After some success with simple rules, I have run into problems with ADFS claim rules in the PowerShell snap-in:
- How to delete a rule. EDIT: => the poor man's way seems to be to just define a new, empty rule set.
- How to append a rule without having to set all rules in one command.
- The syntax for logical decisions inside a rule. My attempt:
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules 'c1:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] &&
    (NOT EXISTS([type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip", Value =~ "^(?i)2003:6a:7d12:3f58:148:f23:cdc4:4181$"]))
    => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'
Whatever I do, this produces an error at "NOT EXISTS". Any help is much appreciated. The idea is to require MFA for all external IPs except a list of IPs (regex).
EDIT: I TRIED THE FOLLOWING
The only thing I still cannot get to work is the IP address check. Is there a way I can debug to see what is going on (whether the IP is found, the result of the regex, etc.)?
$RhtMfaClaimRule = 'NOT EXISTS([type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip", Value =~ "^(?i)81.151.139.145$"]) => add(type = "http://schemas.company.com/temp", value = "true");
c1:[type == "http://schemas.company.com/temp"] &&
c2:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'
Set-AdfsAdditionalAuthenticationRule $RhtMfaClaimRule
EDIT: Learned from logging. The rules themselves seem to be fine, because with the regex ".*" for the filtered IP, MFA is switched off from outside as expected. But as soon as I change it to anything other than ".*", I am prompted for MFA again. So I suspect the client-ip claim and looked at the logs. I can see that the calling IP is visible in the request context headers, so far so good, but in thousands of trace entries I have not yet seen the client-ip claim. I suspect I have to tell Office 365 to forward it in my ADFS dashboard under "Edit Claim rules for Microsoft Identity Platform". Any idea exactly which client-ip claim I need to add to be forwarded?
EDIT. Probably SOLVED
The post shown below helped. The ms-client-ip claim used above apparently only works for internal clients. Desperation made me actually look at the claim details, and replacing the x-ms-client claim from the request context with the claim below apparently works: the initial test was successful.
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
1 Answer
You can't do that with EXISTS rules, AFAIK.
Try something like:
NOT EXISTS([type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip", Value =~ "^(?i)2003:6a:7d12:3f58:148:f23:cdc4:4181$"]) => add(type = "http://schemas.company.com/temp", value = "true");
Then:
c1:[type == "http://schemas.company.com/temp"] && c2:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");
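The following PowerShell is an added example, not code from the question or the answer above. It puts the answer's two-rule pattern (mark trusted IPs with a temporary claim, then require MFA when that claim is absent and the request is external) together with the three things the question asked about: building the rule text from a list rather than hand-editing it, appending to the existing global rule set instead of overwriting it, and checking the regex locally before pushing it to ADFS. It uses the x-ms-forwarded-client-ip claim type that the asker reported working. Assumptions: the trusted IP list is a constructed placeholder, Get-AdfsAdditionalAuthenticationRule is assumed to return the current rule text as a string, and the @RuleName lines are optional labels in the claim rule language.

```powershell
# Added example (not from the question or answer). Assumes the ADFS PowerShell
# module is loaded on an ADFS server with Get-/Set-AdfsAdditionalAuthenticationRule.

# Claim types used by the rules.
$ClientIpType   = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip'
$InsideCorpType = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$AuthMethodType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$MfaValue       = 'http://schemas.microsoft.com/claims/multipleauthn'
$TempType       = 'http://schemas.company.com/temp'   # marker claim, as in the answer

# Constructed allow-list (placeholder values). Each entry is regex-escaped so a
# dot matches only a dot, and the whole pattern is anchored with ^ and $, so
# "81.151.139.145" does not also match "81x151x139x1450" or a longer string.
$TrustedIps   = @('81.151.139.145', '2003:6a:7d12:3f58:148:f23:cdc4:4181')
$TrustedRegex = '^(?i)(' + (($TrustedIps | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

# Rule template. Single-quoted here-string plus -f keeps PowerShell from
# interpreting $ inside the regex; {n} placeholders are filled below.
$RuleTemplate = @'
@RuleName = "Mark trusted external IPs"
NOT EXISTS([Type == "{0}", Value =~ "{1}"])
  => add(Type = "{2}", Value = "true");

@RuleName = "Require MFA from untrusted external IPs"
c1:[Type == "{2}"] &&
c2:[Type == "{3}", Value == "false"]
  => issue(Type = "{4}", Value = "{5}");
'@
$MfaRules = $RuleTemplate -f $ClientIpType, $TrustedRegex, $TempType, $InsideCorpType, $AuthMethodType, $MfaValue

# Local check before touching ADFS: the claim rule language uses .NET regex,
# so the same pattern can be tested here with constructed sample values.
foreach ($sample in @('81.151.139.145', '81x151x139x145', '203.0.113.7')) {
    $hit = [regex]::IsMatch($sample, $TrustedRegex)
    Write-Host ("{0,-40} trusted={1}" -f $sample, $hit)
}

# Append instead of overwrite: read the current global rule set, skip if our
# named rule is already there, otherwise concatenate and write back.
[string]$Existing = Get-AdfsAdditionalAuthenticationRule   # assumed to return the rule text
if ($Existing -match 'Require MFA from untrusted external IPs') {
    Write-Warning 'Rule already present; not appending a second copy.'
} else {
    $Combined = if ($Existing) { "$Existing`n$MfaRules" } else { $MfaRules }
    Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $Combined
}

# Removing a single rule means rewriting the whole set without it; the
# question's "poor man's" delete is to push an empty set, e.g.:
# Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $null
```

Two points worth keeping in mind when reusing this. First, the second rule only fires when the marker claim is present and insidecorporatenetwork is "false", so a request that carries no forwarded-client-ip claim at all is treated as untrusted and gets MFA, which is the safe default for an allow-list. Second, the regex is the allow-list: an unescaped dot or a missing anchor silently widens it, which is why the example escapes each entry and tests the pattern against near-miss samples before it is applied.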