Hello,
We use ADFS within our organisation, and it is available via HTTP externally.
All of the applications we protect with ADFS are SP-initiated, so I want to disallow requests to ADFS other than SP-initiated SSO (e.g. https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx should NOT be allowed, but https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx?logintoRP={SP} should be allowed).
So far, the two RegEx patterns I think should be allowed are:
[\&|\?]logintoRP\=
\?wa\=([^\&]+)\&wtrealm\=([^\&]+)\&wctx\=([^\&]+)(\&wct\=([^\&]+))
I’m having difficulties getting HAProxy to recognise the regex and apply them correctly, i.e. HAProxy keeps rejecting everything, even where there should be matches.
I have two questions:
- How do I define an ACL that accepts these RegEx patterns?
- Am I going down a rabbit hole here, and should I abandon these rules?
My idea for blocking anything other than the SP-initiated logins is to prevent bad actors from going to https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx and guessing passwords all day. I want bad actors to at least need to first know one of our SPs, to then be redirected to ADFS.
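One way to express the rules described in the post as HAProxy ACLs, as an added example that is not part of the original post. It uses HAProxy's urlp() fetch to test for the query parameters instead of a hand-written regex over the whole URL, which is what usually causes the "everything gets rejected" symptom: as posted, the bracket expression [\&|\?] also matches a literal "|", and the final (\&wct=...) group is mandatory, so any WS-Federation request without wct= fails the match. The frontend/backend names, bind address, certificate and CA paths, and backend server address are assumptions; HAProxy must terminate TLS in "mode http" to see the path and query string at all.

```haproxy
frontend fe_adfs
    mode http
    # Assumption: HAProxy terminates TLS so it can inspect path and query string
    bind :443 ssl crt /etc/haproxy/certs/adfs.pem

    # Scope the restriction to the ADFS passive sign-on endpoint only.
    # Other paths (e.g. /FederationMetadata/..., /adfs/probe) are unaffected.
    acl adfs_ls            path_beg -i /adfs/ls

    # SP-initiated WS-Federation sign-in: both wa= and wtrealm= must be present.
    # wctx= and wct= are deliberately not required; wct is optional in practice.
    acl wsfed_has_wa       urlp(wa)        -m found
    acl wsfed_has_wtrealm  urlp(wtrealm)   -m found

    # IdpInitiatedSignOn.aspx?logintoRP=<SP>: allowed, because it names a
    # relying party up front (the post treats this as acceptable).
    acl has_logintorp      urlp(logintoRP) -m found

    # Equivalent regex form of the logintoRP check, if a regex is preferred:
    # acl has_logintorp    query -m reg -i (^|&)logintoRP=

    # ACLs listed on one "if" line are ANDed. The two deny lines together
    # reject any /adfs/ls request unless
    #   has_logintorp OR (wsfed_has_wa AND wsfed_has_wtrealm)
    # so a bare IdpInitiatedSignOn.aspx, or /adfs/ls/?wa=wsignin1.0 with no
    # wtrealm=, gets a 403 before it ever reaches ADFS.
    http-request deny deny_status 403 if adfs_ls !has_logintorp !wsfed_has_wa
    http-request deny deny_status 403 if adfs_ls !has_logintorp !wsfed_has_wtrealm

    default_backend be_adfs

backend be_adfs
    mode http
    # Assumption: internal ADFS server and the CA that issued its certificate
    server adfs1 10.0.0.10:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem
```

Two caveats worth keeping in mind with this approach: urlp() matches the parameter name case-sensitively, so it matches the exact names shown in the post (logintoRP, wa, wtrealm); and this filter only raises the bar for an attacker, since anyone who can observe one redirect from a protected application learns a valid wtrealm and can replay it. ADFS's own Extranet Lockout (or Extranet Smart Lockout on newer versions) is the control that actually limits password guessing, so the HAProxy rule is best treated as a complement to it rather than a replacement.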