Scenario: configure ADFS to have a SAMLP IdP as a second claims trust provider (CTP). ADFS 3/4 allows setting a per-RP policy to bypass the home-realm-discovery page and go to a specific CTP. Does anyone know if there is a way to modify the SAML AuthnRequest issued to the CTP?

With ADFS 2.x we've modified the HRD page code to bypass the UI, sending all RPs to our Shibboleth IdP. This custom code also allows us to modify the request URL to require MFA for specific RPs. It is a bit of a fortuitous hack where we change the wauth parameter to specify TimeSyncToken. When ADFS receives the modified URI it translates the wauth TimeSyncToken into a SAMLP AuthnRequest AuthnContextClassRef of TimeSyncToken (actually, in both cases it is urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken).

I've not found a way to do this with ADFS 4. Has anyone discovered a way to make this per-RP AuthnRequest modification with ADFS 4?

Thanks,

Eric


Forum info: http://www.activedir.org
Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx