{"id":266,"date":"2018-01-11T16:32:55","date_gmt":"2018-01-11T08:32:55","guid":{"rendered":"https:\/\/rol801.com\/wordpress\/?p=266"},"modified":"2018-01-11T16:32:55","modified_gmt":"2018-01-11T08:32:55","slug":"my-adfs-claims-rules-journey-part-1","status":"publish","type":"post","link":"https:\/\/rol801.com\/wordpress\/?p=266","title":{"rendered":"My ADFS Claims Rules Journey – Part 1"},"content":{"rendered":"

\"\"<\/p>\n

 <\/p>\n

 <\/p>\n

\u4fc2\u505aMDM\u5605\u904e\u7a0b\uff0c\u81ea\u5df1\u4e00\u5373\u907f\u514d\u5605\u4fc2\u5514\u597d\u7528Office365\u3002
\n\u9ede\u89e3\u5481\u8ad7\uff1f\u4fc2\u56e0\u70ba\u82e5\u7121\u8fa6\u6cd5\u597d\u597dRestrict \u8857\u5916Unauthorized Access\u7684\u8a71\u3002User\u53ef\u4ee5\u96a8\u4fbf\u52a0Email account\u6536Email\uff0c\u5481\u6574\u5957MDM\u76f8\u7b49\u660e\u5b58\u5be6\u4ea1\u3002<\/p>\n

\u800c\u666e\u904d\u7528Mail\u591a\u5605\uff0c\u81ea\u5df1\u9996\u5148\u6703\u91dd\u5c0d\u9ede\u6a23\u5c01Exchange Online\uff0c\u4e0d\u8ad6\u4fc2Android\/iOS \u5605Native Client\uff0c\u751a\u81f3\u4fc2Outlook Mobile App\uff0c\u90fd\u4fc2\u8981\u5c01\u5605\u5c0d\u8c61\u3002<\/p>\n

\u9996\u5148\u8981\u63d0\u5605\u4fc2\uff0c\u771f\u4fc2\u591a\u5f97iOS11\u4fc217\u5e74\u4e5d\u6708\u51fa\u5de6\uff0c\u5572\u82b1\u5de6\u5514\u5c0f\u6642\u9593\u505a\u843d\u5605Claims Rule \u5931\u6548\u3002<\/p>\n

\u7c21\u55ae\u4ee5\u689d\u7247\u569f\u505aSample\uff0c\u540ciOS11\u4e4b\u524d\u5605\u5dee\u5225\u3002\u7576\u7528\u5664Sign-In\u4e4b\u5f8c\uff0c\u6703redirect \u53bb\u53e6\u4e00\u500bWebPage\u53bb\u7e7c\u7e8cAuthentication\u00a0\u3002\u5462\u7a2e\u5c31\u4fc2Passive Authentication<\/p>\n

\u8b1b\u5481\u591a\u505a\u54a9\uff1f\u5c31\u4fc2Passive Authentication(Modern Authentication)\u4ee4\u5230\u4ee5\u5f80\u505a\u843d\u5605Claim rules \u5ee2\u6b66\u529f\u3002<\/p>\n

\u4ee5\u4e0b\u4fc2 \u4fc2iOS 11 \u524d\u7528\u7dca\u5605rules<\/p>\n

exists([Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-proxy”]) &&<\/p>\n

exists([Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-client-application”, Value =~ “Microsoft.Exchange.ActiveSync”])<\/span>
\n&&<\/p>\n

NOT exists([Type == “http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/groupsid”, Value == “S-1-5-21-xxxxxxx”])
\n&&<\/p>\n

NOT exists([Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-forwarded-client-ip”, Value =~ “\\bxxx\\.xxx\\.xxx\\.xxx\\b”])
\n=> issue(Type = “http:\/\/schemas.microsoft.com\/authorization\/claims\/deny”, Value = “true”);<\/p>\n

\u539f\u610f\u89e3\u8aaa\uff1a<\/p>\n

Rule1 \u7576Connection\u4fc2\u7531\u8857\u5916\uff0c<\/p>\n

Rule 2 Client Type\u4fc2ActiveSync\uff0c<\/p>\n

Rule 3 User\u5514\u5c6c\u65bcPermitted Group<\/p>\n

Rule 4 \u5514\u4fc2\u7531\u6307\u5b9aActiveSync Proxy IP Connect\u904e\u9ece<\/p>\n

\u5168\u90e8\u7b26\u5408 \u5c31\u6703\u4ffeDeny Claim<\/p>\n

\u56e0\u70baRule2\u4fc2Passive Authentication \u518d\u7121X-MS-Client-Application\u5605claim value\uff0c\u7121\u8fa6\u6cd5\u78ba\u5b9aClient Application Type\uff0c\u7d50\u679c\u6703\u4fc2\u540c\u5176\u4ed6Browser Based Application \u4e00\u6a23Allow Access<\/p>\n

 <\/p>\n

To Be Continue in Part 2<\/p>\n

 <\/p>\n

Reference\u00a0from Link1<\/strong><\/p>\n

Background<\/h2>\n

Based on the latest beta builds, Apple has added OAuth 2.0 support for Microsoft Exchange accounts in iOS 11, showing an increased commitment to device security. In my opinion, this may be iOS 11\u2019s least talked about, but most impactful feature for enterprises because of the implications for securing iOS with Office 365 and Exchange Online. Let\u2019s dig deeper.<\/p>\n

A Brief History on Securing Exchange ActiveSync<\/h2>\n

Prior to iOS 11\u2019s OAuth 2.0 implementation, ActiveSync email clients such as iOS\u2019s native email handled account authentication to Exchange Online exclusively via something called an Active Profile. The Active Profile defines ActiveSync authentication techniques for non-browser or modern authentication-based clients.<\/p>\n

On-premises Microsoft Exchange servers are deployed on secure networks behind layers of firewalls and only accessible to email clients through ActiveSync Proxies. Administrators have significant granular access control via proxies, especially in allowing access to the Exchange servers only from the trusted IP addresses of the proxies. MobileIron\u2019s Sentry is an extra-powerful ActiveSync proxy for mobile devices because the Sentry allows or denies ActiveSync access to the Exchange server based on both device and application posture received from the policy engine on MobileIron Core or Cloud. With Sentry, only trusted mobile devices can access ActiveSync email; users attempting to access email from untrusted mobile devices are denied by the Sentry. Thousands of large enterprises protect their on-premises Exchange servers with Sentry today.<\/p>\n

Reference from Link2<\/strong><\/p>\n

In a Passive authentication scenario, the user signs in through a Web form displayed by the identity provider and the user is requested to log in. In Active authentication scenario, the user is authenticated using thick clients. As the thick client does not support redirection, Office 365 gets the credentials and validates the authentication with Access Manager by communicating directly with it.<\/p>\n

Reference Video from Link3<\/strong><\/p>\n