问题
Consider the below Sample Scenario:
- I have a Single Active Directory Domain for Production, Test and for development (each separated at OU level).
- I want to install ADFS at test OU level and I do not want users authenticated at test OU ADFS to have access (both read and write) to other OU's.
Can this be possible ? Can we restrict ADFS 2.0 to work only under a particular OU ?
回答1:
Though restricting ADFS 2.0 to work under a specific OU is not feasible (from the resources I read and IMHO), we can restrict the user access within a specific OU.
This can be accomplished in two steps:
Add a claim rule to extract AD object DN.
• To extract this claim, from ADFS admin console, go to ADFS 2.0 - > Trust Relationship -> Claims provider Trusts -> Click on the Active Directory -> Edit claim rules.
• Under acceptance transformation rule, add a new rule
Claim rule name – DN (can be anything) LDAP Attribute – distinguishedname Outgoing claim type – http://temp.org/claims/DistinguishedName• This will extract the DN of each object in the AD
Add a new authorization rule (in relying party trust of the required application) to allow users from a particular OU to access the application.
• Go to ADFS admin console -> Trust Relationship ->Relying party trusts -> Select the application -> Edit claim rules
• Under Issuance authorization rules (second tab), remove the existing rule “ Allow all users” (if any) and add a new rule under - Send claims using a custom rule: Name: XXX (any value)
Custome rule: c:[Type == "http://temp.org/claims/DistinguishedName", Value =~"^.* (OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");For example: Users in OU=Users,OU=EMPLOYEES,OU=Org-users,DC=ADCORP,DC=LAB would have access
Users in OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB would have access
Users in OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB would NOT have access
For more details about adding DN, please refer to this link and for details about adding the custom rule, refer to the msdn post.
回答2:
Would it be possible to reverse the restrictions? So instead of allowing just 1 OU at a time could you allow everyone but one?
So the string could be
C:[Type == "http://temp.org/claims/DistinguishedName", Value =~"^.* (OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "PermitUsersWithClaim");
This way everyone but the Employees OU would have access.
来源:https://stackoverflow.com/questions/15352332/restricting-adfs-2-0-to-use-a-specific-ou-instead-of-domain-level-access