X-Guardian / AdfsDsc

DSC resources for deployment and configuration of Active Directory Federation Services
MIT License

AdfsWebApiApplication: Add Support for Custom Access Control Policy Parameters #20

Open X-Guardian opened 4 years ago

X-Guardian commented 4 years ago

To support custom Access Control Policy Parameters, the MSFT_AdfsAccessControlPolicyParameters class needs extending with the following additional parameters:

| Parameter | Type | ValueMap | Description |
| --- | --- | --- | --- |
| ClaimsParameter | MSFT_AdfsClaim Array | | Specifies the claims to match in the request |
| GroupExceptionParameter | String Array | | Specifies the exception group name |
| ClaimsExceptionParameter | MSFT_AdfsClaim Array | | Specifies the exception claims to match in the request |

The MSFT_AdfsClaim class would contain the following properties:

| Parameter | Type | ValueMap | Description |
| --- | --- | --- | --- |
| ClaimType | String | | Specifies the claim type |
| Operator | String | "Equals", "IsPresent", "RegexMatches", "Contains", "StartsWith", "EndsWith", "IssuerEquals", "OriginalIssuerEquals" | Specifies the claim operator |
| Value | String | | Specifies the claim value |

Example AccessControlPolicyParameters property:

```powershell
AccessControlPolicyParameters = MSFT_AdfsAccessControlPolicyParameters
@{
    GroupParameter           = @(
        'CONTOSO\AppGroup1 Users'
        'CONTOSO\AppGroup1 Admins'
    )
    # Claims to match in the request
    ClaimsParameter          = @(
        MSFT_AdfsClaim
        {
            ClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
            Operator  = 'Equals'
            Value     = 'test'
        }
    )
    # Exception group names
    GroupExceptionParameter  = @(
        'CONTOSO\AppGroup1 Banned Users'
        'CONTOSO\AppGroup1 Banned Admins'
    )
    # Exception claims to match in the request
    ClaimsExceptionParameter = @(
        MSFT_AdfsClaim
        {
            ClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
            Operator  = 'Equals'
            Value     = 'test2'
        }
    )
}
```
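One way the two tables above could be expressed in a DSC `schema.mof`, as an added sketch that is not the project's own code. The `Required`/`Write` qualifiers and the `ClassVersion` values are assumptions, and any existing properties of `MSFT_AdfsAccessControlPolicyParameters` other than `GroupParameter` are omitted.

```mof
// Added illustration, not taken from the AdfsDsc repository.
// Required/Write qualifiers and ClassVersion are assumptions.

[ClassVersion("1.0.0")]
class MSFT_AdfsClaim
{
    [Required, Description("Specifies the claim type")]
    String ClaimType;

    // ValueMap restricts Operator to the values listed in the issue,
    // so a misspelt operator is rejected when the configuration compiles.
    [Required, Description("Specifies the claim operator"),
     ValueMap{"Equals","IsPresent","RegexMatches","Contains","StartsWith",
              "EndsWith","IssuerEquals","OriginalIssuerEquals"},
     Values{"Equals","IsPresent","RegexMatches","Contains","StartsWith",
            "EndsWith","IssuerEquals","OriginalIssuerEquals"}]
    String Operator;

    // Assumed optional here; the issue does not say whether every
    // operator needs a value.
    [Write, Description("Specifies the claim value")]
    String Value;
};

[ClassVersion("1.0.0")]
class MSFT_AdfsAccessControlPolicyParameters
{
    // Shown in the issue's example as an array of group names.
    [Write, Description("Specifies the group names")]
    String GroupParameter[];

    // Arrays of embedded MSFT_AdfsClaim instances are declared as
    // String[] with the EmbeddedInstance qualifier naming the class.
    [Write, EmbeddedInstance("MSFT_AdfsClaim"),
     Description("Specifies the claims to match in the request")]
    String ClaimsParameter[];

    [Write, Description("Specifies the exception group name")]
    String GroupExceptionParameter[];

    [Write, EmbeddedInstance("MSFT_AdfsClaim"),
     Description("Specifies the exception claims to match in the request")]
    String ClaimsExceptionParameter[];
};
```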