AD FS 3.0 Office Block RRS feed

  • Question

  • Hi, 

    I am looking to block external access to a certain security group unless they are on the office network. Please see below the custom rule used. Currently this isn't working and everyone can login from anywhere.

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
     && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-3730080989-172211334-3693418180-2186"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b1\.2\.3\.4\b"])

     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    Removed external IP from this post. Can someone help and explain why this isn't working?


    Wednesday, September 13, 2017 10:26 PM

All replies

  • Hi,

    Perhaps a silly question, but you did specify this as an 'Issuance Authorization Rule', and not a transform rule?

    I can't really reproduce this in my lab, because the x-ms-forwarded-client-ip in our case is always the loadbalancer IP, but if I use a bogus IP instead of the loadbalancer IP in the last condition I'm denied access to the relying party as expected.

    Kind regards,

    Enrico Klein

    Monday, September 18, 2017 1:27 PM
  • Hi,

    Scenario 4 in this article should help.

    You should have at least 4 Issuance Authorization Rules in this case.

    Thursday, September 21, 2017 3:08 AM