With an Identity Provider (IdP), you can use the Token Authorization framework to verify the SIDs value before issuing a token. Alternatively, you can map the SIDs value to an attribute in the contract and let the Service Provider (SP) determine if the user meets the requirements to access the protected resource. To protect resources based on the sign-on method, authentication mechanism assurance from Active Directory (AD) Domain Services adds an additional group membership to the user's security identifiers attribute (SIDs) when the user signs on using a certificate-based sign-on method, such as a smart-card sign-on. For example, you can restrict access to sensitive resources to users who sign on by using their smart cards, which require a physical reader that you place in a physically secured location.

The integrated Kerberos Adapter supports authentication mechanism assurance by including the SIDs attribute of the authenticated user in the adapter contract.

If your use case requires authentication mechanism assurance, you can add a criterion in the Token Authorization framework to verify that the SIDs attribute contains the security identifier (SID) value associated with the required login method. If the SIDs attribute does not contain the specified SID value, the request is denied.

Note:

The SIDs attribute contains multiple values. Use the multi-value contains condition or the multi-value contains (case insensitive) condition to verify whether the SIDs attribute contains a specific value. You can also configure more complex evaluations using OGNL expressions.
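The following is an added example, not PingFederate's own code, that models the Token Authorization check described above: it normalises the multi-valued SIDs attribute, applies the "multi-value contains" test (optionally case insensitive), and denies the request when the assurance SID is absent or the attribute is missing. The SID values are constructed placeholders; the real assurance-group SID comes from your AD domain.

```python
# Added example modelling the Token Authorization check on the SIDs attribute.
# SMARTCARD_ASSURANCE_SID is a constructed placeholder, not a real domain SID.
from dataclasses import dataclass
from typing import Mapping, Sequence, Union

AttrValue = Union[str, Sequence[str], None]

# Placeholder for the SID that AD DS adds when the user signs on with a certificate.
SMARTCARD_ASSURANCE_SID = "S-1-5-21-1000000000-2000000000-3000000000-1234"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _values(attr: AttrValue) -> list:
    """Normalise a contract attribute to a list; SIDs is multi-valued."""
    if attr is None:
        return []
    if isinstance(attr, str):
        return [attr]
    return [v for v in attr if isinstance(v, str)]


def sids_contain(contract: Mapping[str, AttrValue], required_sid: str,
                 case_insensitive: bool = False) -> bool:
    """Equivalent of the 'multi-value contains' condition on the SIDs attribute."""
    vals = _values(contract.get("SIDs"))
    if case_insensitive:
        return required_sid.casefold() in {v.casefold() for v in vals}
    return required_sid in vals


def authorize(contract: Mapping[str, AttrValue],
              required_sid: str = SMARTCARD_ASSURANCE_SID) -> Decision:
    """Deny token issuance unless the required assurance SID is present in SIDs."""
    if "SIDs" not in contract:
        return Decision(False, "SIDs attribute missing from adapter contract")
    if sids_contain(contract, required_sid):
        return Decision(True, "assurance SID present: certificate-based sign-on")
    return Decision(False, "assurance SID absent: sign-on method not permitted")
```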

Alternatively, you can map the SIDs attribute into the contract and let the SP determine if the user meets the requirements to access the protected resource.

For more information about authentication mechanism assurance, see the Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide from Microsoft's documentation.