Consider the following scenario:
1. View the Relying Party Trust identifier(s)

a. In AD FS 2.x Management, right-click the Contoso SharePoint relying party trust and select Properties.
b. Select the Identifiers tab and note every URI value in the list box. The error page code in step 3 matches on one of these values, so record them exactly as shown.

2. Create an Issuance Authorization Rule to restrict access to Contoso SharePoint

a. In AD FS 2.x Management, right-click the Contoso SharePoint relying party trust and select Edit Claim Rules.
b. Select the Issuance Authorization Rules tab.
c. Remove every Issuance Authorization Rule in the list that no longer applies. In particular, remove the "Permit Access to All Users" rule that the Add Relying Party Trust Wizard creates by default; as long as it remains, every authenticated user is permitted regardless of the rule you add next.
d. Click Add Rule to add a new Issuance Authorization Rule.
e. Claim rule template: Permit or Deny Users Based on an Incoming Claim. Click Next.
f. Claim rule name: Permit Only Sales Staff Members
g. Incoming claim type: Group SID
h. Incoming claim value: click Browse and resolve the Active Directory group Sales Staff.
i. Select Permit access to users with this incoming claim.
j. Click Finish, then OK.

AD FS grants access only when at least one issuance authorization rule issues a permit claim and none issues a deny claim. With this single rule in place, any user who is not a member of Sales Staff is denied, and that denial is what sends the user to error.aspx, which step 3 customizes.

3. Edit error.aspx.cs

Note: Do not copy and paste the code samples from this page directly into the file. Either type them manually, or first paste them into a plain-text editor that applies no special character formatting.

a. In Windows Explorer, browse to C:\inetpub\adfs\ls
b. Make a backup copy of the original error.aspx.cs file.
c. Open error.aspx.cs for editing in a text editor (e.g. Notepad).
d. Find the following lines of code:

```csharp
protected void Page_Load( object sender, EventArgs e )
{
    AuthorizationFailedException authorizationException = Exception as AuthorizationFailedException;
    AuthenticationFailedException authenticationException = Exception as AuthenticationFailedException;

    if( authorizationException != null )
    {
```

e. Move your cursor to the next line down, and replace the following code:

```csharp
//
// To provide customized authorization error messages, inspect the RequestedRelyingParty
// property of the authorizationException. It will contain the identifier of
// the Relying Party Trust for whom the user is not authorized.
//
ExceptionMessageLabel.Visible = true;
ExceptionMessageLabel.Text = Resources.CommonResources.UnauthorizedText;
Title = Resources.CommonResources.AccessDeniedTitle;
```

with the following code:

```csharp
//
// To provide customized authorization error messages, inspect the RequestedRelyingParty
// property of the authorizationException. It will contain the identifier of
// the Relying Party Trust for whom the user is not authorized.
//
// The identifier below must be one of the values noted in step 1. Only the host and
// path components are compared, so scheme, port, query and fragment are ignored.
if (0 == Uri.Compare(authorizationException.RequestedRelyingParty,
                     new Uri("https://sharepoint.contoso.com/"),
                     UriComponents.Host | UriComponents.Path,
                     UriFormat.UriEscaped,
                     StringComparison.OrdinalIgnoreCase))
{
    // Hard-coded redirect target: the user is sent to the FIM access request page.
    Response.Redirect("https://FIM.adatum.com/requestAccess.aspx", true);
}
else
{
    // Any other relying party keeps the stock AD FS "access denied" message.
    ExceptionMessageLabel.Visible = true;
    ExceptionMessageLabel.Text = Resources.CommonResources.UnauthorizedText;
    Title = Resources.CommonResources.AccessDeniedTitle;
}
```

Two points worth checking before saving. First, the URI passed to new Uri() must be one of the identifier values noted in step 1; if the identifier in the Identifiers tab differs (for example by a trailing path segment), the comparison never returns 0 and the user sees the default denied page. Second, keep the redirect target a hard-coded constant as shown. Do not build it from query-string or form input of the request, because a redirect target taken from the request turns the AD FS error page into an open redirector.

You should now have the following code:

```csharp
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------

using System;
using Microsoft.IdentityServer.Web;
using Microsoft.IdentityServer.Web.UI;

/// <summary>
/// Shows the error page
/// </summary>
public partial class Error : ErrorPage
{
    protected void Page_Load( object sender, EventArgs e )
    {
        AuthorizationFailedException authorizationException = Exception as AuthorizationFailedException;
        AuthenticationFailedException authenticationException = Exception as AuthenticationFailedException;

        if( authorizationException != null )
        {
            //
            // To provide customized authorization error messages, inspect the RequestedRelyingParty
            // property of the authorizationException. It will contain the identifier of
            // the Relying Party Trust for whom the user is not authorized.
            //
            if (0 == Uri.Compare(authorizationException.RequestedRelyingParty,
                                 new Uri("https://sharepoint.contoso.com/"),
                                 UriComponents.Host | UriComponents.Path,
                                 UriFormat.UriEscaped,
                                 StringComparison.OrdinalIgnoreCase))
            {
                Response.Redirect("https://FIM.adatum.com/requestAccess.aspx", true);
            }
            else
            {
                ExceptionMessageLabel.Visible = true;
                ExceptionMessageLabel.Text = Resources.CommonResources.UnauthorizedText;
                Title = Resources.CommonResources.AccessDeniedTitle;
            }
        }
        else if( authenticationException != null )
        {
            ExceptionMessageLabel.Visible = true;
            ExceptionMessageLabel.Text = Resources.CommonResources.UnauthenticatedText;
        }
        else
        {
            // Raw exception text is shown only when the displayExceptions app setting
            // exists in web.config; leave that setting absent on production servers.
            ExceptionMessageLabel.Visible = System.Web.Configuration.WebConfigurationManager.AppSettings[ "displayExceptions" ] != null;
            ExceptionMessageLabel.Text = Exception != null ? Exception.Message : String.Empty;
        }
    }
}
```

4. Test access

a. Attempt sign-in as a user in the Sales Staff group. Expected result: access granted to Contoso SharePoint.
b. Attempt sign-in as a user who is not a member of the Sales Staff group. Expected result: access denied to Contoso SharePoint, and the user lands on the redirect page (in this scenario, FIM).

Notes

a. If everyone is allowed, a "Permit Access to All Users" rule (or another permit rule) is almost certainly still present on the Issuance Authorization Rules tab. If everyone is denied, the Group SID value in your rule does not match the group, or the group SID is not reaching AD FS in the incoming claims. In either case, go back and review the Issuance Authorization Rule.
b. If, when access has been denied, the user lands on a blank white screen, error.aspx.cs most likely failed to compile and there is an error in your code. Compare the file against your backup and check the Windows Application event log, where ASP.NET records the compilation error.
c. If your relying party has multiple identifiers, or you want to implement this solution for multiple relying parties, add further condition statements to error.aspx.cs, one per identifier, each with its own hard-coded redirect target:

```csharp
if (0 == Uri.Compare(authorizationException.RequestedRelyingParty,
                     new Uri("https://RP1.contoso.com/"),
                     UriComponents.Host | UriComponents.Path,
                     UriFormat.UriEscaped,
                     StringComparison.OrdinalIgnoreCase))
{
    Response.Redirect("https://FIM.adatum.com/requestAccess.aspx", true);
}
else if (0 == Uri.Compare(authorizationException.RequestedRelyingParty,
                          new Uri("https://RP2.contoso.com/"),
                          UriComponents.Host | UriComponents.Path,
                          UriFormat.UriEscaped,
                          StringComparison.OrdinalIgnoreCase))
{
    Response.Redirect("http://www.bing.com", true);
}
else if (0 == Uri.Compare(authorizationException.RequestedRelyingParty,
                          new Uri("https://RP3.contoso.com/"),
                          UriComponents.Host | UriComponents.Path,
                          UriFormat.UriEscaped,
                          StringComparison.OrdinalIgnoreCase))
{
    Response.Redirect("http://contoso.com/RP3DeniedCustom.aspx", true);
}
else
{
    ExceptionMessageLabel.Visible = true;
    ExceptionMessageLabel.Text = Resources.CommonResources.UnauthorizedText;
    Title = Resources.CommonResources.AccessDeniedTitle;
}
```
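The following script is an added example and is not part of the original page. It performs steps 1 and 2 from PowerShell on the AD FS server instead of through the AD FS Management console, and then checks that the stored rule set is what the procedure expects. It assumes the AD FS 2.0 PowerShell snap-in (on AD FS 2.1, Windows Server 2012, use Import-Module ADFS instead of Add-PSSnapin), a relying party trust named "Contoso SharePoint" and an Active Directory group CONTOSO\Sales Staff; those names are assumptions, not values taken from the page.

```powershell
# Added example: reproduce steps 1 and 2 of the procedure from PowerShell and verify the result.
# Assumptions: AD FS 2.0 snap-in; RP trust display name 'Contoso SharePoint'; group 'CONTOSO\Sales Staff'.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName    = 'Contoso SharePoint'
$groupName = 'CONTOSO\Sales Staff'

# Step 1: list the relying party identifiers. One of these must be the value passed to
# new Uri(...) in error.aspx.cs, because RequestedRelyingParty is compared against it.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }
Write-Host "Identifiers for '$rpName':"
$rp.Identifier | ForEach-Object { Write-Host "  $_" }

# Step 2: resolve the group to its SID, as the Browse button does in the console.
$sid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

# This is the rule the "Permit or Deny Users Based on an Incoming Claim" template writes:
# a permit claim is issued only when an incoming Group SID claim equals $sid.
$permitRule = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit Only Sales Staff Members"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$([regex]::Escape($sid))`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# Set-ADFSRelyingPartyTrust replaces the whole rule set, which is what step 2c asks for:
# a leftover "Permit Access to All Users" rule would admit everyone. AD FS permits only when
# some rule issues a permit claim and none issues a deny, so with this one rule every user
# outside the group is denied and lands on error.aspx.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $permitRule

# Verification: exactly one permit rule, scoped to the resolved SID.
$rules = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
if ($rules -notmatch [regex]::Escape($sid)) {
    throw 'Issuance authorization rule was not written with the expected group SID'
}
$permitCount = ([regex]::Matches($rules, 'authorization/claims/permit')).Count
if ($permitCount -ne 1) {
    throw "Expected exactly one permit rule, found $permitCount (a permit-all rule may remain)"
}
Write-Host "Issuance authorization rules for '$rpName' are now:`n$rules"
```

Run it in an elevated PowerShell session on the federation server. If other issuance authorization rules must survive, read the current IssuanceAuthorizationRules string first and pass the concatenation of the kept rules and $permitRule to Set-ADFSRelyingPartyTrust, since the cmdlet overwrites rather than appends.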