I currently have two relying parties (RP) configured on my ADFS 2.0 server. I also have two claims provider trusts. I simply want to restrict access to the first RP if the user belongs to claims provider 1.
Is there a claim rule I can put that would let me inspect the user's issuer and then grant access or not?
I'm also wondering if this behavior is even acceptable in an SSO infrastructure. Should I deploy two instances of ADFS 2.0 in order to support this (one trusts claims provider 1 while the other doesn't)?
Thanks for any ideas or design inputs.
I don't know if this is a good idea, but this should work:
Add a custom rule to the claims provider you want to deny with content like this:
=> issue(Type = "http://schemas.YOURDOMAINHERE/claims/AccessRP_X", Value = "Deny");
- Then on the RP, edit claim rules, choose Issuance Authorization Rules, Add Rule.
- In the dialog, use the template "Permit or Deny Users Based on an Incoming Claim".
- For the incoming claim type, use the same type as in the custom rule.
- In the incoming claim value, write Deny.
- Choose the radio button "Deny access to users with this incoming claim".
- Press Finish.
Hope this works for you.
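The same configuration scripted with the ADFS 2.0 PowerShell snap-in, as an added example that is not part of the answer above. The trust display names "Claims Provider 1" and "RP X" are placeholders, and the marker claim type is the one from the answer; the deny rule is the exact rule the "Permit or Deny Users Based on an Incoming Claim" template generates, paired with a permit-all rule, because an issuance authorization rule set with no permit rule lets nobody in.

```powershell
# Added example, not from the original post: scripts the "Deny" marker approach on ADFS 2.0.
# Assumptions: the snap-in is available, and the trust names below are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$cpName   = "Claims Provider 1"   # placeholder: display name of the claims provider trust to lock out
$rpName   = "RP X"                # placeholder: display name of the restricted relying party
$denyType = "http://schemas.YOURDOMAINHERE/claims/AccessRP_X"

# 1. On the claims provider trust: keep its existing acceptance transform rules
#    and append the rule that marks every user arriving from this provider.
$cp = Get-ADFSClaimsProviderTrust -Name $cpName
$markerRule = @"
@RuleName = "Flag users from $cpName for $rpName"
=> issue(Type = "$denyType", Value = "Deny");
"@
Set-ADFSClaimsProviderTrust -TargetName $cpName `
    -AcceptanceTransformRules ($cp.AcceptanceTransformRules + "`r`n" + $markerRule)

# 2. On the relying party: a permit rule for everyone, then the deny rule.
#    ADFS evaluates deny over permit, so flagged users are refused even though
#    the permit-all rule matches them too.
$authzRules = @"
@RuleName = "Permit everyone"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny users flagged by $cpName"
c:[Type == "$denyType", Value =~ "^(?i)Deny$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
"@
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# 3. Read back both rule sets to confirm what is actually in effect.
(Get-ADFSClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two things worth checking before running this against a live farm: Set-ADFSRelyingPartyTrust replaces the RP's whole issuance authorization rule set, so read the existing rules first and merge rather than overwrite if the RP already has more than the default "Permit all"; and the marker claim only reaches the RP's authorization rules, not the token, unless an issuance transform rule on the RP passes it through, which is what you want here.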