Hi all,
I went through the link http://blogs.technet.com/b/askds/archive/2012/06/26/an-adfs-claims-rules-adventure.aspx to test claim based access rules.
As far as I understand, using the rule below we can create a rule to deny "passive" claims (for instance OWA) that hit a specific ADFS Proxy server and come from members of a specific group.
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy", Value =~ "\badfsp[0-9][0-9]\b"])
&& exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-299502267-1364589140-1177238915-114465"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
What I want to achieve is to create a rule to deny OWA access coming from external clients. I know this is not a scenario supported in this link (http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx), but according to the logic, if I add all my users to one group and create the above rule, it should work.
I need your insights. Thanks!
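As an added example (not part of the original post), the same deny logic expressed without the group condition: the x-ms-proxy claim is only present on requests that arrived through an ADFS Proxy, so matching on its existence alone (rather than on the "adfsp" server-name regex in the post) covers every external passive request to /adfs/ls/. Both rules are assumed to be placed in the issuance authorization rules of the OWA relying party trust, and the second rule is the usual permit-all rule that must still exist, since a relying party with only a deny rule and no permit rule denies everyone.

```text
@RuleName = "Deny passive requests that came through any ADFS Proxy"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everyone else (internal requests)"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
```

Because the rules are scoped to one relying party trust, other relying parties on the same ADFS farm keep their own access policy, and internal clients that reach the federation servers directly never carry the x-ms-proxy claim and fall through to the permit rule.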