Lock Down Relying Party based on AD Attribute, Title

RAVI BABU CHIGURUSETTI 1 Reputation point
2020-06-26T18:05:10.277+00:00

Hi All,

We are using ADFS 3.0. Please help me.

As the title states, is it possible to lock down a relying party based on an attribute value a user has in AD?
For example, our objective is to deny if the user's Title attribute value contains the word "Contractor".

I have created the two rules below in the Issuance Authorization Rules, but it's not working.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:2.5.4.12"), query = ";title;{0}", param = c.Value);

EXISTS([Type == "http://contoso.com/title", Value == "Contractor"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

1 answer

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-06-27T14:41:22.92+00:00

    You can make it work with the following three rules in the Issuance Authorization Rules:

    Rule one allowing everyone:

     => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
    

    All rules are processed, so it's not an issue to have this one. Then extract the title attribute:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("temp:/title"), query = ";title;{0}", param = c.Value);
    

    Then you deny the contractors:

    c:[Type == "temp:/title", Value == "Contractor"]
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
    
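As an added example (not part of the question or the answer above), here is how the three-rule set from the answer can be applied to the relying party trust with the ADFS PowerShell module. It uses a case-insensitive regex match (`=~`) instead of `==` so that the "contains Contractor" requirement from the question is honoured rather than an exact-equality match. The relying party display name "Contoso App" is a placeholder.

```powershell
# Added example: apply the permit / lookup / deny rule set with the ADFS cmdlets.
# "Contoso App" is a placeholder for the relying party trust's display name.
$rpName = "Contoso App"

# Single-quoted here-string so {0} and the claim type URIs reach ADFS verbatim.
$authzRules = @'
@RuleName = "Permit everyone (a deny claim issued below still wins)"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Look up the AD title attribute into a temporary claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("temp:/title"), query = ";title;{0}", param = c.Value);

@RuleName = "Deny when the title contains Contractor (case-insensitive regex, not exact match)"
c:[Type == "temp:/title", Value =~ "(?i)contractor"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
'@

# This replaces the trust's whole issuance authorization rule set; it does not append.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Read back what ADFS actually stored to confirm all three rules are present.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

A deny claim overrides the permit claim, which is why the permit-everyone rule is safe; note that a user whose AD title is empty produces no temp:/title claim and is therefore permitted, so the rule set fails open for accounts with no title set.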