
We have a two-way trust in our Active Directory environment to facilitate the migration of users from "Domain X" to "Domain A".

We have multiple applications pointing to an ADFS farm which is using identities in "Domain A".

During this cohabitation period, users are trying to authenticate to our ADFS server with their "Domain X" identity, which doesn't work on the application side (the applications only know xxx@domainA). SamAccountNames are completely different between Domain A and Domain X. I tried to deny authentication through "Issuance Authorization Rules" in the Relying Party trusts, but the users stay authenticated to our ADFS and the applications only show a SAML error message.

To avoid confusion, I want to explicitly deny authentication on ADFS for any domain other than Domain A. Is it possible?

For the record, here is the Deny Rule tried: exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "SID OF DOMAINX\Domain Users"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

Thanks

Brice
  • Can you post your issuance auth rule? That really should have stopped them from getting a token. – Jim B Apr 26 '17 at 13:11
  • I added the rule. For me the problem is that I can log on to "https://sts.DOMAINA.com/adfs/ls/IdpInitiatedSignon.aspx" with all identities. – Brice Apr 26 '17 at 13:22
  • All users being able to log on to the IdpInitiatedSignon page doesn't mean they can log on to the applications in Domain A. The IdpInitiatedSignon page is just used to verify whether the ADFS component is operational or not. You can customize the error messages for the ADFS sign-in page using PowerShell cmdlets as [this guide](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/custom-error-messages-for-ad-fs-sign-in-page) describes. – Jimmy Sun May 05 '17 at 10:08
  • I will have a look ASAP at the PowerShell customisation. I'm afraid it is only available for ADFS 3.0+. I am on ADFS 2.0 without the possibility to update it. – Brice May 05 '17 at 12:51

0 Answers
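Added example, not part of the question or of any answer on this page. Issuance authorization rules on a Relying Party trust decide only whether AD FS issues a token for that RP; they do not control the sign-in itself, which is why the IdpInitiatedSignon page still accepts every identity from a trusted domain. What the rules can do is turn the confusing downstream SAML error into an AD FS "access denied" for the wrong domain. The rule in the question denies one specific Domain X group; the variant below inverts the logic and denies anyone who does not carry Domain A's "Domain Users" group SID, so every foreign domain reachable over the trust is covered. The RP trust name and the Domain A SID are placeholders (the RID 513 suffix is the well-known RID of "Domain Users", but the domain part must be taken from the real Domain A). The snap-in load line is what AD FS 2.0 needs; on AD FS 3.0 and later the module loads automatically.

```powershell
# Added example (not from the original post): restrict token issuance for one
# Relying Party trust to Domain A users. Placeholder values are marked as such.

# AD FS 2.0 ships its cmdlets as a snap-in that must be loaded explicitly.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName       = "MyApplication"                                   # placeholder: RP trust display name
$domainAUsers = "S-1-5-21-1111111111-2222222222-3333333333-513"   # placeholder: Domain A "Domain Users" SID (RID 513)

# Rule 1: deny anyone who does NOT hold Domain A's "Domain Users" group SID.
# Rule 2: permit everyone else.
# A deny claim always wins over a permit claim, so a Domain X user (who carries
# Domain X group SIDs, not Domain A's) gets "access denied" from AD FS instead
# of a token that the application then rejects with a SAML error.
$rules = @"
@RuleName = "Deny users who are not members of Domain A"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$domainAUsers"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit Domain A users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Replace the RP trust's issuance authorization rules with the two rules above.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Read the stored rule set back to confirm what AD FS will evaluate.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

The group SID claim type used here is the same one as in the question's rule and is passed through by the default "Active Directory" claims provider trust, so no acceptance transform rule changes are needed. The rule set has to be applied per Relying Party trust; AD FS 2.0 has no global access control policy, so each RP that should reject Domain X identities needs the same rules.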