Consider the sample scenario below:
Is this possible? Can AD FS 2.0 be restricted to work only for a particular OU?
Restricting AD FS 2.0 itself to a specific OU is not feasible (from the resources I read and in my opinion): the Active Directory claims provider trust authenticates any account in the domain. What we can do is restrict access to a given application to the users within a specific OU, by deciding at token-issuance time whether the authenticated account sits under that OU.
This can be accomplished in two steps.
Add a claim rule that extracts the user's AD object DN.
• In the AD FS 2.0 management console go to AD FS 2.0 -> Trust Relationships -> Claims Provider Trusts, select Active Directory and click Edit Claim Rules.
• Under Acceptance Transform Rules add a new rule (template: Send LDAP Attributes as Claims) with
  Claim rule name – DN (any name will do)
  LDAP attribute – distinguishedName
  Outgoing claim type – http://temp.org/claims/DistinguishedName
• This issues the distinguished name of the authenticating user as a claim, so every later rule can see where in the directory tree the account lives.
Add a new issuance authorization rule (on the relying party trust of the application in question) that permits only users under the chosen OU.
• Go to the AD FS 2.0 management console -> Trust Relationships -> Relying Party Trusts, select the application and click Edit Claim Rules.
• On the Issuance Authorization Rules tab (the second tab), remove the existing "Permit Access to All Users" rule (if present) and add a new rule using the template Send Claims Using a Custom Rule. Name: XXX (any value).
Custom rule:
c:[Type == "http://temp.org/claims/DistinguishedName", Value =~ "^.*,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
The pattern is anchored on the comma before the OU and on the end of the string; without those anchors a sibling OU such as OU=EMPLOYEES-EXT, or an OU named EMPLOYEES elsewhere in the tree, would also be permitted. The match is a .NET regular expression and is case-sensitive as written, so type the OU path exactly as it appears in the directory or prefix the pattern with (?i). AD FS denies access when no permit claim is issued, so no explicit deny rule is needed; removing the "Permit Access to All Users" rule is what actually closes the door.
For example: users in OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB would have access
Users in OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB would have access
Users in OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB would NOT have access
Note that this only stops AD FS from issuing a token for this relying party: a user outside the OU still authenticates to AD FS and can obtain tokens for any other relying party whose rules permit it. The DN is queried from AD on every token request, so moving an account into or out of the OU takes effect on the next request.
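The same two steps as a script, added here as an example and not part of the original post: it builds the acceptance rule and the issuance authorization rule, checks the OU pattern against constructed sample DNs with the same .NET regex engine AD FS uses, and applies both rules with the AD FS 2.0 PowerShell snap-in. The relying party name "Sample App" and the sample DNs are assumptions; the claim type and OU path are the ones from the post. Unlike the post's rule, the pattern here is prefixed with (?i) so that DN case does not matter.

```powershell
# Added example (not from the original post). Assumed: relying party "Sample App".
$DnClaimType = 'http://temp.org/claims/DistinguishedName'
$PermitType  = 'http://schemas.microsoft.com/authorization/claims/permit'
$AllowedOu   = 'OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB'

# Match only DNs that END with ",<AllowedOu>": the leading comma rejects a sibling
# OU whose name merely starts with EMPLOYEES, and the $ anchor rejects an OU named
# EMPLOYEES that sits elsewhere in the tree. (?i) makes the match case-insensitive,
# because =~ is a .NET regex and DN case follows whatever was typed at creation.
$OuPattern = '(?i)^.*,' + [regex]::Escape($AllowedOu) + '$'

# Step 1: acceptance transform rule on the "Active Directory" claims provider trust,
# in the form the "Send LDAP Attributes as Claims" template generates.
$AcceptanceRule = @"
@RuleName = "DN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$DnClaimType"), query = ";distinguishedName;{0}", param = c.Value);
"@

# Step 2: issuance authorization rule for the relying party. AD FS denies by default,
# so replacing "Permit Access to All Users" with this single permit rule is enough.
$AuthzRule = @"
@RuleName = "Permit users under $AllowedOu"
c:[Type == "$DnClaimType", Value =~ "$OuPattern"]
 => issue(Type = "$PermitType", Value = "PermitUsersWithClaim");
"@

function Test-AllowedDn {
    # Evaluates the same regex the authorization rule uses against one DN.
    param([Parameter(Mandatory)][string]$Dn)
    return [regex]::IsMatch($Dn, $OuPattern)
}

# Constructed sample DNs (not real accounts) with the expected decision.
$Samples = @(
    @{ Dn = 'CN=Alice,OU=Users,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB';   Expect = $true  }
    @{ Dn = 'CN=Bob,OU=Admins,OU=EMPLOYEES,OU=Org-Users,DC=ADCORP,DC=LAB';    Expect = $true  }
    @{ Dn = 'CN=Carol,OU=Users,OU=CONTRACTORS,OU=Org-Users,DC=ADCORP,DC=LAB'; Expect = $false }
    @{ Dn = 'CN=Dave,OU=EMPLOYEES-EXT,OU=Org-Users,DC=ADCORP,DC=LAB';         Expect = $false } # sibling OU, longer name
    @{ Dn = 'CN=Erin,OU=EMPLOYEES,OU=Org-Users,OU=Archive,DC=ADCORP,DC=LAB';  Expect = $false } # same name, other subtree
    @{ Dn = 'CN=Frank,OU=employees,OU=org-users,DC=adcorp,DC=lab';            Expect = $true  } # only the case differs
)
foreach ($s in $Samples) {
    $got    = Test-AllowedDn -Dn $s.Dn
    $status = if ($got -eq $s.Expect) { 'OK  ' } else { 'FAIL' }
    "$status permit=$got  $($s.Dn)"
}

function Set-OuRestriction {
    # Applies both rules on an AD FS 2.0 server. The DN rule is APPENDED to the
    # existing acceptance rules (keeping the default pass-through rules); the relying
    # party's issuance authorization rules are REPLACED, which drops "Permit Access
    # to All Users" as the post requires.
    param([Parameter(Mandatory)][string]$RelyingPartyName)
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    $cpt = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
    if ($cpt.AcceptanceTransformRules -notmatch [regex]::Escape($DnClaimType)) {
        Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
            -AcceptanceTransformRules ($cpt.AcceptanceTransformRules + "`r`n" + $AcceptanceRule)
    }
    Set-ADFSRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceAuthorizationRules $AuthzRule
}

# Set-OuRestriction -RelyingPartyName 'Sample App'
```

The sample check runs on any Windows PowerShell host; only Set-OuRestriction needs an AD FS 2.0 server and an administrator session. Because it overwrites the relying party's issuance authorization rules, record the current value of IssuanceAuthorizationRules from Get-ADFSRelyingPartyTrust before running it.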
For more details about adding DN, please refer to this link and for details about adding the custom rule, refer to the msdn post.