I'm trying to make an Authorization Rule in ADFS 3.0, disabling some users in a specific "OU" from using a "relying party", with no success.
On the Issuance Transform Rules, I've configured the claim "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname" to get the Distinguished Name from AD.
Here is an example: CN=John Doe,OU=XYZ,OU=ABC,DC=CONTOSO,DC=com
This rule should deny access to users in the XPTO OU:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value =~ "^[^,]*,OU=XPTO.*$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
And this rule should permit access for all users outside the XPTO OU:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value !~ "^[^,]*,OU=XPTO.*$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
But instead of these rules granting access to some users and denying it to others, they deny access to all users.
Can you shed some light on this issue?
Well, the issue has been resolved.
The problem with this approach was the scant documentation explaining the Issuance Rules workflow of an ADFS Relying Party.
All I had to do was add a first rule to the Issuance Authorization Rules that gets the user's DN:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname"), query = ";DistinguishedName;{0}", param = c.Value);
Afterwards, the rules described above worked like a charm.
A few pointers for everyone working on these Authorization configs:
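The full working rule set from the answer above, applied to a relying party trust from PowerShell so it can be scripted and reviewed rather than pasted into the GUI. This is an added example, not code from the original post: the relying party name "Contoso Portal" is an assumption, and the regex is tightened to `,OU=XPTO,` (the post's `OU=XPTO.*` would also match an OU named XPTO2). Rule order is the point of the answer: the authorization rule set is its own pipeline, so the DN lookup has to be issued inside it, before the deny and permit rules, because claims issued by the Issuance Transform Rules are not visible here.

```powershell
# Added example (not from the original question or answer): pushes the three
# authorization rules from the post onto a relying party trust.
# Assumptions: "Contoso Portal" is the relying party's display name; "XPTO" is the OU to block.
Import-Module ADFS

$rpName = "Contoso Portal"   # assumption: the display name of your relying party trust

# Order matters. Rule 1 must run first so rules 2 and 3 have a distinguishedname
# claim to evaluate; claims from the Issuance TRANSFORM rules do not reach this pipeline.
# ADFS denies access if any deny claim is issued, regardless of permit claims.
$authRules = @'
@RuleName = "Look up the user's DN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname"), query = ";DistinguishedName;{0}", param = c.Value);

@RuleName = "Deny users whose immediate parent OU is XPTO"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value =~ "^[^,]*,OU=XPTO,.*$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everyone else"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value !~ "^[^,]*,OU=XPTO,.*$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Replace the relying party's Issuance Authorization Rules with the set above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authRules

# Read the stored rule set back to confirm the DN lookup is first.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two caveats a practitioner would check before relying on this: the pattern only matches users whose CN sits directly under OU=XPTO, so an account in OU=Sub,OU=XPTO,... is not denied (match on `,OU=XPTO,` anywhere in the DN if nested OUs should be covered), and `=~` is a .NET regex that is case-sensitive by default, so a DN stored as `OU=xpto` slips through unless the pattern is prefixed with `(?i)`.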