Restricting ADFS 2.0 to use a specific OU instead of Domain level access
Question
Consider the following example scenario:
- I have one Active Directory domain used for production, testing and development (each separated at the OU level).
- I want to install ADFS at the test OU level, and I do not want users authenticating to ADFS in the test OU to be able to access (read and write) the other OUs.
Can this be possible? Can we restrict ADFS 2.0 to work only under a particular OU?
Answer
Though restricting ADFS 2.0 to work under a specific OU is not feasible (from the resources I read and IMHO), we can restrict user access to a specific OU.
This can be done in two steps:
- Add a claim rule to extract the AD object DN.
• To extract this claim, from the ADFS admin console, go to ADFS 2.0 -> Trust Relationships -> Claims Provider Trusts -> click on Active Directory -> Edit Claim Rules.
• Under acceptance transform rules, add a new rule:
Claim rule name – DN (can be anything)
LDAP Attribute – distinguishedName
Outgoing claim type – http://temp.org/claims/DistinguishedName
• This will extract the DN of each object in the AD.
- Add a new authorization rule (in the relying party trust of the required application) to allow users from a particular OU to access the application.
• Go to ADFS admin console -> Trust Relationships -> Relying Party Trusts -> select the application -> Edit Claim Rules.
• Under Issuance Authorization Rules (second tab), remove the existing rule "Permit all users" (if any) and add a new rule under "Send claims using a custom rule":
Name: XXX (any value)
Custom rule:
c:[Type == "http://temp.org/claims/DistinguishedName", Value =~ "^.*(OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
For example:
Users in OU=Users,OU=EMPLOYEES,OU=Org-users,DC=ADCORP,DC=LAB would have access.
Users in OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB would have access.
Users in OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB would NOT have access.
For more details about adding the DN, please refer to this link, and for details about adding the custom rule, refer to the msdn post: http://social.technet.microsoft.com/Forums/hu/winserverDS/thread/762a4ab1-1649-442c-91a4-654ee7b3664f
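As an added example (not part of the question or the answer above), the following Python mirrors the custom rule's regex against the answer's three sample DNs and compares it with a structural check that splits the DN into RDNs and requires the OU chain as a trailing suffix. It assumes the ADFS match is case-insensitive (the answer's first example writes Org-users against the rule's Org-Users); the user names and the DN with an escaped comma are constructed.

```python
import re

# Regex copied from the custom issuance authorization rule in the answer.
# ASSUMPTION: ADFS evaluates =~ case-insensitively (the answer's first example
# uses "Org-users" while the rule says "Org-Users"), hence IGNORECASE here.
RULE_REGEX = re.compile(r"^.*(OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB)$", re.IGNORECASE)

# Required container chain, innermost OU first, as RDN strings.
REQUIRED_SUFFIX = ("OU=EMPLOYEES", "OU=Org-Users", "DC=ADCORP", "DC=LAB")

# Constructed sample DNs mapped to the expected decision: the first three follow
# the answer's own examples, the fourth adds an RFC 4514 escaped comma in the CN.
SAMPLE_DNS = {
    "CN=alice,OU=Users,OU=EMPLOYEES,OU=Org-users,DC=ADCORP,DC=LAB": True,
    "CN=bob,OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB": True,
    "CN=carol,OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB": False,
    "CN=Doe\\, John,OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB": True,
}

def regex_permit(dn: str) -> bool:
    """Mirror of the claim rule: the permit claim is issued only if the DN matches."""
    return RULE_REGEX.match(dn) is not None

def split_rdns(dn: str) -> list:
    """Split a DN into RDNs on unescaped commas (a backslash escapes the next char)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns

def suffix_permit(dn: str, required=REQUIRED_SUFFIX) -> bool:
    """Structural check: the DN's trailing RDNs must equal the required chain."""
    rdns = [r.strip().lower() for r in split_rdns(dn)]
    need = [r.lower() for r in required]
    # Strictly longer, so the container itself does not count as a member.
    return len(rdns) > len(need) and rdns[-len(need):] == need

def evaluate_all(dns=SAMPLE_DNS) -> dict:
    """Return {dn: (regex_decision, structural_decision)} for each sample DN."""
    return {dn: (regex_permit(dn), suffix_permit(dn)) for dn in dns}
```

Both checks agree on every sample; the structural one additionally rejects the bare container DN, which the regex would accept because `.*` may match nothing.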