Step 11: Configure AD FS 2.0 on ContosoSrv01 to deny tokens to users

Applies To: Active Directory Federation Services (AD FS) 2.0

In this step, we will configure AD FS 2.0 on ContosoSrv01 so that it does not issue tokens for the SharePoint server to users who do not belong to any of the Domain Admins, sp_visitor, or sp_admin groups.

To configure AD FS 2.0 to authorize users only in certain roles

  1. Log on (if you are not still logged on) to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.

  2. Open the AD FS 2.0 Server Management Console (if it is not still open).

  3. On the Start menu, click All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

  4. In the console tree, double-click Trust Relationships, and then click Claim Provider Trusts.

  5. In the Claims Provider Trusts column, click Active Directory, and then click Edit Claim Rules in the right-hand column.

  6. In the Rule Editor, click Add Rule and in the wizard, click Next.

  7. For the Claim rule name, type Email and Role claim lookup, for Attribute store, select Active Directory. In the LDAP Attribute column, select E-Mail-Addresses for the outgoing E-mail Address claim, and Token-Groups – Unqualified Names for the Role claim, and then click Finish. Click OK to exit the Rules Editor.

  8. In the console tree, double-click Trust Relationships, and then click Relying Party Trusts. In the Relying Party Trusts list, click SharePoint Docs Site on Contoso, and then in the Actions pane, click Edit Claim Rules.

  9. In the Rules Editor, select the top-most rule in the list, and then click Remove Rule. Click Yes in the dialog box that appears.

  10. Click the Issuance Authorization Rules tab, select the single item in the list, and then delete it by clicking Remove Rule.

  11. Now we are going to add three rules that query the role information from the SQL database, based on the e-mail address. The rules are custom rules, and they are the same rules that we added in the previous section. For the first rule, click Add Rule. In the wizard that appears, select Send Claims Using a Custom Rule, and then click Next. The first rule looks up which trial the https://docs.contoso.com/ site belongs to. For the Claim rule name, type Trial Lookup, and for Custom rule, type the following, and then click Finish. (For convenience, this rule is saved in a file called Custom Rule1 on the desktop. You can copy and paste it from there.)

    => add(store = "HOL Doctors Role", types = ("https://schemas.microsoft.com/ws/2008/06/identity/claims/trial"), query = "select trial from dbo.TS where dbo.TS.SharePointSite = {0}", param = "https://docs.contoso.com/");
    
  12. Add a second custom rule. This rule combines the trial value queried by the first rule with the user’s e-mail address to discover which role the user belongs to. To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule, and then click Next. For Claim rule name, type User Role, and for Custom rule, type the following, and then click Finish. (For convenience, this rule is saved in a file called Custom Rule2 on the desktop. You can copy and paste it from there.)

    c1:[Type == "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
     && c2:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/trial"]
     => add(store = "HOL Doctors Role", types = ("https://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"), query = "select role from dbo.URT where dbo.URT.Trial = {1} and dbo.URT.UserName={0}", param = c1.Value, param = c2.Value);
    
  13. Now we create a third custom rule. This rule uses the role claim queried by the second rule to look up the SharePoint role and assign its value to the outgoing role claim. To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule, and then click Next. For Claim rule name, type SharePoint Role, and for Custom rule, type the following, and then click Finish. (For convenience, this rule is saved in a file called Custom Rule3 on the desktop. You can copy and paste it from there.)

    c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"]
     => issue(store = "HOL Doctors Role", types = ("https://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "select dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = {0}", param = c.Value);
    
  14. Now that we have gathered all the role information, we will add three new rules. Each rule checks whether the role value is one of Domain Admins, sp_visitor, or sp_admin. For the first rule, click Add Rule. In the wizard page that appears, keep the default option, Permit or Deny Users Based on an Incoming Claim, and then click Next. On the next page, for Claim rule name, type Permit Domain Admins, for Incoming claim type, select Role in the drop-down menu, and for Incoming claim value, type Domain Admins, and then click Finish.

  15. For the other two rules, repeat the instructions in step 14, using Permit sp_visitor and Permit sp_admin as the Claim rule names and, respectively, sp_visitor and sp_admin as the Incoming claim values.

To try out this scenario, log on to ContosoSrv01 and navigate to https://docs.contoso.com. Sign in as either contoso\administrator or contoso\danielw at the Contoso sign-in page. You will have access to the SharePoint site. This is because contoso\administrator belongs to the Domain Admins group in AD DS and danielw maps to the sp_admin group, based on the information in the SQL database.

Try accessing https://docs.contoso.com from the FabrikamSrv01 computer as fabrikam\frankm. You will see that frankm has access to the SharePoint site because frankm’s e-mail address maps to the sp_visitor role in the SQL database. Now try accessing the https://docs.contoso.com site as fabrikam\alices. You will see access denied for Alice at the Contoso AD FS Web site because Alice’s account does not map to any of the role values for which we just added rules.
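The claim pipeline that steps 11 through 15 configure, and the four sign-in outcomes described above, modelled as an added Python example (not part of the walkthrough and not AD FS code). It assumes an in-memory SQLite stand-in for the HOL Doctors Role store with constructed rows, and it evaluates the permit rules over every Role claim the walkthrough makes available rather than reproducing the AD FS engine's internal stage ordering.

```python
import re
import sqlite3
EMAIL = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
TRIAL = "https://schemas.microsoft.com/ws/2008/06/identity/claims/trial"
INCOMING = "https://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"
ROLE = "https://schemas.microsoft.com/ws/2008/06/identity/claims/role"
PERMITTED = {"Domain Admins", "sp_visitor", "sp_admin"}  # the three permit rules of steps 14-15

# Constructed stand-in for the "HOL Doctors Role" SQL store; 'dbo' is attached so the page's queries run unchanged.
db = sqlite3.connect(":memory:")
db.execute("ATTACH DATABASE ':memory:' AS dbo")
db.executescript("""
CREATE TABLE dbo.TS (SharePointSite TEXT, Trial TEXT);
CREATE TABLE dbo.URT (UserName TEXT, Trial TEXT, Role TEXT);
CREATE TABLE dbo.RS (Role TEXT, SharePointGroup TEXT);
INSERT INTO dbo.TS VALUES ('https://docs.contoso.com/', 'TRIAL-42');
INSERT INTO dbo.URT VALUES ('danielw@contoso.com', 'TRIAL-42', 'Investigator'),
                           ('frankm@fabrikam.com', 'TRIAL-42', 'Monitor');
INSERT INTO dbo.RS VALUES ('Investigator', 'sp_admin'), ('Monitor', 'sp_visitor');
""")

def sql_store(query, params):
    # Model of the SQL attribute store: each {n} placeholder is bound as a parameter, never spliced in.
    sql = re.sub(r"\{(\d+)\}", r":p\1", query)
    return [row[0] for row in db.execute(sql, {f"p{i}": v for i, v in enumerate(params)})]

def transform(incoming):
    # Custom rules of steps 11-13. add() keeps a claim in the pipeline only; issue() also emits it.
    pipeline, outgoing = list(incoming), []
    q = "select trial from dbo.TS where dbo.TS.SharePointSite = {0}"                 # Rule 1: Trial Lookup
    pipeline += [(TRIAL, t) for t in sql_store(q, ["https://docs.contoso.com/"])]
    for email in [v for t, v in pipeline if t == EMAIL]:                              # Rule 2: User Role
        for trial in [v for t, v in pipeline if t == TRIAL]:                          # (c1 && c2 join)
            q = "select role from dbo.URT where dbo.URT.Trial = {1} and dbo.URT.UserName={0}"
            pipeline += [(INCOMING, r) for r in sql_store(q, [email, trial])]
    for role in [v for t, v in pipeline if t == INCOMING]:                            # Rule 3: SharePoint Role
        q = "select dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = {0}"
        outgoing += [(ROLE, g) for g in sql_store(q, [role])]
    return pipeline, outgoing

def decide(incoming):
    # Permit/deny check of steps 14-15 over every Role claim available; returns (permitted, roles_seen).
    pipeline, outgoing = transform(incoming)
    roles = {v for t, v in pipeline + outgoing if t == ROLE}
    return bool(roles & PERMITTED), roles

USERS = {  # constructed incoming claims for the four accounts the walkthrough tries
    "contoso\\administrator": [(EMAIL, "administrator@contoso.com"), (ROLE, "Domain Admins")],
    "contoso\\danielw": [(EMAIL, "danielw@contoso.com"), (ROLE, "Domain Users")],
    "fabrikam\\frankm": [(EMAIL, "frankm@fabrikam.com")],
    "fabrikam\\alices": [(EMAIL, "alices@fabrikam.com")],
}
```

Calling `decide(USERS[name])` for each account reproduces the outcomes above: the administrator is permitted through the AD-sourced Domain Admins claim, danielw and frankm through the SQL-derived sp_admin and sp_visitor groups, and alices is denied because no Role claim matches a permit rule.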

Congratulations! This concludes our walkthrough of federated document collaboration using Microsoft Office SharePoint Server 2007 with AD FS 2.0.