Secure ADFS (disallow anything other than redirect)


We use ADFS within our organisation, and it is available via HTTP externally.

All of the applications we protect with ADFS are SP-initiated, so I want to disallow requests to ADFS other than SP-initiated SSOs. (e.g. should NOT be allowed. But,{SP} should be allowed).

So far, the two RegEx I think should be allowed are:

  1. [\&|\?]logintoRP\=
  2. \?wa\=([^\&]+)\&wtrealm\=([^\&]+)\&wctx\=([^\&]+)(\&wct\=([^\&]+))

I’m having difficulties with getting HAProxy to recognise the regex and apply them correctly. i.e. HAProxy keeps rejecting everything, even where there should be matches.

I have two questions:

  1. How do I define an ACL that accepts these RegEx patterns?
  2. Am I going down a rabbit hole here, and should I abandon these rules?

My idea for blocking anything other than the SP-initiated logins is to prevent bad actors from going to and guessing passwords all day. I want bad actors to at least need to first know at least one of our SPs, to then be redirected to ADFS.
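One way to express the rules from the question as HAProxy ACLs, as an added example that is not part of the original post. It assumes the ADFS sign-on endpoint lives under /adfs/ls/ (not stated in the post), uses placeholder certificate paths and a placeholder backend address, and keeps the two patterns exactly as written above; note that the second pattern's final group has no trailing ?, so a request without wct will not match it.

```haproxy
# Added example (not from the post): only SP-initiated sign-on requests reach
# ADFS; bare visits to the sign-on page are denied at the proxy.
frontend fe_adfs
    bind *:443 ssl crt /etc/haproxy/certs/adfs.pem   # placeholder cert path
    mode http

    # Single quotes are HAProxy "strong quoting": the config parser passes the
    # backslashes through untouched, so the regex engine sees them. Without
    # quotes the parser treats backslash as its own escape character, which is
    # one reason a pattern that looks right can fail to match anything.
    # Pattern 1 from the post: request that names a relying party.
    acl sp_logintorp url_reg -i '[\&|\?]logintoRP\='
    # Pattern 2 from the post: wa, wtrealm, wctx, wct in exactly this order.
    # Parameter order and URL-encoding must match what the SPs actually send;
    # the trailing group is mandatory as written (no '?' after it).
    acl sp_wsfed     url_reg -i '\?wa\=([^\&]+)\&wtrealm\=([^\&]+)\&wctx\=([^\&]+)(\&wct\=([^\&]+))'

    # Scope the rule to the interactive sign-on path (assumed /adfs/ls/) so
    # metadata and other endpoints are not affected by it.
    acl is_signon    path_beg -i /adfs/ls

    # Deny with 403 anything on the sign-on path that is not SP-initiated.
    # Denied requests show up in the HAProxy access log with status 403, so
    # the rule can be reviewed against real traffic before relying on it.
    http-request deny deny_status 403 if is_signon !sp_logintorp !sp_wsfed

    default_backend be_adfs

backend be_adfs
    mode http
    # Placeholder address; verify the ADFS server certificate on the way back.
    server adfs1 10.0.0.5:443 ssl verify required ca-file /etc/haproxy/certs/ca.pem
```

-i makes both matches case-insensitive; drop it if the exact case of the parameter names matters to you.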