We have a two-way trust in our Active Directory environment to facilitate the migration of users from "Domain X" to "Domain A".
We have multiple applications pointing to an ADFS farm which uses identities in "Domain A".
During this cohabitation period, users are trying to authenticate to our ADFS server with their "Domain X" identity. This does not work on the application side (the applications only know xxx@domainA). The sAMAccountNames are completely different between Domain A and Domain X. I tried to deny authentication through "Issuance Authorization Rules" in the Relying Party trusts, but the users stay authenticated to our ADFS and the applications only show a SAML error message.
To avoid confusion, I want to explicitly deny authentication on ADFS for any domain other than Domain A. Is it possible?
For the record, here is the deny rule I tried: exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "SID OF DOMAINX\Domain Users"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
Thanks
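The following is an added example, not part of the original post and not a configuration from the poster's environment. It shows how a practitioner would scope a relying party trust's issuance authorization rules with PowerShell so that only accounts from Domain A are permitted and everything else is explicitly denied, keyed on the domain prefix of the windowsaccountname claim rather than on a group SID. The relying party trust name "My Application" and the NetBIOS name "DOMAINA" are placeholders. Note that issuance authorization rules are evaluated per relying party after the user has already signed in to AD FS, which matches what the post describes: the rule set below controls whether the relying party receives a token, not whether a Domain X user can sign in to AD FS itself.

```powershell
# Added example (not from the original post): permit only Domain A accounts
# on one relying party trust and explicitly deny every other domain.
# Assumptions (placeholders): relying party trust "My Application",
# NetBIOS name of Domain A is "DOMAINA". Run on an AD FS server as an AD FS admin.
Import-Module ADFS

$RpName        = 'My Application'   # placeholder relying party trust name
$AllowedDomain = 'DOMAINA'          # placeholder NetBIOS name of Domain A

# Claim rule language passes the string literal to the .NET regex engine as-is,
# so "\\" is a regex-escaped literal backslash and the pattern matches "DOMAINA\".
# PowerShell does not treat backslashes as escapes, so they reach AD FS unchanged.
$Rules = @"
@RuleName = "Permit only $AllowedDomain accounts"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value =~ "(?i)^$AllowedDomain\\"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny every other domain"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value =~ "(?i)^$AllowedDomain\\"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Keep a copy of the current rules so the change can be rolled back.
$Rp = Get-AdfsRelyingPartyTrust -Name $RpName
$Rp.IssuanceAuthorizationRules | Out-File -FilePath ".\$RpName-authz-rules.bak.txt"

# On AD FS 2016 and later a relying party may be governed by an Access Control
# Policy instead of custom rules; clear it first so the custom rule set applies.
if ($Rp.AccessControlPolicyName) {
    Set-AdfsRelyingPartyTrust -TargetName $RpName -AccessControlPolicyName $null
}

Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $Rules

# Verify what AD FS stored before testing with a Domain A and a Domain X account.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceAuthorizationRules
```

Applying this to each relying party trust gives a consistent deny for Domain X callers at the token-issuance step. The sign-in to AD FS itself still succeeds for a Domain X account, so the user sees an AD FS access-denied page for the relying party rather than an application-side SAML error; the permit rule is what actually gates the application, and the explicit deny makes the intent readable in the rule set.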