So here is my dilemma or my somewhat up in the air question .
I have set my self with with a scenario in such that I've enabled SSO on Salesforce using ADFS certs, but currently all users have access to go through salesforce using SSO. I'd like to limit SSO to only three groups "user groups defined in AD" to be the only ones to be able to use SSO in salesforce.
I know i need to delegate access but not sure if i need to do this on the ADFS side or the salesforce end.... on ADFS the only thing i've done is create the certificate and brought them in salesforce and then taken the XML generated and bring that into ADFS.
Any help would be greatly appreciated it .
After Searching the web and this form i came to realise that there is a Delegated Authentication and i might need to install a Delegated Authentication WSDL not sure if this step is necessary for ADFS 3.0 .
Many people seem to point to using Delegated Authentication , but i'm wondering if there is any way to get the same functionality using claim tickets on the adfs server.
Thank You Again :)
You seem to describe something doable via AD FS authorization rules. Read https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/when-to-use-an-authorization-claim-rule
Essentially what you do is on the relying party for Salesforce in AD FS, you create authorization rules to permit/deny based on AD group membership. Therefore, if user is in group, AD FS issues token. if not, they get a deny which means no token that would allow access to Salesforce.
Also see https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs because based on your AD FS version you may be able to do this via an access control policy instead of issuance authorization rules.