After completing this how-to you will be able to scope which users in ADFS are evaluated against the Cloud Access Policies.
The principle is that we solve this by adding a “short-circuit” Cloud Access Policy in first place, which evaluates a custom ADFS attribute that is sent only for users who are members of a dedicated AD group.
Please refer to this article on how to set up SSO with ADFS and Access Control.
But do not change the endpoint URL in ADFS yet (pointing to the RP): as long as no special group is defined, all users will be routed through CAP.
Once the above steps are done, configure an additional SAML assertion string in ADFS:
- Go into the ADFS Management console, navigate to Service and then select "Claim Descriptions":
- Right-click to add a new Claim Description:
- Fill out the properties as shown in the screenshot below:
Note: You can use any attribute name you like, as long as it matches the one used in the CAP shortcut policy we define later.
Also note that the value of the "Short Name" will later be used for evaluation in the CAP policies.
- In the Relying Party Trusts section, select your O365 entry, right-click and choose "Edit Claim Issuance Policy...":
- Click "Add Rule":
- Select "Send Group Membership as a Claim":
- Define a "Claim rule name", select the AD user group that this claim should apply to, pick the claim we defined earlier from the "Outgoing claim type" dropdown, and set "Outgoing claim value" to "TRUE".
Click "OK" to confirm and save the settings.
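The same ADFS configuration can be scripted with the ADFS PowerShell module, which is useful for repeating the setup on a second farm or for verifying what the console created. The block below is an added example written for this how-to, not code from the original article or from the MVISION Cloud product. It takes the claim short name "SHNAccess" and the namespace "http://schemas.xmlsoap.org/claims" from the SAML trace shown further down; the relying party trust name and the group SID are placeholders you must replace with your own values.

```powershell
# Added example: create the custom claim description and the group-based
# issuance rule for the O365 relying party trust. Run in an elevated
# PowerShell session on an ADFS server.
Import-Module ADFS

$ClaimShortName = 'SHNAccess'                                 # short name used by the CAP policy
$ClaimType      = "http://schemas.xmlsoap.org/claims/$ClaimShortName"
$RpTrustName    = 'Microsoft Office 365 Identity Platform'    # PLACEHOLDER: display name of your O365 RP trust
$GroupSid       = 'S-1-5-21-REPLACE-WITH-GROUP-SID'           # PLACEHOLDER: SID of the dedicated AD group

# 1. Claim description (Service -> Claim Descriptions -> Add Claim Description).
#    Idempotent: skipped if a description with this claim type already exists.
if (-not (Get-AdfsClaimDescription | Where-Object { $_.ClaimType -eq $ClaimType })) {
    Add-AdfsClaimDescription -Name $ClaimShortName -ClaimType $ClaimType -ShortName $ClaimShortName `
        -IsAccepted $true -IsOffered $true -IsRequired $false `
        -Notes 'Marks users that the CAP short-circuit policy must evaluate'
}

# 2. Issuance rule equivalent to the "Send Group Membership as a Claim" template:
#    members of the group get the custom claim with the value TRUE.
$Rule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Emit $ClaimShortName for CAP scoping group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$ClaimType", Value = "TRUE", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# 3. Append the rule to the trust's existing issuance transform rules.
#    Never overwrite the rule set: the O365 trust already carries the UPN/ImmutableID rules.
$Rp = Get-AdfsRelyingPartyTrust -Name $RpTrustName
if (-not $Rp) { throw "Relying party trust '$RpTrustName' not found" }
$ExistingRules = $Rp.IssuanceTransformRules
if ($ExistingRules -notmatch [regex]::Escape($ClaimType)) {
    Set-AdfsRelyingPartyTrust -TargetName $RpTrustName `
        -IssuanceTransformRules ($ExistingRules + "`r`n" + $Rule)
}

# 4. Verification: the trust's rule set must now reference the custom claim type.
$Verified = (Get-AdfsRelyingPartyTrust -Name $RpTrustName).IssuanceTransformRules -match [regex]::Escape($ClaimType)
if (-not $Verified) { throw "Issuance rule for $ClaimType was not applied" }
Write-Host "Issuance rule for $ClaimType is present on '$RpTrustName'"
```

Only members of the group receive the attribute, so a user outside the group simply gets no SHNAccess attribute in the token; that absence is exactly what the "is not" SAML expression in the CAP shortcut policy keys on. The group SID is compared literally, so use the primary group's SID (Get-ADGroup exposes it as the SID property) rather than a display name.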
Cloud Access Control Setup (MVISION Cloud Dashboard)
On top of your existing Access Control policies, add another policy that we will use as a shortcut so that only users who carry the special claim (based on the AD group selected above) are evaluated against the existing policies.
- Create an additional CAP rule and select the following criteria:
Note: The operator "is not" in "SAML Expression" is intended, as we redirect all users who do not have the special claim from ADFS straight to O365.
Once you click "Save", the CAP setup is complete.
Example: This is how a SAML trace (snippet) looks when the user is in the particular AD group and the attribute is being sent:
<saml:Attribute AttributeName="SHNAccess" AttributeNamespace="http://schemas.xmlsoap.org/claims">
Once the setup is done, you can configure the endpoint in ADFS to point to our reverse proxy.