ADFS 4 as a SAMLP SP and MFA

kool posted this 19 September 2017

Scenario: configure ADFS to have a SAMLP IdP as a second claims trust provider (CTP). ADFS 3/4 allows setting a per-RP policy to bypass the home-realm-discovery page and go to a specific CTP. Does anyone know if there is a way to modify the SAML AuthnRequest issued to the CTP?

With ADFS 2.x we've modified the HRD page code to bypass the UI, sending all RPs to our Shibboleth IdP. This custom code also allows us to modify the request URL to require MFA for specific RPs. It is a bit of a fortuitous hack where we change the wauth parameter to specify TimeSyncToken. When ADFS receives the modified URI it translates the wauth TimeSyncToken into a SAMLP AuthnRequest AuthnContextClassRef of TimeSyncToken (actually, in both cases it is urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken).

I've not found a way to do this with ADFS 4. Has anyone discovered a way to make this per-RP AuthnRequest modification with ADFS 4?

Thanks,

Eric
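The question turns on what the AuthnRequest that ADFS sends to the SAML CTP actually contains, in particular whether it carries a RequestedAuthnContext with the TimeSyncToken class reference. A quick way to check that from the outside is to take the SAMLRequest parameter off the redirect URL ADFS issues and inspect it. The following is an added example, not code from the original post or from ADFS or Shibboleth: it implements the SAML 2.0 HTTP-Redirect binding encoding (raw DEFLATE then base64) in both directions, builds a constructed sample AuthnRequest (the issuer and destination URLs are placeholders), and reports whether the request asks for the TimeSyncToken authentication context.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# The class reference the post says ADFS emits when wauth=TimeSyncToken is used.
TIMESYNC_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Placeholder endpoints (constructed, not from any real deployment).
SAMPLE_ISSUER = "http://adfs.example.org/adfs/services/trust"
SAMPLE_IDP_SSO = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"


def build_authn_request(class_ref=None):
    """Construct a minimal sample AuthnRequest; with class_ref set, it carries
    a RequestedAuthnContext asking for exactly that authentication context."""
    context = ""
    if class_ref:
        context = (
            '  <samlp:RequestedAuthnContext Comparison="exact">\n'
            f"    <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>\n"
            "  </samlp:RequestedAuthnContext>\n"
        )
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"\n'
        '    ID="_constructed-sample-id" Version="2.0" IssueInstant="2017-09-19T00:00:00Z"\n'
        f'    Destination="{SAMPLE_IDP_SSO}">\n'
        f"  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>\n"
        f"{context}"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_binding(saml_request_param):
    """Reverse of encode_redirect_binding: base64-decode, then raw inflate."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15).decode("utf-8")


def build_redirect_url(xml_text):
    """Assemble the URL a SP would send the browser to for this request."""
    return SAMPLE_IDP_SSO + "?" + urlencode({"SAMLRequest": encode_redirect_binding(xml_text)})


def requested_authn_context_classes(xml_text):
    """Return every AuthnContextClassRef value found in the request."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    return [el.text.strip() for el in root.iter(f"{{{SAML_NS}}}AuthnContextClassRef") if el.text]


def requires_mfa(redirect_url):
    """True if the SAMLRequest on this URL asks for the TimeSyncToken context."""
    query = parse_qs(urlparse(redirect_url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in URL")
    xml_text = decode_redirect_binding(query["SAMLRequest"][0])
    return TIMESYNC_CLASS in requested_authn_context_classes(xml_text)


if __name__ == "__main__":
    for label, req in (("MFA", build_authn_request(TIMESYNC_CLASS)), ("no MFA", build_authn_request())):
        url = build_redirect_url(req)
        print(f"{label}: requires_mfa={requires_mfa(url)} classes={requested_authn_context_classes(req)}")
```

To use this against a real ADFS instance, paste the Location header of the redirect to the CTP into requires_mfa(); the HTTP-Redirect binding is the same whether ADFS or another SP produced it. If the CTP endpoint uses the HTTP-POST binding instead, the SAMLRequest form field is plain base64 without DEFLATE, so only the decoding step changes.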


Forum info: http://www.activedir.org

kool posted this 4 weeks ago

Thanks Joe! I'm going straight from v2 to v4 and haven't played much with v3, so I don't know if it supports this functionality.

The next step is updating my performance monitoring via the ADFS PerfMon counters. I also want to log interactive authentication by setting up an event log listener.

Cheers,

Eric


joe posted this 4 weeks ago

That's nice work! Thanks for figuring this out and documenting it.
Is this an ADFS 4.0 only feature or does it also work with 3.0? I've not looked in that much detail.
Thanks again!
Joe K.



kool posted this 4 weeks ago

Closing the loop on this, there is a way to invoke a SAML CTP and require MFA. I've written a blog post to give a concrete example of how this is done.
http://blogs.uw.edu/kool/2017/10/23/adfs-4-0-shibboleth-and-mfa/

It baffles me as to why MS would design features into ADFS and then not document them although I suspect that ADFS is on the back burner along with the rest of the on-prem MS identity software. AD is dead, long live AD! The future (from a corporate perspective) is IdPaaS.

Eric

