Question

I currently have two relying parties (RP) configured on my ADFS 2.0 server. I also have two claims provider trusts. I simply want to restrict access to the first RP if the user belongs to claims provider 1.

Is there a claim rule I can put that would let me inspect the user's issuer and then grant access or not?

I'm also wondering if this behavior is even acceptable in an SSO infrastructure. Should I deploy two instances of ADFS 2.0 in order to support this (one trusts claims provider 1 while the other doesn't)?

Thanks for any ideas or design inputs.


Solution

I don't know if this is a good idea, but this should work:

Add a custom rule to the claims provider you want to deny with content like this:

    => issue(Type = "http://schemas.YOURDOMAINHERE/claims/AccessRP_X", Value = "Deny");

Then on the RP:

  1. Edit claim rules, choose Issuance authorization rules, Add Rule.
  2. In the dialog, use the template "Permit or Deny Users based on an Incoming Claim".
  3. For incoming claim type, use the same type as in the custom rule.
  4. In incoming claim value, write Deny.
  5. Choose the radio button "Deny access to users with this incoming claim".
  6. Press Finish.

Hope this works for you.
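The same two changes, scripted with the ADFS 2.0 PowerShell snap-in, as an added example that is not part of the answer above. The trust display names and the claim type URI are assumptions for illustration; the authorization rule text is what the "Permit or Deny Users based on an Incoming Claim" template generates when the Deny option is selected, followed by the usual permit-all rule.

```powershell
# Added example (not from the original answer): script the marker-claim deny
# for one relying party. Names below are assumed for illustration.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$cpName     = "Claims Provider 1"                               # assumed CP trust display name
$rpName     = "Relying Party 1"                                 # assumed RP trust display name
$markerType = "http://schemas.example.com/claims/AccessRP_1"    # assumed claim type

# Step 1: on the claims provider trust, append an acceptance transform rule
# that stamps every user arriving through this trust with the marker claim.
# ADFS adds the marker itself after it has validated the token from the
# remote IdP, so the remote IdP cannot leave it out.
$existingRules = (Get-ADFSClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
$markerRule = @"
@RuleName = "Mark users from $cpName for RP_1 deny"
=> issue(Type = "$markerType", Value = "Deny");
"@
Set-ADFSClaimsProviderTrust -TargetName $cpName `
    -AcceptanceTransformRules ($existingRules + "`r`n" + $markerRule)

# Steps 2-6: on the relying party, the issuance authorization rules become
# "deny if the marker is present, otherwise permit". In ADFS a deny claim
# wins over a permit claim regardless of rule order.
$authzRules = @"
@RuleName = "Deny users carrying the marker"
c:[Type == "$markerType", Value =~ "^(?i)Deny`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

@RuleName = "Permit everyone else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Check what was stored on both trusts.
(Get-ADFSClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

One caveat worth weighing before adopting this layout: the deny depends on the marker rule staying in place on the claims provider trust, so if that rule is ever removed, users from that provider are permitted again (the rule set fails open). If the intended posture is "only users from the other provider may reach this RP", the safer inversion is to stamp the permitted provider's users with an Allow marker and replace the permit-all rule with a permit rule that requires it, so that a missing rule denies rather than grants.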

Licensed under: CC-BY-SA with attribution