So far we have finished deploying ADFS. In the earlier tests we saw that sign-in is already redirected to the local ADFS, and we could also see some audit logs. Now comes the core of the work: using Claim Rules to restrict which users may sign in from which locations.


To implement the scenario described earlier, ADFS relies mainly on claim rules. They support a wide range of scenarios, and Microsoft has fairly detailed documentation and demos showing how to use them. Before configuring anything, check the official documentation to see whether it covers what you want, then adapt the corresponding rules to your own needs.


For the supported rules and scenarios, see Microsoft's official documentation:

Limiting Access to Office 365 Services Based on the Location of the Client
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh526961(v=ws.10)#build

Client Access Policy Scenarios
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh526961(v=ws.10)#client-access-policy-scenarios



This documentation is for ADFS 2.0, but I tried it on 2012 R2 and it still seems to work. Now let's look at the concrete steps.


Restricting where users can sign in from is, put simply, restricting the sign-in IP address. ADFS supports many scenarios, and the one we need is among those listed here:


Scenario: Block all external access to Office 365
Description: Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.

Scenario: Block all external access to Office 365, except Exchange ActiveSync
Description: Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.

Scenario: Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online
Description: Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.

Scenario: Block all external access to Office 365 for members of designated Active Directory groups
Description: This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.



Next, let's look at the concrete configuration.


1. Open the ADFS Management console, go to Trust Relationships -> Claims Provider Trusts, and click Edit Claim Rules on the right.

(image 046.png)


2. Select Add Rule.

(image 047.png)


3. Select Pass Through or Filter an Incoming Claim.

(image 048.png)


4. In the incoming claim type field, enter http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip

(image 049.png)


5. Then add the other rules in turn, one pass-through rule for each of the following claim types:

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path

(image 050.png)


6. Go to Trust Relationships -> Relying Party Trusts, right-click the trust and choose Edit Claim Rules.

(image 051.png)


7. On the Issuance Authorization Rules tab, click Add Rule.

(image 052.png)


8. Select Send Claims Using a Custom Rule.

(image 053.png)


9. This is the key step: enter your deny rule here. This rule is what restricts where users can sign in from.

(image 054.png)


Two things to note here. The first is Value =~ "S-1-5-21-2595707816-3332463818-32960013-1109": this is the SID of a group. Add the users you want to restrict to this group, then put the group's SID into the rule. The second is Value =~ "customer-provided public ip address regex": here you enter an IP address or a regular expression. This IP effectively acts as a whitelist, meaning users are allowed only when they access from this IP and are denied otherwise (this applies to external users only).

    

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2595707816-3332463818-32960013-1109"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "customer-provided public ip address regex"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");


Once the rule is saved, move it up in the rule order so it takes priority. With this rule in place, we get the final effect.
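To make the deny rule's logic concrete, here is an added Python model of how ADFS evaluates it against one request's claims. This is illustration code written for this page, not code from the post or from Microsoft. It uses the claim types and the group SID quoted in the rule above; the allowed-IP pattern (a TEST-NET-3 range), the proxy host name and the sample requests are constructed. The last two cases show the edge case that matters most in practice: =~ is a regular-expression match, so an unanchored pattern with unescaped dots matches more addresses than intended and quietly widens the whitelist.

```python
import re

# Claim types referenced by the post's deny rule (real ADFS request-context claim types).
PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
FWD_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

# Group SID quoted in the post. The IP pattern is a constructed stand-in for the
# "customer-provided public ip address regex" placeholder (TEST-NET-3, 203.0.113.10-29).
RESTRICTED_GROUP_SID = "S-1-5-21-2595707816-3332463818-32960013-1109"
ALLOWED_IP_REGEX = r"^203\.0\.113\.(1[0-9]|2[0-9])$"


def exists(claims, claim_type, value_regex=None):
    """Model the claim-rule predicate exists([Type == ..., Value =~ ...]).

    Claims are (type, value) pairs. With no pattern, any claim of the type
    satisfies the predicate; with a pattern, the value must match. Like the
    =~ operator, the match is an unanchored regular-expression search.
    """
    return any(
        ctype == claim_type and (value_regex is None or re.search(value_regex, value))
        for ctype, value in claims
    )


def evaluate_deny_rule(claims, group_sid=RESTRICTED_GROUP_SID, ip_regex=ALLOWED_IP_REGEX):
    """Apply the post's issuance authorization rule to one request's claims.

    Returns the issued claims: [(DENY, "true")] when the request came through
    the proxy (external), the user is in the restricted group, and the forwarded
    client IP does not match the allowed pattern; otherwise an empty list.
    """
    came_via_proxy = exists(claims, PROXY)
    in_restricted_group = exists(claims, GROUP_SID, group_sid)
    from_allowed_ip = exists(claims, FWD_IP, ip_regex)
    if came_via_proxy and in_restricted_group and not from_allowed_ip:
        return [(DENY, "true")]
    return []


def is_denied(claims, **rule_params):
    """True when the deny rule issues the deny claim for this request."""
    return evaluate_deny_rule(claims, **rule_params) != []


def request_claims(external, group_sids, client_ip):
    """Build a constructed claim set resembling what ADFS holds for one request.

    external=True adds the x-ms-proxy claim, which is present only when the
    request arrived through the federation / Web Application Proxy.
    """
    claims = [(GROUP_SID, sid) for sid in group_sids]
    claims.append((FWD_IP, client_ip))
    if external:
        claims.append((PROXY, "wap-01"))  # constructed proxy host name
    return claims


if __name__ == "__main__":
    other_group = "S-1-5-21-2595707816-3332463818-32960013-513"  # constructed: Domain Users RID
    cases = [
        ("internal user in group", request_claims(False, [RESTRICTED_GROUP_SID], "10.1.2.3"), {}),
        ("external, in group, allowed IP", request_claims(True, [RESTRICTED_GROUP_SID], "203.0.113.15"), {}),
        ("external, in group, other IP", request_claims(True, [RESTRICTED_GROUP_SID], "198.51.100.7"), {}),
        ("external, not in group", request_claims(True, [other_group], "198.51.100.7"), {}),
        # Edge case: the loose pattern 203.0.113.1 also matches 203.0.113.199,
        # so the deny rule lets that address through; the anchored form does not.
        ("loose regex 203.0.113.1", request_claims(True, [RESTRICTED_GROUP_SID], "203.0.113.199"),
         {"ip_regex": r"203.0.113.1"}),
        ("anchored regex ^203\\.0\\.113\\.1$", request_claims(True, [RESTRICTED_GROUP_SID], "203.0.113.199"),
         {"ip_regex": r"^203\.0\.113\.1$"}),
    ]
    for label, claims, params in cases:
        print(f"{label:40s} -> {'DENY' if is_denied(claims, **params) else 'allow'}")
```

Run it as-is to see each case decided. The practical takeaway is the pattern you paste into the rule: anchor it with ^ and $ and escape the dots, otherwise an IP in the whitelist becomes a prefix that matches other addresses.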


Here is what sign-in looks like for a normal user:

(image 图片1.png)


But if the user signs in from an external network, they receive the following message:

(image 图片2.png)



At this point our work is essentially done. Claim rules can also restrict specific products; overall, the access control achievable with ADFS + O365 is far more powerful than what O365 alone provides.