I'm trying to make a Authorization Rule in ADFS 3.0, disabling some users in a specific "OU" form using a "relying party", with no success.
On the Issuance Transform Rules, i've configured the claim "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname" to get the Distinguished name from AD.
Here is an example: CN=John Doe,OU=XYZ,OU=ABC,DC=CONTOSO,DC=com
This rule should deny access from users in the XPTO OU
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value =~ "^[^,]*,OU=XPTO.*$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
And this rule should permit access for all users outside the XPTO OU
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/distinguishedname", Value !~ "^[^,]*,OU=XPTO.*$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
But, instead these rules grant access to some users and deny others, they deny access to all users
Can you shed some light on this issue?
