Step 3: Setup ADFS Authorization

ADFS offers two different ways to authorize users for a relying party:

  • Permit all users to access this relying party: this setting permits all users to access the Starmind application.

  • Deny all users access to this relying party: this setting denies all users access to the Starmind application. You must later add "Issuance Authorization" rules to allow certain users or groups to access the Starmind application.

Explicitly Grant Access

You need to add a new Issuance Authorization Rule to the previously configured Relying Party Trust to explicitly grant access to certain users or certain AD groups.

"StarmindAllowed" is an Active Directory group we added specifically for this purpose.

Claim rule language, where "S-1-5-21-3117998965-3487899567-1920054627-1603" is the GroupSID of the group "StarmindAllowed":

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-3117998965-3487899567-1920054627-1603$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
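The same "deny everyone, then explicitly permit one AD group" setup can be scripted on the ADFS server instead of clicking through the claim rule editor. The following PowerShell is an added example, not part of the Starmind documentation; it assumes the Relying Party Trust is named "Starmind" (a placeholder), that the ActiveDirectory and ADFS modules are available, and it resolves the SID of "StarmindAllowed" from AD rather than typing it by hand. It also checks afterwards that no "permit all users" template rule is left behind, which is the mistake that most often makes a group restriction ineffective.

```powershell
# Added example (not from the Starmind documentation). Run elevated on the ADFS server.
# Assumptions: relying party trust display name "Starmind", AD group "StarmindAllowed",
# RSAT ActiveDirectory module installed.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName    = 'Starmind'          # assumed relying party trust display name
$groupName = 'StarmindAllowed'   # group named on this page

# Resolve the SID from AD instead of copying it by hand; a mistyped SID would
# silently permit nobody, and an unanchored one could match the wrong group.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value
if ($groupSid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
    throw "Unexpected SID '$groupSid' for group $groupName"
}

# A SID contains no regex metacharacters, but escaping keeps the rule correct
# if this snippet is reused for other claim values.
$sidPattern = [regex]::Escape($groupSid)

# Setting the rule set replaces whatever was there, including any
# "Permit all users" (AllowAllAuthzRule) template rule. When no permit claim is
# issued for a user, ADFS denies access, so this is the "deny all, then add
# Issuance Authorization rules" option described above.
# ^ and `$ anchor the match so SID ...-1603 cannot also match ...-16030.
$authzRules = @"
@RuleName = "Permit members of $groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$sidPattern`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Verify what ADFS actually stored: only the group rule, no permit-all template.
$stored = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
if ($stored -match 'AllowAllAuthzRule') {
    throw 'A permit-all authorization rule is still present; group restriction is ineffective'
}
if ($stored -notmatch [regex]::Escape($groupSid)) {
    throw 'Group permit rule was not stored'
}
$stored
```

The verification step matters because `Set-AdfsRelyingPartyTrust` overwrites the whole rule set: if a later administrator re-adds the "Permit all users" template through the GUI, the group rule stays in place but no longer restricts anything, since any permit claim is enough for ADFS to authorize the user.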