使用正则表达式的不成功发行授权规则 [英] Unsuccessfull Issuance Authorization Rule with regex

问题描述

我正在尝试在ADFS 3.0中制定授权规则，使用依赖方"以特定的"OU"形式禁用某些用户，但没有成功.

I'm trying to make a Authorization Rule in ADFS 3.0, disabling some users in a specific "OU" form using a "relying party", with no success.

在发行转换规则"上，我已将声明配置为"http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname "以从AD获取专有名称.

On the Issuance Transform Rules, i've configured the claim "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname" to get the Distinguished name from AD.

这里是一个示例:CN = John Doe，OU = XYZ，OU = ABC，DC = CONTOSO，DC = com

Here is an example: CN=John Doe,OU=XYZ,OU=ABC,DC=CONTOSO,DC=com

此规则应拒绝XPTO OU中用户的访问

This rule should deny access from users in the XPTO OU

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value =~ "^[^,]*,OU=XPTO.*$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

此规则应允许XPTO OU以外的所有用户访问

And this rule should permit access for all users outside the XPTO OU

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value !~ "^[^,]*,OU=XPTO.*$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

但是，相反，这些规则将访问权限授予某些用户，而拒绝其他用户，而是拒绝所有用户访问

But, instead these rules grant access to some users and deny others, they deny access to all users

您能阐明这个问题吗?

推荐答案

好，问题已解决.

这种方法的问题在于解释ADFS依赖方的发行规则"工作流的少数文档中.

The problem with this approach, was in the few documentation explaining the Issuance Rules workflow of ADFS Relying Party.

我要做的就是在发行授权规则"中添加第一个规则，以获取用户的DN.

All I had to do was adding a first rule in the Issuance Authorization Rules, getting the user's DN.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname"), query = ";DistinguishedName;{0}", param = c.Value);

此后，上述规则就像魅力一样发挥作用.

Afterwards, the rules described above, worked like a charm.

一些指向所有正在经历这些授权配置的指针:

A few pointers to all experiencing these Authorization configs:

• 如果发出许可要求，则始终允许该用户
• 如果未发布许可或拒绝索赔，则用户将被拒绝
• 当仅一个组织单位被拒绝访问时，此方法有效.对于其他复杂的验证，应使用自定义属性存储

这篇关于使用正则表达式的不成功发行授权规则的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！