How to Restrict ADFS SAML Authentication to Specific AD Groups to Control Third-Party Application Costs



When integrating third-party applications via ADFS SAML authentication, many organizations face the challenge of uncontrolled user provisioning. The scenario described is common:

// Typical SAML flow causing auto-provisioning
1. User authenticates via ADFS
2. SAML assertion sent to SP (Service Provider)
3. SP automatically creates account based on NameID
4. Organization gets billed for each new account

The solution lies in configuring ADFS claim rules to only issue tokens for users in specific AD groups. Here's how to implement this:

// PowerShell: configure the relying party trust (Set-AdfsRelyingPartyTrust; there is no Add-AdfsClaimRule cmdlet)
$rpName        = "<relying party display name>"   # placeholder: the third-party application's trust
$groupSid      = "S-1-5-21-3623811015-3361044348-30300820-1013"
$groupSidClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
# Authorization rules: callers without the group SID claim get an explicit deny, members get a permit
$authzRules = @"
NOT EXISTS([Type == "$groupSidClaim", Value == "$groupSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
c:[Type == "$groupSidClaim", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
# Transform rule: members also receive the role claim "allowed" (this parameter replaces the trust's existing transform rules, so append the application's own NameID rule as well)
$transformRules = @"
c:[Type == "$groupSidClaim", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "allowed");
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules

For stronger control, where you run the relying party yourself, combine the group-derived role claim with an authorization check inside the application. A third-party SaaS provider's configuration is outside your control, so for those the ADFS issuance authorization rules remain the enforcement point:

// Web.config snippet for a relying party built on WIF (.NET 4.5 System.IdentityModel)
<system.identityModel>
  <identityConfiguration>
    <!-- The elements under claimsAuthorizationManager are read by the registered custom
         ClaimsAuthorizationManager (type is a placeholder); without a type attribute the
         default manager permits every request and the policy below is ignored. -->
    <claimsAuthorizationManager type="YourNamespace.RoleClaimsAuthorizationManager, YourAssembly">
      <policyConfiguration>
        <requiredClaims>
          <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                 claimValue="allowed"/>
        </requiredClaims>
      </policyConfiguration>
    </claimsAuthorizationManager>
  </identityConfiguration>
</system.identityModel>

Implement logging to track authentication attempts. In the AD FS/Admin log, Event ID 411 records token validation failures and Event ID 324 records callers refused by the issuance authorization rules, which is the event the group restriction produces:

// Event log monitoring query
Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 500 |
Where-Object { $_.Id -in @(411, 324) } |
Select-Object TimeCreated, Id, Message

Some systems let you disable auto-provisioning and pre-create only the accounts you are willing to pay for. For example, with Microsoft Teams the users are created in Entra ID through Microsoft Graph; the request needs a bearer token with the User.ReadWrite.All permission, and the password shown is a sample value (setting forceChangePasswordNextSignIn to true is the safer choice for a pre-created account):

// Graph API to pre-create users
POST https://graph.microsoft.com/v1.0/users
Authorization: Bearer <access token>
Content-Type: application/json

{
  "accountEnabled": true,
  "displayName": "Chat User",
  "mailNickname": "chatuser",
  "userPrincipalName": "chatuser@contoso.com",
  "passwordProfile": {
    "forceChangePasswordNextSignIn": false,
    "password": "xWwvJ]6NMw+bWH-d"
  }
}

When integrating third-party applications via ADFS SAML authentication, uncontrolled user provisioning can lead to unexpected licensing costs. The scenario occurs when:

  • The application auto-provisions users upon first login
  • Your organization gets billed per created account
  • You need to limit access to specific business units

The most effective approach is implementing claim rules that filter by AD group membership. Here's how to configure this in ADFS Management.

First, make sure the group SIDs are available as claims. This issuance transform rule reads the user's tokenGroups attribute from Active Directory and issues one groupsid claim per group (only needed if the Active Directory claims provider trust does not already pass the groupsid claims through):

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), query = ";tokenGroups;{0}", param = c.Value);

Then add this issuance authorization rule so tokens are only issued to members of the target group (issuance authorization rules deny by default, so anyone without a permit claim is refused):

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-3623811015-3361044348-30300820-1013", Issuer == "AD AUTHORITY"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

  1. Identify the target AD group's SID (use Get-ADGroup in PowerShell)
  2. Create a new Issuance Authorization Rule in ADFS
  3. Combine with existing claim rules for your application
  4. Test with users both in and out of the target group

For applications that support it, you can implement a pre-authentication script. Note that Get-ADPrincipalGroupMembership returns direct memberships only and does not expand nested groups:

// PowerShell example
param([Parameter(Mandatory)][string]$userName)
Import-Module ActiveDirectory

# -ExpandProperty yields plain strings; comparing the objects Select-Object returns against a string with -notcontains never matches
$userGroups = Get-ADPrincipalGroupMembership $userName | Select-Object -ExpandProperty distinguishedName
if ($userGroups -notcontains "CN=AllowedUsers,OU=Groups,DC=domain,DC=com") {
    Write-Output "Access Denied"
    exit 1
}

After implementation:

  • Set up ADFS auditing to track authentication attempts
  • Create alerts for failed group-based authentications
  • Regularly review group membership for compliance
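One way to make the auditing and alerting bullets concrete, as an added example that is not from the original post: a PowerShell script that parses AD FS Event ID 324 messages (the event an issuance authorization deny produces) and flags callers who are refused repeatedly, either legitimate users missing from the group or accounts probing the application. The message wording, the relying party URL, the account names and the sample events are constructed assumptions; the commented lines at the end show the live query against the AD FS/Admin log.

```powershell
# Added example (not from the original post): summarise AD FS Event ID 324 denials per caller and
# relying party. The regex relies only on the quoted "caller '...'" and "relying party '...'"
# fragments of the event text; everything below marked constructed is sample data.

function Get-DeniedCaller {
    param([Parameter(Mandatory)][string[]]$Message)
    foreach ($m in $Message) {
        # (?s) lets the match span the line breaks present in real event messages
        if ($m -match "(?s)caller '(?<caller>[^']+)'.*?relying party '(?<rp>[^']+)'") {
            [pscustomobject]@{ Caller = $Matches.caller; RelyingParty = $Matches.rp }
        }
    }
}

function Get-DenialSummary {
    param([Parameter(Mandatory)][string[]]$Message, [int]$AlertThreshold = 3)
    Get-DeniedCaller -Message $Message |
        Group-Object Caller, RelyingParty |
        ForEach-Object {
            [pscustomobject]@{
                Caller       = $_.Group[0].Caller
                RelyingParty = $_.Group[0].RelyingParty
                Denials      = $_.Count
                # repeated denials: either add the user to the group or investigate the account
                Alert        = $_.Count -ge $AlertThreshold
            }
        }
}

# Constructed sample messages in the shape of Event ID 324 (caller names and URL are placeholders)
$sample = @(
    "The Federation Service could not authorize token issuance for caller 'CONTOSO\jdoe'. The caller is not authorized to access the relying party 'https://chat.example.com/saml'.",
    "The Federation Service could not authorize token issuance for caller 'CONTOSO\jdoe'. The caller is not authorized to access the relying party 'https://chat.example.com/saml'.",
    "The Federation Service could not authorize token issuance for caller 'CONTOSO\jdoe'. The caller is not authorized to access the relying party 'https://chat.example.com/saml'.",
    "The Federation Service could not authorize token issuance for caller 'CONTOSO\asmith'. The caller is not authorized to access the relying party 'https://chat.example.com/saml'."
)
Get-DenialSummary -Message $sample | Format-Table -AutoSize

# On a live AD FS server: the last 24 hours of Event ID 324 from the AD FS/Admin log
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 324; StartTime = (Get-Date).AddHours(-24) }
# Get-DenialSummary -Message ($live | Select-Object -ExpandProperty Message) | Where-Object Alert
```

With the constructed input, jdoe is reported with three denials and Alert set to true, asmith with one denial and Alert false; feed the Alert rows to whatever paging or ticketing channel the SOC already uses.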