Sorry if this is the wrong forum, but I couldn't find an ADFS one.
I'm trying to create a rule in ADFS that denies access based on a global security group in AD, IF they are connecting from outside the network. This rule is going to be used on multiple applications.
I have tried different versions of the following:
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.xmlsoap.org/claims/Group", Value == "external blacklist"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
There is also a permit all rule.
However, I can't get ADFS to recognize groups. I tested the permit and deny commands using the previous rule (permit or deny if they are coming through the proxy), so I know both the proxy rule and the deny issue are working correctly.
I tried using role instead of group, I tried using the regex characters in the group name, as well as removing all the other rules to see if the default permit all was overriding it.
I think my solution is here: https://social.msdn.microsoft.com/Forums/en-US/4eee9762-d0d2-4c13-81d9-5250203693ba/adfs-custom-issuance-authorization-rule-based-on-group-membership?forum=Geneva
Should I do the group by SID?
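Worked example, added here by the editor and not part of the post or the linked thread: issuance authorization rules in ADFS evaluate the claims that the claims provider trust (Active Directory) emits, and by default those include group SIDs (`http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`) rather than group names, so the deny rule below keys on the SID. The script resolves the SID from the group name, combines the proxy check with the group check, keeps a permit-all rule alongside it, and applies the same rule set to several relying party trusts. The group name "external blacklist" comes from the post; the relying party trust names are placeholders, and the script assumes it runs on an ADFS server with the ActiveDirectory and ADFS PowerShell modules installed.

```powershell
# Editor-added example, not the poster's rule. Builds a "deny members of group X
# when they come through the Web Application Proxy" authorization rule set and
# applies it to several relying party trusts.
# Assumptions: group name from the post; RP names are placeholders; runs on an
# ADFS server where the ActiveDirectory and ADFS modules are available.
Import-Module ActiveDirectory
Import-Module ADFS

$GroupName      = 'external blacklist'
$RelyingParties = @('Placeholder App 1', 'Placeholder App 2')   # placeholders

# Authorization rules see what the AD claims provider trust emits: group SIDs,
# not group names. Resolve the name to its SID once, up front.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# x-ms-proxy is present only when the request arrived via the proxy, so the
# deny applies to external access only.
$denyRule = @"
@RuleName = "Deny $GroupName when coming through the proxy"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
"@

# Everyone not caught by the deny rule still needs a permit claim to get in.
$permitRule = @"
@RuleName = "Permit everyone else"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# A deny claim overrides any permit claim in ADFS, so rule order is not
# significant here; both rules are stored together as one rule set.
$ruleSet = $denyRule + "`r`n" + $permitRule

foreach ($rp in $RelyingParties) {
    Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $ruleSet
    # Read the stored rules back to confirm the change on each trust
    Write-Host "Authorization rules now set on '$rp':"
    (Get-AdfsRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
}
```

Because the deny keys on the SID, renaming the group later does not silently break the rule, and the same rule text can be pushed to every relying party that should share the restriction.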