This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 92%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hi,
Thanks in advance for anyone who can assist on this issue.
Am running ADFS 2.0 on Win2008R2 SP1 and encountered some problems. The purpose is to get the users in the different groups inside the specific OU and rely it to a 3rd party app. So what I did was:
a. Added a rule under "Acceptance Transform Rules" in "Claims Provider Trusts". Using "distinguishedname" under LDAP Attribute and "ht tp://myserver/claims/DistinguishedName" as the outgoing claim type.
Should this rule be on the top or below of the rule order?
Is the use of distinguishedname correct here?
b. Then under the "Relying Party Trusts" ==> "Issurance Authorization Rules", I add this custom claim rule.
Is this custom rule claim correct? Cos I am getting the error "The status code of the Response was not Success, was Responder -> urn:oasis:names:tc:SAML:2.0:status:RequestDenied".
I am not versed with ADFS but i am pretty sure the custom rule claim is not getting the correct response. Can anyone help to advise on this?
Many thank in advance!
Tan
First of, it is time to upgrade :) The upgrade process is quite straight forward and documented here.
Then, I am not sure I fully understand the group/OU thing... So let's start easy and see where we get from there :)
If you want to allow only users from a specific OU to access a Relying Party, one way to do it is to create two Issuance Authorization Rules (use the Custom Claim rule in the wizard to set them, and make sure those are the only 2 rules).
Sorry I had to use screenshots, it wouldn't let me send the actual rules. Not sure why...
No worries Plaudonn and many thanks for your reply.
The group/OU thing is like this. In the AD, I had a OU whereby there are groups in there with different users from different departments. I am trying to restrict access based on the depts and the 3rd party tool needs ADFS. Hence I was thinking how I can use the claims and rely party to do a clean response of information so that the restriction can be based on the groups in the OU.
So we are looking for where in the domain OU structure are the group the user is a member of? I guess not, that would be very random and unpractical.
It is still not clear to me what you need. What are the conditions to allow or restrict? Can you give an example?
Hi Plaudonn,
Will you be able to share with me what do I need to add under the Acceptance Transform Rules? I am still sending Windows Account Name, Primary SID and Group SID over and the end result on the 3rd party tool is still seeing these 3 fields Now we will just need to send the OU and Username over so that the 3 party tool can recognize and capture this 2 fields.
Thanks thanks!
Tan
PS: Sorry I am not versed in ADFS language at all and is having a hard time understanding how to construct the correct claims over
Sorry, I still don't understand what you need to send if that's not what I posted 5 days ago. Can we set aside the technology and describe what you want to achieve in details?