{"id":276,"date":"2018-01-29T16:59:40","date_gmt":"2018-01-29T08:59:40","guid":{"rendered":"https:\/\/rol801.com\/wordpress\/?p=276"},"modified":"2018-01-29T17:45:36","modified_gmt":"2018-01-29T09:45:36","slug":"my-adfs-claims-rules-journey-part-2","status":"publish","type":"post","link":"https:\/\/rol801.com\/wordpress\/?p=276","title":{"rendered":"My ADFS Claims Rules Journey \u2013 Part 2"},"content":{"rendered":"

\"\"<\/p>\n

\u7e8c\u4e0a\u56de\uff5e<\/p>\n

\u5176\u5be6\u4fc2\u7db2\u4e0a\u8b1bADFS \u5605post \u5927\u591a\u4fc2\u63a5\u8fd1\u4e00\u5e74\u4ee5\u4e0a\u5605\u820aarticle\u30022017 \u5f8c\u534a\u5605\u65b0post\u63a5\u8fd1 \u201c0\u201d \u3002 \u4fc2\u7121\u982d\u7d6e\u4e0b\u53ea\u53ef\u4ee5\u7528\u820asample code \u53bb\u780cclaims rule \u53bb\u8a66\uff0c<\/p>\n

\u5931\u6557\u4f8b\u5b50\u5982\u4e0b<\/p>\n

Sample1<\/p>\n

NOT exists([Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-forwarded-client-ip”, Value =~ “\\bXXX\\.XXX\\.XXX\\.XXX\\b”])&&<\/p>\n

NOT exists([Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-client-application”, Value =~ “Microsoft.Exchange.ActiveSync|Microsoft.Exchange.AutoDiscover”])&&<\/p>\n

NOT exists([Type == “http:\/\/schemas.microsoft.com\/claims\/authnmethodsreferences”, Value == “http:\/\/schemas.microsoft.com\/claims\/multipleauthn”])<\/p>\n

=> issue(Type = “http:\/\/schemas.microsoft.com\/authorization\/claims\/deny”, Value = “DenyUsersWithClaim”);<\/p>\n

\u7b2c\u4e00\u500b\u8ad7\u5230\u5605\u505a\u6cd5\u4fc2\u7528\u6709\u5187\u884cMFA\uff0c\u57fa\u5982Legacy Client\u5605ActiveSync\u4fc2\u5514\u6703\u884cMFA\uff08\u4fc2Part1 AAR \u5df2\u7d93\u754c\u5b9a\uff09\u3002\u7406\u8ad6\u4e0a\u4fc2\u5571\uff0c\u4f46\u4fc2……\u6240\u6709\u4fc2Internal\u5605user\u4e00\u6a23\u5514\u9700\u8981MFA\uff0c\u7d50\u679c\u4fc2\u908a\u6210Internal client\u4ea6\u5514\u6703\u53bblogin\u5230\u4efb\u4f55Azure Services….<\/p>\n

\u4fc2\u8a66\u5462\u6bb5Claims Rule \u610f\u5916\u63a1\u96c6\u7372\u4fc2\uff0c\u5047\u82e5Client\u4fc2\u7528Modern Auth,\u5982\u679cClaim Rules \u6709\u7528
\n“exists([Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-proxy”])”<\/p>\n

\u4fc2\u6703\u8b8a\u6210 Always Permit<\/p>\n

Sample2<\/p>\n

Rule1
\nc:[Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-forwarded-client-ip”, Value =~ “IP address range”]
\n=> issue(Type = “http:\/\/custom\/allow”, Value = “true”);<\/p>\n

Rule2
\nexists([Type == “http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/groupsid”, Value =~ “S-1-5-xx”])
\n=> issue(Type = “http:\/\/custom\/allow”, Value = “true”);<\/p>\n

Rule3
\nexists([Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-client-application”, Value =~ “Microsoft.Exchange.ActiveSync”])
\n=> issue(Type = “http:\/\/custom\/deny”, Value = “true”);<\/p>\n

Rule4
\nexists([Type == “https:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-client-user-agent”, value =~ “Outlook-iOS|Outlook-Android”])
\n=>issue(Type = “http:\/\/custom\/deny”, Value = “true”);<\/p>\n

Rule5
\nexists([Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-endpoint-absolute-path”, Value =~ “\/adfs\/ls|\/adfs\/oauth2”])
\n=>issue(Type = “http:\/\/custom\/deny”, Value = “true”);<\/p>\n

Rule6
\nc:[Type == “http:\/\/custom\/allow”, Value == “false”]
\n=> issue(Type = “http:\/\/schemas.microsoft.com\/authorization\/claims\/deny”, Value = “true”);<\/p>\n

Rule7
\nc:[Type == “http:\/\/custom\/allow”, Value == “true”]
\n=> issue(Type = “http:\/\/schemas.microsoft.com\/authorization\/claims\/permit”, Value = “true”);<\/p>\n

\u5462\u500b\u4fc2\u975e\u5e38\u6975\u7aef\u5605\u505a\u6cd5.\uff0c\u518d\u7121Default Permit All\u4fc2\u6700\u9802\uff0c\u7d14\u7cb9\u7528AD Group\u53bb\u505aControl\u3002 Rule 3,Rule5 \u90fd\u4fc2\u7121\u6548\u679c<\/p>\n

\uff0c\u518d\u7121Default Permit All\u4fc2\u6700\u9802\uff0c\u7d14\u7cb9\u7528AD Group\u53bb\u505aControl\u3002 Rule3 \u90fd\u4fc2\u5c0dModern Auth\u7121\u6548\u679c\uff0cRule5 \u4ea6\u7121\u6cd5\u8a66\u51fa\u9810\u671f\u5605results\u3002\u6700\u7d42\u5982\u679cUser\u4fc2Exception Group(AD Group)\uff0c\u5c31\u6703\u7528\u5f97\u5230\u3002<\/p>\n

\u552f\u4e00\u8a66\u5230\u4fc2Rule4\u53ef\u4ee5\u6210\u529fRestrict Outlook Mobile for Android\/iOS<\/p>\n\n\n\n\n\n\n
Characteristic<\/th>\nString for iOS<\/th>\nString for Android<\/th>\n<\/tr>\n
DeviceModel<\/td>\nOutlook for iOS and Android<\/td>\nOutlook for iOS and Android.<\/td>\n<\/tr>\n
DeviceType<\/td>\nOutlook<\/td>\nOutlook<\/td>\n<\/tr>\n
UserAgent<\/td>\nOutlook-iOS\/2.0<\/td>\nOutlook-Android\/2.0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u4f46\u4fc2\u4ecd\u7136\u7121\u6cd5\u7c21\u55ae\u5730\u53eaRestrict iOS Native Mail \u53bbExchange Online<\/p>\n

Part3 Continue – \u6700\u5f8c\u5605\u505a\u6cd5<\/p>\n

Reference<\/p>\n

https:\/\/technet.microsoft.com\/en-us\/library\/mt465747(v=exchg.150).aspx<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

\u7e8c\u4e0a\u56de\uff5e \u5176\u5be6\u4fc2\u7db2\u4e0a\u8b1bADFS \u5605post \u5927\u591a\u4fc2\u63a5\u8fd1\u4e00\u5e74\u4ee5\u4e0a\u5605\u820aarticle\u30022017 \u5f8c\u534a\u5605\u65b0post\u63a5\u8fd1 \u201c0\u201d \u3002 \u4fc2\u7121\u982d\u7d6e\u4e0b\u53ea\u53ef\u4ee5\u7528\u820asample code \u53bb\u780cclaims rule \u53bb\u8a66\uff0c \u5931\u6557\u4f8b\u5b50\u5982\u4e0b Sample1 NOT exists([Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-forwarded-client-ip”, Value =~ “\\bXXX\\.XXX\\.XXX\\.XXX\\b”])&& NOT exists([Type == “http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-client-application”, Value =~ “Microsoft.Exchange.ActiveSync|Microsoft.Exchange.AutoDiscover”])&& NOT exists([Type == “http:\/\/schemas.microsoft.com\/claims\/authnmethodsreferences”, Value == “http:\/\/schemas.microsoft.com\/claims\/multipleauthn”]) => issue(Type = “http:\/\/schemas.microsoft.com\/authorization\/claims\/deny”, Value = “DenyUsersWithClaim”); \u7b2c\u4e00\u500b\u8ad7\u5230\u5605\u505a\u6cd5\u4fc2\u7528\u6709\u5187\u884cMFA\uff0c\u57fa\u5982Legacy Client\u5605ActiveSync\u4fc2\u5514\u6703\u884cMFA\uff08\u4fc2Part1 AAR \u5df2\u7d93\u754c\u5b9a\uff09\u3002\u7406\u8ad6\u4e0a\u4fc2\u5571\uff0c\u4f46\u4fc2……\u6240\u6709\u4fc2Internal\u5605user\u4e00\u6a23\u5514\u9700\u8981MFA\uff0c\u7d50\u679c\u4fc2\u908a\u6210Internal client\u4ea6\u5514\u6703\u53bblogin\u5230\u4efb\u4f55Azure Services…. \u4fc2\u8a66\u5462\u6bb5Claims Rule \u610f\u5916\u63a1\u96c6\u7372\u4fc2\uff0c\u5047\u82e5Client\u4fc2\u7528Modern Auth,\u5982\u679cClaim Rules \u6709\u7528 “exists([Type … Continue reading “My ADFS Claims Rules Journey \u2013 Part 2”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[13,2,3],"tags":[],"class_list":["post-276","post","type-post","status-publish","format-standard","hentry","category-adfs","category-it","category-microsoft"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p71O8A-4s","jetpack-related-posts":[{"id":266,"url":"https:\/\/rol801.com\/wordpress\/?p=266","url_meta":{"origin":276,"position":0},"title":"My ADFS Claims Rules Journey – Part 1","author":"rol801","date":"January 11, 2018","format":false,"excerpt":"\u00a0 \u00a0 \u4fc2\u505aMDM\u5605\u904e\u7a0b\uff0c\u81ea\u5df1\u4e00\u5373\u907f\u514d\u5605\u4fc2\u5514\u597d\u7528Office365\u3002 \u9ede\u89e3\u5481\u8ad7\uff1f\u4fc2\u56e0\u70ba\u82e5\u7121\u8fa6\u6cd5\u597d\u597dRestrict \u8857\u5916Unauthorized Access\u7684\u8a71\u3002User\u53ef\u4ee5\u96a8\u4fbf\u52a0Email account\u6536Email\uff0c\u5481\u6574\u5957MDM\u76f8\u7b49\u660e\u5b58\u5be6\u4ea1\u3002 \u800c\u666e\u904d\u7528Mail\u591a\u5605\uff0c\u81ea\u5df1\u9996\u5148\u6703\u91dd\u5c0d\u9ede\u6a23\u5c01Exchange Online\uff0c\u4e0d\u8ad6\u4fc2Android\/iOS \u5605Native Client\uff0c\u751a\u81f3\u4fc2Outlook Mobile App\uff0c\u90fd\u4fc2\u8981\u5c01\u5605\u5c0d\u8c61\u3002 \u9996\u5148\u8981\u63d0\u5605\u4fc2\uff0c\u771f\u4fc2\u591a\u5f97iOS11\u4fc217\u5e74\u4e5d\u6708\u51fa\u5de6\uff0c\u5572\u82b1\u5de6\u5514\u5c0f\u6642\u9593\u505a\u843d\u5605Claims Rule \u5931\u6548\u3002 \u7c21\u55ae\u4ee5\u689d\u7247\u569f\u505aSample\uff0c\u540ciOS11\u4e4b\u524d\u5605\u5dee\u5225\u3002\u7576\u7528\u5664Sign-In\u4e4b\u5f8c\uff0c\u6703redirect \u53bb\u53e6\u4e00\u500bWebPage\u53bb\u7e7c\u7e8cAuthentication\u00a0\u3002\u5462\u7a2e\u5c31\u4fc2Passive Authentication \u8b1b\u5481\u591a\u505a\u54a9\uff1f\u5c31\u4fc2Passive Authentication(Modern Authentication)\u4ee4\u5230\u4ee5\u5f80\u505a\u843d\u5605Claim rules \u5ee2\u6b66\u529f\u3002 \u4ee5\u4e0b\u4fc2 \u4fc2iOS 11 \u524d\u7528\u7dca\u5605rules exists([Type == \"http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-proxy\"]) && exists([Type == \"http:\/\/schemas.microsoft.com\/2012\/01\/requestcontext\/claims\/x-ms-client-application\", Value =~ \"Microsoft.Exchange.ActiveSync\"]) && NOT exists([Type == \"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/groupsid\", Value == \"S-1-5-21-xxxxxxx\"]) && NOT exists([Type ==\u2026","rel":"","context":"In "ADFS"","block_context":{"text":"ADFS","link":"https:\/\/rol801.com\/wordpress\/?cat=13"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2015\/12\/adfs-logo.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2015\/12\/adfs-logo.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2015\/12\/adfs-logo.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":71,"url":"https:\/\/rol801.com\/wordpress\/?p=71","url_meta":{"origin":276,"position":1},"title":"ADFS 3.0 -> MFA Setup Configuration","author":"rol801","date":"January 6, 2016","format":false,"excerpt":"\u00a0 \u00a0 \u00a0 \u00a0 \u57fa\u65bc\u88abM\uff04 \u6311\u6a5f\u8a71\u73a9 ADFS \u8981\u7528 On-Premises MFA \u5148\u5920\u597d\u3002 \uff08\u5f80\u5f8c\u5c31\u4fc2\u554f M\uff04\u9ede\u89e3 Cloud MFA \u505a\u5514\u5230Intranet IP by pass MFA) \u7528\u6700\u7c21\u55ae\u5605\u65b9\u6cd5\u4fc2 MFA server \u5b89\u4fc2 ADFS \u540c\u4e00\u90e8\u5e7e\u3002 \u5b89\u88dd\u540c\u5927\u90e8\u5206configure \u4ee5\u4e0b\u9762URL\u70ba\u597d\uff0c \u6bd4Microsoft Official Article \u66f4\u65b9\u4fbf Reference https:\/\/4sysops.com\/archives\/azure-multi-factor-authentication-part-7-securing-ad-fs\/ \u4f46\u4fc2\uff0c\u8981\u63d0\u53ca MFA User Portal\u6703\u7121\u795e\u795e\u9ed0\u7dda login \u5514\u5230\uff0c \u751a\u81f3\u5f71\u97ff\u5230\u4e00\u822c\u7528\u5605ADFS \u721bpage\u3002\u4fc2\u5b89\u88dd\u9014\u4e2dReboot Server\u591a\u7684\u4e8b....... \u6700\u5f8c\u6700\u7d93\u5178\u5605\u4fc2Microsoft \u5605 article \u932f\u8aa4\u52c1\u591a\u3002 PowerShell Commmand \u81ea\u5df1\u780c\u4f46\u4fc2\u7528\u9ece\u5305Parameter\u2026","rel":"","context":"In "ADFS"","block_context":{"text":"ADFS","link":"https:\/\/rol801.com\/wordpress\/?cat=13"},"img":{"alt_text":"mfa_thumb","src":"https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/01\/mfa_thumb-300x179.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":58,"url":"https:\/\/rol801.com\/wordpress\/?p=58","url_meta":{"origin":276,"position":2},"title":"Exchange 2013 OWA\/ECP < - > ADFS Authentication","author":"rol801","date":"December 15, 2015","format":false,"excerpt":"\u5462\u500bTopic\uff0c\u81ea\u5df1\u7d55\u5c0d\u6703\u8a55\u5b9a\u70ba\u4eca\u5e74\u505a\u904e\uff0c\u7e7c\u591a\u5e74\u524dSharePoint 2010\u5f8c\uff0c\u6700\u96e3\uff0c\u6700\u597d\u73a9\u5605\u4e00\u6a23\u3002 \u57fa\u5982ADFS 3.0\u5df2\u6709\uff0c\u62cdMicrosoft O365\/Azure \u5605SSO \u4ea6\u4fc2\u5169\u65e5\u5167\u8d77\u8eab\u3002\u8ad7\u5514\u51fa\u6709\u5572\u54a9\u7406\u7531\u5514\u53bb\u505a\u57cb\u4f62 \u00a0 \u6574\u500bsetup\u9032\u884c\u5de6\u4e09\u65e5.\u7576\u4e2d\u8981\u63d0\u6700\u96e3,\u4fc2\u4e00\u8def\u5931\u6557\u7576\u4e2dresearch \/ adjustment. \u800c\u4ee4\u5230\u5481\u9577\u6642\u9593\u5605\u539f\u56e0\u4fc2\u4ee5\u4e0b...... 1. Exchange Server 2013\uff1a\u907f\u514d\u554f\u984c\uff08\u4ea6\u767c\u73fe\u592a\u8010\u7121\u66f4\u65b0\uff0c\u7531SP1 upgrade \u53bb CU10\uff09 2. ADFS Server Signing Token Certificate : \u7d55\u5c0d\u4fc2\u4e00\u500b\u610f\u5916\u6536\u7a6b\u5605\u505a\u6cd5\u3002 \u540c\u6642\u4ea6\u8b49\u660e\u53ea\u9700\u8981Update Azure AD \u4e00\u6b21\u5c31\u5f97\uff0c\u5514\u6703\u5f71\u97ff\u820a\u6709 Federation Trust \"Update-MSOLFederatedDomain \u2013DomainName\" https:\/\/azure.microsoft.com\/en-us\/documentation\/articles\/active-directory-aadconnect-o365-certs\/ http:\/\/hazelnest.com\/blog\/blog\/2015\/07\/05\/exchange-2013-using-adfs-to-authenticate\/ http:\/\/nikpatel.net\/2014\/12\/22\/renew-expired-adfs-token-certificates-for-adfs-2-0-and-sharepoint-2013-on-premises\/ 3. Exchange Server Internal\/External Url \uff1a Reference URL \u7121\u4e00\u500b\u4fc2\u7528 .local Domain......\u800c\u4fc2Exchange configure\u2026","rel":"","context":"In "ADFS"","block_context":{"text":"ADFS","link":"https:\/\/rol801.com\/wordpress\/?cat=13"},"img":{"alt_text":"adfs-logo","src":"https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2015\/12\/adfs-logo-300x39.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":293,"url":"https:\/\/rol801.com\/wordpress\/?p=293","url_meta":{"origin":276,"position":3},"title":"My ADFS Claims Rules Journey \u2013 Part 3 – Final","author":"rol801","date":"February 28, 2018","format":false,"excerpt":"\u00a0 \u00a0 \u7d42\u65bc\u6709\u6642\u9593\u5fc3\u60c5\u5beb\u57cb\u6700\u5f8c\u5462Part\u3002 \u7e7cPart 2\u3002 \u7d93\u904e\u4e0d\u65b7Try on Error\u8a66Claims Rules\u4e4b\u5f8c\u3002 \u5ee0\u5605\u4ee5\u4e0b\u5462\u500bArticle\u53e6\u6211\u653e\u68c4Claims Rules\u53bb\u505aRestriction\u5605\u8ad7\u6cd5\u3002\u5c0d\u65bcActiveSync\u569f\u8b1b\uff0c\u4f3c\u4e4e\u7528Modern Auth\u4fc2\u524b\u6b7bClaim Rule\u3002 \u4ee5\u4e0b \u5e7e\u985e\u578b\u5605\u505a\u6cd5\u53ef\u4ee5\u53d6\u66ffUnauthorize ActiveSync device access \u7b2c\u4e00\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u7528MDM Vendor\u5605Identity Management Software - \u76f8\u5c0d\u96e3\u5ea6\u4fc2\u6700\u9ad8\uff0c\u56e0\u70ba\u591a\u7528SAML\uff0c \u9700\u8981\u6709Deploy SAML\u5605\u7d93\u9a57\u3002\u800cInfrasture\u5165\u9762\u5605\u914d\u7f6e\u5df2\u7d93\u5514\u4fc2\u666e\u901aCompany\u6703\u6295\u8cc7 \u7b2c\u4e8c\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Deploy Certificate Authentication\u3002\u96e3\u5ea6\u540c\u7b2c\u4e00\u7a2e\u505a\u6cd5\u4e0d\u9051\u591a\u8b93\u3002\u9700\u8981Deploy\/ Maintain Internal CA \/ NDES \/PKI infrastructure\u540c\u6a23\u5514\u5bb9\u6613 \u7b2c\u4e09\u00a0 \u00a0\u2026","rel":"","context":"In "ADFS"","block_context":{"text":"ADFS","link":"https:\/\/rol801.com\/wordpress\/?cat=13"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2015\/12\/adfs-logo.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2015\/12\/adfs-logo.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2015\/12\/adfs-logo.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":134,"url":"https:\/\/rol801.com\/wordpress\/?p=134","url_meta":{"origin":276,"position":4},"title":"\u521d\u8a66SAML\u5927\u96c6\u6703 ….. 1.OKTA 2.Sales Force 3.ADFS","author":"rol801","date":"October 15, 2016","format":false,"excerpt":"\u00a0 \u7d55\u5c0d\u4fc2\u65b0\u6311\u6230 !!!!! SAML\u00a0\u00a0\u00a0\u00a0\u00a0 \u4e00\u76f4\u4fc2\u4ee5\u5f80\u5514\u591a\u6562\u53bb\u6382\u5605\u91ce\u3002\u76f8\u6bd4Kerberos\uff0cSAML\u6709\u81ea\u5df1\u89ba\u5f97\u597d\u96e3\u7747\u5605XML (Recursive xml\uff09\u3002\u8ad7\u8d77\u90fd\u6015\u6015\u3002\u6015\u6015\u3002 \u57fa\u5982\u569f\u7dca\u597d\u9ad8\u6a5f\u6703\u8981\u7528\u540c\u81ea\u5df1\u5605\u672a\u96e8\u7da2\u7e46\uff0c\u6c7a\u5b9a\u653e\u624b\u7747\u7747\u4f62...... \u7b2c\u4e00\u4fc2\u6435\u7528\u5605IdP\uff08Identity Provider) \u540cSP(Service Provider) \u96d6\u7136\u5df2\u7d93\u6709ADFS\u4fc2\u5230\u53ef\u7528\uff0c \u4f46\u4fc2ADFS\u5514\u4fc2\u5462\u500b\u4eca\u6b21Buildup\u6700\u521d\u6703\u7528\u5605\u3002 SalesForce\u5df2\u77e5\u5605\u4fc2\u5927\u8def\u5605Service Provider\u3002\u3002 Production \u8981\u9322\u7121\u53ef\u80fd\u3002\u4f46\u4fc2Developer Edition\u4fc2\u5169\u500bUser\u514d\u8cbb \uff0c\u672a\u6435\u5230\u6709\u7121Support\u3002 \u8d85\u5b64\u5bd2\u3002\u3002\u3002\u3002 \u5df2IdP\u4fc2\u6435\u5605\u7576\u4e2d\u7747\u5230OKTA\u3002\u3002 \u4f62\u5c0d\u6bd4\u597d\u5572\u3002 \u4e09\u500bApp\uff0c\u4e00\u767e\u500bUser\u4fc2\u6c38\u4e45\u514d\u8cbb\uff0c\u4ea6\u6709Support\u3002 \u597d\u5572 \u597d\u3002\u3002\u3002 \u6e96\u5099\u5b8c\u6210\u3002\u3002 \u958b\u5de5 \u5927\u81f3\u4e0a\u5605Concept AD \u4fc2Identity\u00a0 Source\uff0c \u6700\u521d\u4ee4\u81ea\u5df1\u4e82\u5605\u4fc2\u9ede\u958bOKTA\u5605UserID. \u56e0\u70ba\u4fc2\u672a\u5b89OKTA Agent\u540cAD link\u57cb\u4e4b\u524d\u3002 OKTA \u81ea\u5df1\u5605user account\u90fd\u4fc2\u7528\u540c\u4e00\u500bdomain suffix. Password \u4e00\u6a23\u6703\u96e3\u53bb\u78ba\u5b9a\u3002 \u4f46\u4fc2\u767c\u73fe\u7576\u5b89\u5b8cOKTA Agent match \u597duser\u4e4b\u5f8c\u3002 \u4fc2\u5f97\u8fd4AD password. \u5373\u4fc2\u5514\u9700\u8981\u6435account \u505alocal\u2026","rel":"","context":"In "ADFS"","block_context":{"text":"ADFS","link":"https:\/\/rol801.com\/wordpress\/?cat=13"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/10\/ADFSSalesforceConfig.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/10\/ADFSSalesforceConfig.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/10\/ADFSSalesforceConfig.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/10\/ADFSSalesforceConfig.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/10\/ADFSSalesforceConfig.jpg?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":99,"url":"https:\/\/rol801.com\/wordpress\/?p=99","url_meta":{"origin":276,"position":5},"title":"Microsoft EMS Intune – WP8.1 \/ Windows 10 PC – ADFS \/ MFA Registration \u5947\u602a\u6253loop\u4e8b\u4ef6","author":"rol801","date":"April 26, 2016","format":false,"excerpt":"\u00a0 \u5462\u500b\u7d55\u5c0d\u4fc2\u8981\u8a71\u6bd4M\uff04 \u73a9\u8d77\u5605\u4e00\u6a23\u91ce\u3002 \u5230\u5462\u5bb6\u4f30\u8a08\u4e09\u500b\u6708\uff0c\u7121\u4eba\u8a71\u5230\u7540\u6211\u77e5\u9053\u6709\u54a9\u76f8\u95dc\u3002 \u4ee5\u81ea\u5df1\u6240\u4ee5\u4e86\u89e3\u4fc2\u3002 Azure Cloud MFA \u540c On-Premises MFA Server \u4e26\u5514\u6703\u5171\u5b58\u3002\u4f46\u4fc2Intune Portal \u5605 MFA option \u53ea\u7747Cloud MFA\u3002 \u6240\u4ee5\u51fa\u4e8b\u3002\u3002\u3002 \u800c\u5462\u500boption.. \u53ea\u5c0dWP\uff0f Windows PC \u6709\u53cd\u61c9\u3002\u3002\u3002 \u53ef\u60e1 M\uff04\u3002\u3002\u3002 \u5982\u679c\u6709\u7528ADFS\uff0c \u6709 set MFA\u3002 \u4e0b\u9762\u500bcheckbox\u4e00\u5b9a\u5514\u53ef\u4ee5tick!@#$%^&*()_ \u00a0 PS. 04\/May\/2016 \u9072\u4f86\u7684\u7b54\u6848\u3002 \u7d42\u65bc\u6435\u5230\u4f60... https:\/\/www.petervanderwoude.nl\/post\/how-to-configure-multi-factor-authentication-in-microsoft-intune-part-2-the-single-sign-on-method\/ \"Note: It\u2019s important to not configure any additional multi-factor authentication settings. Not\u2026","rel":"","context":"In "IT"","block_context":{"text":"IT","link":"https:\/\/rol801.com\/wordpress\/?cat=2"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/04\/Intune_Cloud_MFA.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/04\/Intune_Cloud_MFA.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/04\/Intune_Cloud_MFA.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/04\/Intune_Cloud_MFA.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/rol801.com\/wordpress\/wp-content\/uploads\/2016\/04\/Intune_Cloud_MFA.png?resize=1050%2C600&ssl=1 3x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/rol801.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rol801.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rol801.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rol801.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rol801.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=276"}],"version-history":[{"count":3,"href":"https:\/\/rol801.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/276\/revisions"}],"predecessor-version":[{"id":279,"href":"https:\/\/rol801.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/276\/revisions\/279"}],"wp:attachment":[{"href":"https:\/\/rol801.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rol801.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rol801.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}