pramod1
asked on
REGEX FORMAT, ADFS
I need to enter IPs in regex format in my claim rule on my ADFS server. Is there any way to do this?
Guess I need to know more. Where are you trying to add IP addresses? In the Claim Issuance policy? In the Relying Party Trust?
AD FS claim rules do not support CIDR notation; you have to "expand" the ranges. Here's an example:
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b145\.61\.20\.100\b|\b15\.61\.201\.100\b|\b15\.61\.200\.23\b|\b15\.61\.201\.23\b|\b82\.10\.214\.122\b|\b83\.35\.64\.15\b|\b20\.241\.82\.181\b"])
More details here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-w2k12#regular-expressions
ASKER
I am trying to edit the claim rules under Issuance Authorization Rules - Microsoft Office 365 Identity Platform.
How do I convert the IP 10.x.x.x to regex format? I need to allow those IPs.
You want to match the entire 10.x.x.x subnet?
ASKER
I have 5 IP addresses which I need to allow under the claim rule.
ASKER
They are starting with 10.90.x.x.
ASKER
I have an existing rule which says "block all external access to Office 365 except ActiveSync".
ASKER
Should I add under that or create a new regex? If so, how should I add it?
ASKER
I need to just add 5 IP addresses.
ASKER
Vishal, how do I add 10.90.x.x? I have 5 IP addresses to be added as allowed under the claim rules.
ASKER
10.20.10.1-255
10.20.20.1-255
10.20.30.1-255
What should be the regex format for allowing these IPs in the claim rule?
ASKER
Need to whitelist the IPs.
ASKER CERTIFIED SOLUTION
ASKER
I am sorry, I read it so:
10.80.113.27-30
it will be \b10\.80\.113\.27\b
\b10\.80\.113\.28\b
\b10\.80\.113\.29\b
Do I sound correct?
ASKER
It is 10.20.10.1-255
10.20.20.1-255
10.20.30.1-255 and not till 25,
so the number should be increased.
ASKER
10.80.113.27-30
it will be \b10\.80\.113\.27\b
\b10\.80\.113\.28\b
\b10\.80\.113\.29\b
Do I sound correct?
ASKER
As I matched it on an analytics site, it says syntax error.
\b10\.20\.(10|20|30)\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b
ASKER
Thanks Jeff, I need to convert the below:
10.80.113.27-30
Any help would be highly appreciated.
That one is pretty easy:
\b10\.80\.113\.(27|28|29|30)\b
But you may want to look at this article. It explains things a little better
https://blogs.technet.microsoft.com/askds/2012/06/26/an-adfs-claims-rules-adventure/
ASKER
Thanks a lot, looking at it.
ASKER
Just 1 question Jeff:
as we have
10.20.10.1-255
10.20.20.1-255
10.20.30.1-255
you wrote \b10\.20\.(10|20|30)\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b
Regarding this part, 2[0-5][0-9])\b, I didn't get it clearly?
ASKER
Sorry, you wrote twice: [1-9]|[1-9][0-9]|1[0-9][0-9] ?
[1-9] = just that, .1 - .9
[1-9][0-9] = .10 - .99
1[0-9][0-9] = .100 - .199
and the last one, 2[0-5][0-9], covers .200 to .259, but that is no big deal. Obviously 256 - 259 will never happen. I just did that so we wouldn't have a long string addressing each block of 10.
The | are "or" symbols, so it reads 1-9 or 10-99 or 100-199 or 200-259.
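The two technical points the expert makes in this thread, that AD FS takes a regular expression rather than CIDR so every range has to be expanded, and that a last-octet range is written as an alternation split by digit count (1-9, 10-99, 100-199, 200-...), are worked through below in an added example that is not from this thread, from Experts Exchange or from Microsoft. It generates the alternation for any octet range (tight: 2[0-4][0-9]|25[0-5] for the top band instead of the looser 2[0-5][0-9] used above), accepts single addresses, last-octet ranges such as 10.20.10.1-255 and, going beyond the inputs in the thread, CIDR blocks such as 10.90.0.0/16, and emits a deny rule in the same NOT exists(...) form as the example earlier in the thread. The => issue(deny) clause follows Microsoft's documented deny-claim pattern and is not shown on this page. The function names (octet_regex, entry_regex, deny_rule, allowed_by, values_matched), the rule name string and the sample addresses are all my own; Python's re module stands in for the .NET regex engine that AD FS actually evaluates the rule with.

```python
"""Expand IP allow-list entries into the regex form an AD FS claim rule accepts (added example)."""
import ipaddress
import re

# Request-context claim carrying the client IP as seen by the AD FS proxy (from the thread).
CLIENT_IP_CLAIM = ("http://schemas.microsoft.com/2012/01/requestcontext/claims/"
                   "x-ms-forwarded-client-ip")
# Claim type issued to deny a request (Microsoft's documented deny pattern, not from the thread).
DENY_CLAIM = "http://schemas.microsoft.com/authorization/claims/deny"


def _same_width(lo: str, hi: str) -> list:
    """Alternatives matching every decimal string from lo to hi (same width, lo <= hi)."""
    if lo == hi:
        return [lo]
    if len(lo) == 1:
        return [f"[{lo}-{hi}]"]
    if lo[0] == hi[0]:                      # shared leading digit: recurse on the tail
        return [lo[0] + r for r in _same_width(lo[1:], hi[1:])]
    w = len(lo) - 1
    alts = []
    if lo[1:] == "0" * w:                   # lo begins a whole block, e.g. 100..199
        first_full = int(lo[0])
    else:                                   # partial block from lo to the end of its leading digit
        alts += [lo[0] + r for r in _same_width(lo[1:], "9" * w)]
        first_full = int(lo[0]) + 1
    if hi[1:] == "9" * w:                   # hi ends a whole block
        last_full, tail = int(hi[0]), []
    else:                                   # partial block from the start of hi's leading digit to hi
        last_full = int(hi[0]) - 1
        tail = [hi[0] + r for r in _same_width("0" * w, hi[1:])]
    if first_full <= last_full:             # whole blocks in between, e.g. [2-4][0-9]
        lead = str(first_full) if first_full == last_full else f"[{first_full}-{last_full}]"
        alts.append(lead + "[0-9]" * w)
    return alts + tail


def octet_regex(lo: int, hi: int) -> str:
    """Alternation matching exactly the integers lo..hi (0..255), written without leading zeros."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet range {lo}-{hi}")
    alts = []
    for band_lo, band_hi in ((0, 9), (10, 99), (100, 255)):   # one band per digit count
        a, b = max(lo, band_lo), min(hi, band_hi)
        if a <= b:
            alts += _same_width(str(a), str(b))
    return "|".join(alts)


def parse_entry(text: str) -> list:
    """'10.80.113.27', '10.20.10.1-255' or '10.90.0.0/16' -> four (lo, hi) octet ranges."""
    if "/" in text:                          # CIDR: host bits are a suffix, so per-octet ranges are exact
        net = ipaddress.ip_network(text, strict=True)
        return list(zip(net.network_address.packed, net.broadcast_address.packed))
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 entry: {text}")
    ranges = []
    for part in parts:
        lo, _, hi = part.partition("-")      # 'n' or 'n-m' per octet
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def entry_regex(text: str) -> str:
    """One \\b-anchored regex for an entry; ranged octets become a non-capturing group."""
    octets = [str(lo) if lo == hi else f"(?:{octet_regex(lo, hi)})" for lo, hi in parse_entry(text)]
    return r"\b" + r"\.".join(octets) + r"\b"


def deny_rule(entries: list, rule_name: str = "Deny unless client IP is allowed") -> str:
    """Issuance authorization rule: deny when the client IP matches none of the entries."""
    pattern = "|".join(entry_regex(e) for e in entries)
    return (f'@RuleName = "{rule_name}"\n'
            f'NOT exists([Type == "{CLIENT_IP_CLAIM}", Value =~ "{pattern}"])\n'
            f' => issue(Type = "{DENY_CLAIM}", Value = "true");')


def allowed_by(pattern: str, claim_value: str) -> bool:
    """Mimic the =~ operator: a regex search over the whole claim value."""
    return re.search(pattern, claim_value) is not None


def values_matched(octet_alternation: str) -> set:
    """Audit an octet alternation: which of 0..299 it matches when \\b-anchored (>255 reveals slack)."""
    rx = re.compile(r"\b(?:" + octet_alternation + r")\b")
    return {n for n in range(300) if rx.fullmatch(str(n))}


if __name__ == "__main__":
    # Constructed inputs: the ranges asked about in the thread plus one CIDR block.
    entries = ["10.20.10.1-255", "10.20.20.1-255", "10.20.30.1-255", "10.80.113.27-30", "10.90.0.0/16"]
    print(deny_rule(entries))
    pattern = "|".join(entry_regex(e) for e in entries)
    for ip in ("10.20.10.255", "10.20.10.0", "10.80.113.31", "10.90.200.7", "110.20.10.5"):
        print(f"{ip:>14} allowed={allowed_by(pattern, ip)}")
    print(sorted(values_matched("2[0-5][0-9]")))   # the thread's top band also matches 256..259
```

The printed rule is what goes into the issuance authorization rules of the Office 365 relying party trust, the place the asker names. allowed_by mimics =~ as a search rather than a full match, which is why the \b anchors matter: the x-ms-forwarded-client-ip value can carry more than one address, and an allowed address anywhere in it satisfies the rule, so check how your proxies populate that header before relying on it. values_matched audits a hand-written alternation against every value from 0 to 299, which is how the 256-259 slack in 2[0-5][0-9] that the expert mentions shows up.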
ASKER
I meant you wrote twice: [1-9]|[1-9][0-9]|1[0-9][0-9] ? Sorry for the confusion.
SOLUTION
ASKER
Thanks a lot, let me look.
ASKER
What is the advantage of using IPs in regex on the ADFS server? Is it just for Office 365 connectivity?
ASKER
Above was my last question. Thanks.
I would assume it is to control who can access ADFS. I guess you control who can submit a claim, but in my humble opinion, if you don't want external users using ADFS, I imagine you could do this with an Access Control Policy. So, to me, the only advantage is it helps you understand RegEx expressions a little more. Others may have found uses for this better than me and can explain it better, but we don't go that draconian in our security. We have one RPT that has a custom access control policy, but that is for Intranet users only.
ASKER
Should I add the IPs in off hours or in production hours?
ASKER
Will it affect anything if I add them in office hours?
As I said, I have never worked with this level of blocking before, but as a rule, it's best to default to after hours if you aren't sure. That way you can test without others yelling at you.
ASKER
How should I validate that it is working correctly?
ASKER
Once I add these IPs in the claim rule, will it be effective right away?
I have no real clue as to what you are trying to accomplish. I have never tried to limit the IPs before using RegEx expressions. Before you make changes, you should be fully aware of what you are trying to do. Messing with the defaults in ADFS without knowing what they do should only happen in a test environment. I'm sorry. I can tell you how to write RegEx, but as far as putting it into production, I would never try it without having a test network set up and doing it there. You should reach out to Vasil about this. I think he is more up on this subject than me. I run 2 ADFS farms and have some customization, but nothing this limiting.