9:31 PM
Thursday, August 25, 2016 9:30 PM -
Works for me with the Application Policy, is that what you mean? http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy What does the cert look like? Can you c/p the actual extension?
Thursday, August 25, 2016 9:48 PM -
This is the extension
http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy
Thursday, August 25, 2016 10:00 PM -
I mean, you can see it in the cert itself? And in the pipeline?
What about
c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy", Value == "1.3.6.1.4.1.55555.2.2.2.4"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
- Marked as answer by Harvey Villalobos Friday, August 26, 2016 3:24 PM
- Unmarked as answer by Harvey Villalobos Friday, August 26, 2016 3:24 PM
Thursday, August 25, 2016 10:12 PM -
-
Thanks for your feedback Harvey.
http://blog.auth360.net
Monday, August 29, 2016 7:57 PM