To do this before the Issuance rules, you'll probably have to modify the IdpInitiatedSignOn.aspx and write some custom code.
Guess you already know about Issuance Rules... But in case someone else doesn't mind Issuance coming after the authentication - or you haven't found a solution...
If you have Exchange or another way (I've done this with PowerShell) of building Dynamic Groups based on OU (http://technet.microsoft.com/en-us/library/bb123722.aspx), you can put them in groups based on their OU. Note that if you use Exchange, you'll have issues if OU 1 or OU 2 is a child of one another...
You can then (in the relying party claims) create an "Issuance Authorization Rule" to Deny Access to a particular Group SID. You just punch in the group you want to deny, and after they try to authenticate (correct password or no) they get denied. (The message is not pretty.)
They'll get the standard-looking "You've misconfigured something" ADFS message with the following info:
Access Denied
Server Name
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
You are not authorized to access this site.
Contact your administrator for more information.
Reference number: dddddd-71aa-26bb-dd34-e4569b8c04452
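One way to script the OU-based group and the deny rule described above, as an added example that is not part of the original answer. It assumes it runs on the AD FS server with the ActiveDirectory and ADFS modules available; the OU, group name and relying party trust name are placeholders.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the answer.
Import-Module ActiveDirectory
Import-Module ADFS

$OuDn      = 'OU=Blocked,DC=example,DC=com'   # OU whose users should be denied
$GroupName = 'ADFS-Deny-Blocked-OU'            # existing security group that mirrors the OU
$RpName    = 'Example Relying Party'           # display name of the relying party trust

# 1. Mirror the OU into the group. OneLevel leaves users in child OUs out,
#    so a parent OU and its child OU never end up in the same group.
$wanted  = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope OneLevel)
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'user' })

$toAdd    = @($wanted  | Where-Object { $_.DistinguishedName -notin $current.DistinguishedName })
$toRemove = @($current | Where-Object { $_.DistinguishedName -notin $wanted.DistinguishedName })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

# 2. Build the issuance authorization rules: permit everyone, then deny the group SID.
#    A deny claim wins over a permit claim, so group members are refused after sign-in.
$sid = (Get-ADGroup -Identity $GroupName).SID.Value

$rules = @"
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny $GroupName"
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
"@

# 3. Apply. This overwrites whatever authorization rules the trust already has,
#    so export the current ones first if they need to be kept.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceAuthorizationRules |
    Set-Content -Path ".\$RpName-authz-rules.bak.txt"
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $rules
```

Running step 1 on a schedule keeps the group in line with the OU; the rule itself only needs to be set once.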