Hello all,
I've been working with a customer to implement an ADFS rule set to limit external access to Office 365 to web applications only, so no Outlook or Lync client configuration is possible.
I've followed the article on TechNet: http://technet.microsoft.com/en-us/library/dn592182.aspx
More specifically, I used scenario 3 as a starting point. The rule set in this scenario holds a claim rule for the forwarded client IP. If I configure this for the client's external IP, all users can access the web apps from inside the corporate network but not from the outside.
The ruleset I've gotten to so far is:
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"] => issue(Type = "http://custom/allow", Value = "true");
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b1\.2\.3\.4"] => issue(Type = "http://custom/allow", Value = "true");
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls"] => issue(Type = "http://custom/allowed", Value = "true");
c:[Type == "http://custom/allow", Value == "true"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
These rules will allow Internet Explorer to connect from behind the corporate network gateway (IP: 1.2.3.4) but not when using a different gateway. I've tried removing this rule, but then no connection to the web apps is allowed except from inside the corporate network.
I want to enable all users to access the Outlook client application from inside the corporate network and allow all the Office 365 web apps (Outlook, SharePoint, Lync etc.) from inside AND outside the corporate network (through ADFS).
Can someone help me with some pointers as to what claim rules I have to configure, or how to adjust the rules of the above-mentioned TechNet article to achieve this goal?
Thanks in advance!
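An added example, not from the post or the TechNet article: a small Python replay of the four posted rules against constructed requests, to show which ones end in a permit claim. It models the ADFS pipeline only as far as the post needs (rules run in order, issued claims are visible to later rules); the IP addresses, the WS-Trust endpoint path used for the rich-client case and the alternative spelling of the third rule's issued claim type are assumptions for illustration.

```python
import re

# Claim types from the rule set above.
INSIDE = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
FWD_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
PATH = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
ALLOW = "http://custom/allow"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"


def build_rules(third_rule_issues="http://custom/allowed"):
    """The four posted rules as (claim type, matcher, claim type to issue).
    A str matcher is an '==' comparison, a compiled regex is '=~'.
    The default keeps the posted spelling of the third rule's issued type;
    pass ALLOW to see the rule set with that type matching the fourth rule."""
    return [
        (INSIDE, "true", ALLOW),
        (FWD_IP, re.compile(r"\b1\.2\.3\.4"), ALLOW),
        (PATH, "/adfs/ls", third_rule_issues),
        (ALLOW, "true", PERMIT),
    ]


def is_permitted(rules, claims):
    """Evaluate rules in order. Claims issued by a rule join the working set
    so later rules can match on them, as in the ADFS claims pipeline.
    Returns True when a permit claim was issued."""
    working = set(claims)
    for claim_type, matcher, issue_type in rules:
        for ctype, value in list(working):
            if ctype != claim_type:
                continue
            hit = (matcher.search(value) is not None if hasattr(matcher, "search")
                   else value == matcher)
            if hit:
                working.add((issue_type, "true"))
    return (PERMIT, "true") in working


# Constructed requests (sample values, not from the post).
INSIDE_BROWSER = {(INSIDE, "true"), (PATH, "/adfs/ls")}
GATEWAY_BROWSER = {(INSIDE, "false"), (FWD_IP, "1.2.3.4"), (PATH, "/adfs/ls")}
EXTERNAL_BROWSER = {(INSIDE, "false"), (FWD_IP, "203.0.113.9"), (PATH, "/adfs/ls")}
# Rich clients authenticate through a WS-Trust endpoint, not the passive /adfs/ls page.
EXTERNAL_OUTLOOK = {(INSIDE, "false"), (FWD_IP, "203.0.113.9"),
                    (PATH, "/adfs/services/trust/2005/usernamemixed")}

if __name__ == "__main__":
    for label, rules in (("as posted", build_rules()),
                         ("third rule issuing " + ALLOW, build_rules(ALLOW))):
        print(label, [is_permitted(rules, r) for r in
                      (INSIDE_BROWSER, GATEWAY_BROWSER, EXTERNAL_BROWSER, EXTERNAL_OUTLOOK)])
```

With the posted spelling, the third rule issues a claim type the fourth rule never reads, so an external browser hitting /adfs/ls is not permitted while an external Outlook client is denied either way. Note also that the posted regex has no trailing \b, so a forwarded IP such as 1.2.3.45 also matches it.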