miha

Reputation: 3377

Enabling access policy in ADFS 4.0 for OpenID Connect clients

AD FS supports the OpenID Connect protocol for authenticating users. AD FS supports access policies for Web API applications, but not for server applications, at least not that I could find.

Is it possible to define access policy for a server application? The business scenario is really simple: only allow users from a defined group to authenticate given a specific client id.

If an enterprise deploys AD FS with AD DS and deploys several applications (each one registered separately, thus getting a unique client id and client secret), this could be used to allow/disallow users from authenticating to the ADFS for a given (registered) client (relying party).

Upvotes: 1

Views: 1217

Answers (1)

miha

Reputation: 3377

It appears that this is possible by defining two applications in the same application group:

  1. The server application, which has a client secret in addition to client id
  2. The WebAPI application, for which you can define an access policy.

In order to make this work, you need to assign the relying party identifier (the client id of the server application) to the WebAPI identifiers and ensure that the "Client permissions" of the WebAPI application contain the server application.

If the access policy is not evaluated successfully, the relying party (the application requesting authentication) will receive an access_denied message.

Application group: (screenshot)

Server application: (screenshot)

WebAPI application: (screenshot)

Upvotes: 2
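The same setup, scripted with the AD FS PowerShell module on Windows Server 2016 (AD FS 4.0), as an added example that is not part of the original question or answer. The application group name and identifier, the display names, the redirect URI and the AD group `CONTOSO\Portal-Users` are assumptions; the client id is generated on the fly. The parameter names of the two `Get-` verification calls at the end are also given from memory and should be checked against `Get-Help` on the farm.

```powershell
# Added example, not from the original post. Assumes the ADFS module on an
# AD FS 4.0 (Windows Server 2016) farm and an account that may manage AD FS.
Import-Module ADFS

$groupId      = 'ContosoPortalGroup'                          # assumed application group identifier
$clientId     = [guid]::NewGuid().ToString()                  # client id of the server application
$redirectUri  = 'https://portal.contoso.example/signin-oidc'  # assumed OIDC callback of the client
$allowedGroup = 'CONTOSO\Portal-Users'                        # assumed AD group allowed to sign in

New-AdfsApplicationGroup -Name 'Contoso Portal' -ApplicationGroupIdentifier $groupId

# 1. Server application: has a client id and a generated client secret.
$server = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupId `
    -Name 'Contoso Portal (server application)' `
    -Identifier $clientId -RedirectUri $redirectUri -GenerateClientSecret
# $server.ClientSecret is shown once; hand it to the application's configuration store.

# 2. Web API whose identifier IS the server application's client id, so the
#    access control policy is evaluated when that client asks AD FS for a token.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupId `
    -Name 'Contoso Portal (Web API)' `
    -Identifier $clientId `
    -AccessControlPolicyName 'Permit specific group' `
    -AccessControlPolicyParameters @{ GroupParameter = @($allowedGroup) }

# 3. "Client permissions": allow the server application to obtain tokens for
#    the Web API (openid is needed for an id_token to be issued).
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId -ScopeNames 'openid'

# Verification (parameter names assumed; check with Get-Help if they differ).
Get-AdfsWebApiApplication -Name 'Contoso Portal (Web API)' |
    Select-Object Name, Identifier, AccessControlPolicyName
Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientId
```

A user who is not a member of `CONTOSO\Portal-Users` is sent back to the redirect URI with `error=access_denied` instead of an authorization code, so the client's callback handler must treat that query parameter as a failed sign-in rather than as an empty response. Keep the Web API identifier and the server application's client id exactly equal; a policy attached to a Web API with any other identifier is only evaluated when the client explicitly requests that identifier as the resource.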
