Reputation: 166
ADFS 2.0 - How to block access to my RP for a specific issuer
I currently have two relying parties (RP) configured on my adfs 2.0 server. I also have two claims provider trusts. I simply want to restrict access to the first RP if the user belongs to claims provider 1.
Is there a claim rule I can put that would let me inspect the user's issuer and then grant access or not?
I'm also wondering if this behavior is even acceptable in a SSO infrastructure. Should I deploy two instances of ADFS 2.0 in order to support this (one trusts claims provider 1 while the other doesn't).
Thanks for any ideas or design inputs.
Upvotes: 1
Views: 1025
Answers (1)
Reputation: 1127
I don't know if this is a good idea, but this should work:
Add a custom rule to the claims provider you want to deny with content like this:
=> issue(Type = "http://schemas.YOURDOMAINHERE/claims/AccessRP_X", Value = "Deny");
- Then on the RP, edit claim rules, choose Issuance authorization rules, Add Rule.
- In the dialog, use template "Permit or Deny Users based on an Incoming Claim".
- For incoming claim type, use the same type as in the custom rule.
- In incoming claim value, write Deny
- And Choose the radio button "Deny access to users with this incoming claim".
- Press finish
Hope this works for you.
Upvotes: 1
Related Questions
- Prevent SSO with Playwright
- ADFS 4 -'X-Frame-Options' to 'deny'
- Conditional authentication with ADFS
- ADFS authorisation but only local sign on
- Bypass ADFS Sign in/Home Realm Discovery page
- ADFS 2.0 Single Sign Out Not Signing Out
- ADFS Skip Home Realm Discovery using integrated auth
- ADFS 2.0 Overcome Splash page
- Restricting ADFS 2.0 to use a specific OU instead of Domain level access
- Single Sign Out with ADFS and STS