Access Control Policies in AD FS for Windows Server Technical Preview

With the next version of Windows Server, presumably called Windows Server 2016, we’ll be getting a new version of AD FS. I would love to call this new version AD FS 4.0, but Microsoft has not confirmed that name yet. Whatever it ends up being called, the next version of AD FS is going to contain some significant improvements. In this post I want to look at one of those improvements, Access Control Policies.

The Definitions

The first hurdle in understanding AD FS is the terms. As I started to write this post, I realized that I was using a bunch of terms that I needed to define. Originally I did not intend such a long list of definitions, but as I got started I kept finding more terms that needed to be defined. Feel free to skip over this part and just refer back to it as needed.

Relaying party – A federation service or application that consumes claims in a particular transaction. Claims that originate from a claims provider can be presented and consumed by the relying party.

Secure Token Service – a service which authenticates the relaying party and issues a security token granting access, instead of the application authenticating the relaying party directly. AD FS is a STS.

Claims provider – a federation service responsible for collecting and authenticating a user, building up claims for that user, and packaging the claims into security tokens that the relying party uses to make authorization decisions.

Federation Servers – A computer that runs a specialized web service to issue, manage, and validate requests from security tokens and identity management. A federation server can protect the contents of security tokens in transit with an X.509 certificate making it possible to validate trusted issuers.

Security tokens – A collection of identity claims, such as a user’s name or role.

Relaying party trust – A trust configured in AD FS between the relaying party and AD FS.

Claims provider trust – A trust configured in AD FS between the claims provider and AD FS.

Claim – A statement an entity makes about itself in order to establish access.

Claims rules – A set of instructions used to determine how claims are processed in a variety of scenarios.

Attribute stores – A pluggable module that the policy process for AD FS can query to retrieve claim values.

Federation metadata – Data that describes a relaying party or a claims provider and allows for easy creation of the corresponding trust.

Federation metadata document – An XML document that conforms to the WS-Federation 1.2 schema. This data may be imported from a file or made available via https.


Access Control Policy Templates

To understand Access Control Policies, you need to start with Access Control Policy Templates. An ACP Template is a group of ACP settings that can be applied to a relying party (RP). If updates are made to an ACP template, those updates will be applied to the RP automatically.

AD FS 3.0 policy processing is done in three phases; authentication, authorization, and claims issuance. In AD FS 3.0 and earlier, policies for each of these phases must be configured separately. In addition to creating three separate policies for access control, administrators have to understand the claims rule language in order to apply access controls like blocking users from logging into Office 365 from home.

ACP templates replace this old model with a new GUI configuration interface that is much easier to use. The old model will still exist in this new version of AD FS, but administrators will not have to use it but instead will be able to use this new simplified model.

In this new ACP model, all access is default denied unless a matching ACP template is found to grant a user access in their specific circumstances.

Built-in ACP templates

 After installing this new version of AD FS, you’ll see several default ACP templates in place in the AD FS management console. These built-in templates should cover many of the use cases for most deployments of AD FS. Below are the ACP templates included in Windows Server Technical Preview 2.

These ACP templates cannot be modified.

Of course new ACP templates can be added and modified. Modification to customer ACP templates will affect any RPs which the custom policies are controlling.

To create a new ACP template, select Add Access Control Policy from the action menu on the right hand side of the AD FS management console.

Give your new ACP template a name and a description that others will understand later. Select Add at the bottom to define conditions under which a user will be granted access.

The administrator can select multiple conditions from the Permit section and they will have an AND relationship. This means that a user must meet the requirements of all the permit rules to be granted access. For example, users will be required to be from a specific network AND from specific groups if the first two boxes are checked.

Selecting the highlighted condition link makes it apparent why these are ACP templates. The Select Groups dialog allows us to either define a specific group to which this ACP template will apply or we can allow this parameter to be defined when the template is assigned.

If multiple exceptions are selected, they have an OR relationship meaning if a user meets the requirements of any one of the exceptions they will be granted access.

If an ACP template is parametrized, it cannot be modified after it has been created. The parameters in a parameterized template must be defined when the ACP template is assigned to a RP trust. Non-parametrized templates can be assigned without any further input and they can be modified after they are assigned to a RP trust.

Assigning an ACP template to an application

ACP templates can be assigned to a relaying party (RP) trust from the Relaying Party Trusts section of the AD FS management console by selecting Edit Access Control Policy from the action menu on the right.

In the screenshot below, you can see I have selected to apply a parametrized ACP template to the VPN Server RP trust. Before this template can be assigned, I need to specific a group for access as seen in the next screenshot.

ACP templates can also be assigned to new applications as part of the RP trust setup wizard.