
Restricting user sign-in locations with O365 and ADFS (Part 4): Configuring Claim Rules


So far we have completed the ADFS deployment. In the earlier tests we could already see sign-in being redirected to the on-premises ADFS, and audit events being logged. Now comes the core of this series: using claim rules to control which users may sign in from which locations.


In ADFS this scenario is implemented with claim rules. They cover a wide range of cases, and Microsoft documents them with fairly detailed examples, so the sensible approach is to check the official documentation first to see whether it already covers what you want, and then adapt the corresponding rules to your own needs.


For the supported rules and scenarios, see the Microsoft documentation:


Limiting Access to Office 365 Services Based on the Location of the Client

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh526961(v=ws.10)#build


Client Access Policy Scenarios

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh526961(v=ws.10)#client-access-policy-scenarios



This is ADFS 2.0 documentation, but I tried it on 2012 R2 and it still works. Note that the URLs sit under previous-versions: Microsoft now steers location-based access control towards Conditional Access, but the claim rule language used below is unchanged in later ADFS releases. The concrete steps follow.


Restricting where a user may sign in from boils down to restricting the source IP address. ADFS supports a number of client access policy scenarios, and the one we need is among them:


Scenario: Block all external access to Office 365
Description: Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.

Scenario: Block all external access to Office 365, except Exchange ActiveSync
Description: Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.

Scenario: Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online
Description: Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.

Scenario: Block all external access to Office 365 for members of designated Active Directory groups
Description: This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.



Now for the actual configuration.


1. Open the AD FS Management console, go to Trust Relationships -> Claims Provider Trusts, select the Active Directory claims provider trust and click Edit Claim Rules in the right-hand pane.



2. Click Add Rule.


3. Choose the Pass Through or Filter an Incoming Claim template.



4. Under Incoming claim type, enter http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip (the field accepts a typed-in URI even though it is a drop-down).




5. Add pass-through rules for the remaining request-context claim types in the same way:

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path




6. Go to Trust Relationships -> Relying Party Trusts, right-click the Office 365 relying party trust and choose Edit Claim Rules.



7. On the Issuance Authorization Rules tab, click Add Rule.


8. Choose Send Claims Using a Custom Rule.



9. This is the key step: enter the deny rule here. It is this rule that restricts where users may sign in from.


Two values in the rule need attention. The first is Value =~ "S-1-5-21-2595707816-3332463818-32960013-1109": this is the SID of an AD group. Put the users you want to restrict into that group and paste its SID here (Get-ADGroup shows it). Because =~ is a regular-expression match, prefer == for an exact comparison; otherwise the pattern also matches any group whose RID merely begins with 1109. The second is Value =~ "customer-provided public ip address regex": an IP address or a regular expression covering your public egress addresses. It acts as an allowlist: an external user is let in only when the forwarded client IP matches it and is denied otherwise (internal users are unaffected). Anchor the pattern with ^ and $ and escape the dots, since =~ is an unanchored match and 203\.0\.113\.1 on its own would also accept 203.0.113.100. Two further points follow from how the rule is built: "external" means the request carries the x-ms-proxy claim, i.e. it arrived through the Web Application Proxy, so the federation service must not be reachable from the Internet other than through the proxy, or the rule is bypassed; and the x-ms-forwarded-client-ip claim is only present because it was passed through on the claims provider trust in steps 1 to 5 (the group SID claim is already passed through by the default Active Directory trust rules).

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2595707816-3332463818-32960013-1109"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "customer-provided public ip address regex"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");


Once the rule is saved, move it up in the list. With this rule in place we get the behaviour we were after. Note that ADFS denies access whenever any issuance authorization rule issues a deny claim, even if another rule (such as the default Permit Access to All Users) issues a permit, so the deny rule wins regardless of its position; moving it up mainly keeps it visible.
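As an added example (not part of the original post), the Python below builds an anchored allow-list regex for the public egress addresses, renders the deny rule in claim rule language for pasting into the custom-rule dialog, and evaluates that rule against constructed claim sets. The group SID, the proxy host name and the egress addresses (RFC 5737 documentation ranges) are made up for the example; Python's re module stands in for the .NET regex engine ADFS uses, which treats the constructs used here identically.

```python
"""Added example (not from the original post): build the allow-list regex for the
deny rule above, render the rule in ADFS claim rule language, and evaluate it
against constructed claim sets. Python's re stands in for .NET regex here; the
constructs used (^ $ \\. (?:...) [..] |) behave the same in both engines."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Real ADFS claim type URIs (the ones the post passes through and issues).
X_MS_PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
X_MS_FORWARDED_CLIENT_IP = (
    "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
)
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

# Hypothetical values for this example: a made-up group SID and RFC 5737
# documentation addresses standing in for the company's public egress IPs.
RESTRICTED_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1109"
ALLOWED_EGRESS = ["203.0.113.0/24", "198.51.100.7"]

# Exactly one octet 0-255; the same sub-pattern Microsoft's doc uses for a /24.
_OCTET = r"(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"

Claims = List[Tuple[str, str]]


def allowlist_regex(prefixes: Iterable[str]) -> str:
    """One anchored regex matching every IPv4 address in the given /32s and /24s.

    The ^...$ anchors are the security-relevant part: ADFS's =~ is an unanchored
    search, so "203\\.0\\.113\\.1" alone would also accept 203.0.113.100.
    """
    alts: List[str] = []
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=True)
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {prefix}")
        if net.prefixlen == 32:
            alts.append(re.escape(str(net.network_address)))
        elif net.prefixlen == 24:
            first_three = str(net.network_address).rsplit(".", 1)[0]
            alts.append(re.escape(first_three + ".") + _OCTET)
        else:
            # Keep the generated pattern readable: split larger ranges into /24s.
            raise ValueError(f"express {prefix} as /24 or /32 blocks")
    return "^(?:" + "|".join(alts) + ")$"


def render_rule(group_sid: str, ip_regex: str) -> str:
    """The post's deny rule in claim rule language, ready to paste into
    'Send Claims Using a Custom Rule'. The SID is compared with == (exact match)
    rather than =~, so a group whose RID merely starts with 1109 is not caught."""
    return (
        f'exists([Type == "{X_MS_PROXY}"]) &&\n'
        f'exists([Type == "{GROUP_SID}", Value == "{group_sid}"]) &&\n'
        f'NOT exists([Type == "{X_MS_FORWARDED_CLIENT_IP}", Value =~ "{ip_regex}"])\n'
        f' => issue(Type = "{DENY}", Value = "true");'
    )


def deny_fires(claims: Claims, group_sid: str, ip_regex: str) -> bool:
    """Evaluate the rule over a claim set exactly as written: deny only when the
    request came through the proxy AND the user is in the group AND no forwarded
    client IP matches the allow-list. re.search mirrors the unanchored =~."""
    via_proxy = any(t == X_MS_PROXY for t, _ in claims)
    in_group = any(t == GROUP_SID and v == group_sid for t, v in claims)
    ip_allowed = any(
        t == X_MS_FORWARDED_CLIENT_IP and re.search(ip_regex, v) is not None
        for t, v in claims
    )
    return via_proxy and in_group and not ip_allowed


def sample_request(external: bool, in_group: bool, client_ip: str) -> Claims:
    """Constructed claim set as the AD claims provider (group SIDs) and the Web
    Application Proxy (x-ms-* request context) would present it. Requests that
    do not traverse the proxy carry neither x-ms-proxy nor a forwarded IP."""
    claims: Claims = [(GROUP_SID, "S-1-5-21-1111111111-2222222222-3333333333-513")]
    if in_group:
        claims.append((GROUP_SID, RESTRICTED_GROUP_SID))
    if external:
        claims.append((X_MS_PROXY, "wap01.example.com"))  # hypothetical proxy host
        claims.append((X_MS_FORWARDED_CLIENT_IP, client_ip))
    return claims


if __name__ == "__main__":
    rx = allowlist_regex(ALLOWED_EGRESS)
    print(render_rule(RESTRICTED_GROUP_SID, rx), "\n")
    for ext, grp, ip in [(False, True, "10.0.0.5"), (True, True, "203.0.113.77"),
                         (True, True, "198.51.100.70"), (True, False, "198.51.100.70")]:
        verdict = "DENY" if deny_fires(sample_request(ext, grp, ip), RESTRICTED_GROUP_SID, rx) else "permit"
        print(f"external={ext!s:5} in_group={grp!s:5} ip={ip:15} -> {verdict}")
```

Running it prints the rule text and then the verdicts: the internal request and the in-group user from 203.0.113.77 pass, the same user from 198.51.100.70 is denied, and a user outside the group is never touched. Hand the evaluator the unanchored pattern 198\.51\.100\.7 instead of the generated one and the 198.51.100.70 request passes as well, which is exactly the fail-open mistake the anchors prevent.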


Here is what a normal (internal) user sees when signing in:



A user signing in from outside the corporate network, on the other hand, receives the following message:




This completes the main task. Claim rules can also restrict specific client applications (the x-ms-client-application claim passed through in step 5 is what such rules match on). Overall, ADFS combined with O365 gives far more access control than O365 on its own.

