ADFS 2.0 Authorization Rules...Need More Info On Why User Is Not Authorized

  • Question

  • I'm trying to figure out a way to get ADFS to return more detailed info in the AuthorizationFailedException.  There are many reasons a user might not be authorized based on how I have rules set up for each relying party.  I'd like to take a specific action based on why they aren't authorized. The only property available is the relying party identifier.

    I have an ADFS authorization rule that calls a stored procedure to figure out if a given user is authorized to access the relying party and returns some additional data about why a user isn't authorized.  It's in the format of [authorized(true|false)|reason].  So the authorized claim might look like false|NeedApproval. In this case, I'd want to kick off some workflow to request access for the user...but that's outside of the scope of ADFS.

    I created a custom attribute store that takes the authorization claim as a parameter and parses it.  I was hoping if I threw a custom exception with the appropriate data it would bubble up to error.aspx and I could handle it appropriately.  However, any exception that occurs in an attribute store gets thrown away by ADFS and ultimately an AuthorizationFailedException is returned.

    I'm trying to avoid making an additional call in error.aspx to determine why a user isn't authorized since I've already made the call...but it's not looking feasible.  Any suggestions are appreciated.

    Friday, February 8, 2013 10:26 PM

All replies

  • Mind that the error.aspx page only works for the WS-Federation protocol, not the SAML protocol...

    MCPD

    Tuesday, February 12, 2013 1:33 PM
  • Good point.  Any suggestions on how I could intercept an unauthorized response from ADFS and act accordingly?  ADFS isn't very extensible...might be easier if most classes weren't marked as internal.
    Tuesday, February 12, 2013 2:37 PM
  • It's challenging indeed. You can try this:

    Enable form-based auth

    Enable Integrated auth in IIS on form-based

    Check in formssignin.aspx.cs if the user has the correct rights in SQL (the user doesn't have to log in here due to the Integrated auth enabled in IIS). You can get the currently logged-on identity out of some property.

    -If not, show the error message there

    -If the user has the correct rights: redirect to integrated auth.

    We've implemented a scenario which looks a lot like yours. I can tell you the scenario above works.

    MCPD

    • Edited by Robin Gaal Wednesday, February 13, 2013 12:47 PM
    Wednesday, February 13, 2013 12:42 PM
  • How would you handle SSO scenarios where formssignin.aspx will never get hit?  Also, we're using ADFS in a non-standard fashion.  We're using it as an Idp for external accounts (non-corporate) so integrated auth will never work.  I think I'm going to have to crack open the ADFS dlls and figure out if using AOP will allow me to intercept the request at the right point and act appropriately.  I'll be sure to post if I figure out a solution.
    Wednesday, February 13, 2013 2:32 PM
  • How would you handle SSO scenarios where formssignin.aspx will never get hit?  Also, we're using ADFS in a non-standard fashion.  We're using it as an Idp for external accounts (non-corporate) so integrated auth will never work.  I think I'm going to have to crack open the ADFS dlls and figure out if using AOP will allow me to intercept the request at the right point and act appropriately.  I'll be sure to post if I figure out a solution.

    So you are already using form-based (formssignin.aspx) to authenticate the user? This makes it easier. There should be a way without reflecting the ADFS DLLs...

    MCPD

    Wednesday, February 13, 2013 3:42 PM
  • Yes, we're using forms authentication.  It would be easy to catch on first login (and we are).  However, if the user is already logged in and accesses another application the forms sign in page never gets hit because they are SSO'd into the app. 
    Wednesday, February 13, 2013 4:13 PM
  • Valid point... Maybe you can make the RPs catch the denied claim and do something there?

    MCPD

    Thursday, February 14, 2013 11:42 AM
  • I second Shawn's interest in being able to tap into the behavior of what happens when ADFS's claims issuance policies are not satisfied in the passive authentication case... e.g., it would be nice to be able to redirect the user to another federated claims provider that can supply the necessary claims, or display a message on how to request access, but it means a lot of duplicate work if the context for why ADFS denied access is absent.


    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM


    • Edited by Steve Kradel Thursday, February 14, 2013 3:43 PM
    Thursday, February 14, 2013 3:42 PM
  • Figured I'd update everyone on my findings.  I spoke with the Microsoft ADFS experts and they didn't have a good solution either.  I ended up writing an HttpModule that I plugged into the ADFS website.  On PreSendRequestContent I inspect the response to see if it is an authorization failed response.

    If it's a SAML response I decode and inspect the value of the SAMLResponse for urn:oasis:names:tc:SAML:2.0:status:RequestDenied.

    If it's WS-Fed I look for the content I display on error.aspx when it's an authorization failure. 

    In both scenarios I clear the contents of the response, set the status code to redirect, and set the redirect location to an application that doesn't have any authorization rules with the original application passed as a query string parameter.  Its job is to figure out why the user wasn't authorized to the original application and take the appropriate action.

    I'm going to create a custom attribute store that calls a web service to figure out if a user is authorized.  This should ensure a consistent response between ADFS and my routing application that figures out why a user wasn't authorized. 

    Wednesday, March 20, 2013 9:42 PM
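    The inspection step Shawn describes above (decode the SAMLResponse, look for urn:oasis:names:tc:SAML:2.0:status:RequestDenied, otherwise look for the error.aspx content, then redirect to a routing application with the original RP as a query parameter) is shown below as an added example. It is not code from this thread or from ADFS, and it is written in Python rather than as a .NET HttpModule so it can be run stand-alone against a constructed HTTP-POST binding page. The router URL, the WS-Fed error marker text and the sample relying-party URLs are assumptions; the thread does not name them.

```python
import base64
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Assumed: the routing application that has no authorization rules of its own
# and works out why access was denied (placeholder URL, not from the thread).
ROUTER_URL = "https://router.example.test/why-denied"
# Assumed: text the error.aspx page shows on an authorization failure. The
# thread does not quote the real text, so this is a constructed stand-in.
WSFED_DENIED_MARKER = "Authorization failed for relying party"

# Hidden field of the SAML HTTP-POST binding form that ADFS writes to the RP.
_SAML_FIELD = re.compile(
    r'<input\b[^>]*\bname="SAMLResponse"[^>]*\bvalue="([^"]*)"', re.IGNORECASE)


def extract_saml_response(body):
    """Return the base64 SAMLResponse from an HTTP-POST binding page, or None."""
    m = _SAML_FIELD.search(body)
    return html.unescape(m.group(1)) if m else None


def parse_saml_response(encoded):
    """Decode a SAMLResponse and return its Destination and StatusCode chain.

    SAML 2.0 nests second-level codes such as RequestDenied inside a top-level
    Responder/Requester code, so the chain is walked outermost first.
    The body comes from the federation server itself here; for untrusted XML
    use a hardened parser such as defusedxml instead of ElementTree.
    """
    root = ET.fromstring(base64.b64decode(encoded))
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    codes = []
    node = root.find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("{%s}StatusCode" % SAMLP)
    return {"destination": root.get("Destination"), "status_codes": codes}


def inspect_response(body, relying_party):
    """Decide whether an ADFS passive response is an authorization denial.

    Returns None when the response should pass through untouched, otherwise
    the redirect location for the router, carrying the original RP so the
    router can work out why the user was not authorized to it.
    """
    encoded = extract_saml_response(body)
    if encoded is not None:
        protocol = "saml"
        denied = STATUS_REQUEST_DENIED in parse_saml_response(encoded)["status_codes"]
    else:
        protocol = "ws-fed"
        denied = WSFED_DENIED_MARKER in body
    if not denied:
        return None
    return ROUTER_URL + "?" + urlencode({"rp": relying_party, "protocol": protocol})


# --- constructed sample data (not captured from a real ADFS server) ---------

def build_saml_response(*status_codes):
    """Constructed samlp:Response with the given StatusCode chain."""
    inner = ""
    for code in reversed(status_codes):
        inner = '<samlp:StatusCode Value="%s">%s</samlp:StatusCode>' % (code, inner)
    return ('<samlp:Response xmlns:samlp="%s" ID="_constructed-1" Version="2.0" '
            'IssueInstant="2013-03-20T21:42:00Z" InResponseTo="_constructed-req" '
            'Destination="https://rp.example.test/saml/acs">'
            '<samlp:Status>%s</samlp:Status></samlp:Response>' % (SAMLP, inner))


def post_form(xml_text):
    """Constructed HTTP-POST binding page carrying the encoded response."""
    encoded = base64.b64encode(xml_text.encode()).decode()
    return ('<html><body onload="document.forms[0].submit()">'
            '<form method="post" action="https://rp.example.test/saml/acs">'
            '<input type="hidden" name="SAMLResponse" value="%s" />'
            '</form></body></html>' % html.escape(encoded, quote=True))


DENIED_PAGE = post_form(build_saml_response(STATUS_RESPONDER, STATUS_REQUEST_DENIED))
SUCCESS_PAGE = post_form(build_saml_response(STATUS_SUCCESS))
WSFED_DENIED_PAGE = "<html><body>%s https://rp.example.test</body></html>" % WSFED_DENIED_MARKER

if __name__ == "__main__":
    for name, page in (("saml denied", DENIED_PAGE), ("saml success", SUCCESS_PAGE),
                       ("ws-fed denied", WSFED_DENIED_PAGE)):
        print(name, "->", inspect_response(page, "https://rp.example.test"))
```

    Two points carry over to a real HttpModule. First, PreSendRequestContent does not hand the module the response body; it has to be buffered through a Response.Filter stream earlier in the pipeline so it can be examined and discarded before the redirect is written. Second, the check matches the status code chain rather than searching the raw text for the RequestDenied URN, so an assertion or attribute that merely mentions the string does not trigger a redirect.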
  • Shawn,

    This sounds like a workable solution. Is there any way that you can post your HTTP module code or point to the sample that you used to get you started?

    - Hugh

    Monday, May 6, 2013 11:02 PM