ADFS forcing authentication every time a site is visited

BrianB posted this 10 November 2014

All: I am using ADFS 2012 R2 and have a department that wants to use ADFS for an application that is currently using only local accounts. I was able to get the system to use corporate accounts for authentication, but the admins want to force authentication each time a user accesses the site. Currently, once the user has authenticated and leaves the site, they are immediately allowed back in the next time they access it without having to provide credentials.

  Clearing cookies and restarting the browser does not change the behavior of allowing the user through to the site without authenticating. “Sign out” of the application does not have any effect either.

How can ADFS force sign out of users when they leave the site or when they click the button to leave the site? I am told that ADFS handles the sign-out portion as well as the sign-in portion.

Brian Britt
Senior Systems Analyst, Vanderbilt University Security Operations | VUIT Identity Operations Team | Central Directory Services
Office: (615) 322-4676 | Lync: (615) 875-9858

joe posted this 10 November 2014

So, the main points are whether you just want this behavior for this RP or for all RPs. It would seem a shame to change something globally on the ADFS side if you really only want this for this one RP.
The changes I recommended in the thread would be for the WIF configuration for the RP itself (its web.config file). 
Logout isn't really useful if WIA is in use since the user will log back in automatically. In your case, I don't really even think you need to enforce logout on the RP itself, although I suppose you could. The freshness parameter probably gets you the behavior you want in terms of being reprompted for credentials, though, regardless of login status to ADFS in general.
Joe K.



BrianB posted this 10 November 2014

Joe,

 

I also saw a setting in the adfsproperties called “PersistentSsoLifetimeMins” and “PersistentSsoCutoffTime”. It seems, though I cannot get a good document to explain these settings, that I could use these by reducing the datetime setting to force expiration and then re-auth with user input. Is my assumption correct? Although this is a global setting as well.

To be clear, as I understand what you are saying below, this is on the developer of the application’s side, correct? This is not something that is required for me, who runs the ADFS service, to configure. I keep getting into arguments with the vendor, who is stating that ADFS is supposed to control the logout method and that it is on me to configure. But based upon my research and the answers I have received here:

Adding the logout endpoint to the RP would only affect the forms-based auth. IWA would still prompt only once and uses Kerb or NTLM and then lets the user in without further input.

I can configure a global auth policy to use only forms-based auth.

- Or -

The vendor can specify the auth method in their web.config file.

Is that correct?

 

Brian

 


ZJORZ posted this 10 November 2014

>>> The SAML "password protected transport" identifier would be used here

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Kind regards,
Jorge de Almeida Pinto | JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx | +31 (0)6 26.26.62.80


joe posted this 10 November 2014

Yes, this would be in the web.config for the application. WIF allows you to change a bunch of the behaviors for the WS-Federation protocol, although the documentation on this stuff is pretty sketchy. The main points here are:

wauth allows the RP to specify a specifically required authentication method. This SHOULD override the use of WIA on the ADFS side, but I'm uncertain. The normal behavior I've seen with both SAML and WS-Fed RPs in the past is that if a specific auth method is requested, ADFS will honor that. The SAML "password protected transport" identifier would be used here. I can look up the exact string.

wfresh allows the RP to specify how fresh the login has to be. If this threshold is low enough, the user will be prompted to authenticate rather than ADFS using the user's logon accelerator cookie that may have been issued previously.

In WIF for .NET 4.0, the full config for wsFederation looks like this:

<wsFederation signOutReply="http://signoutreply" signOutQueryString="def=uvw" signInQueryString="abc=xyz" persistentCookiesOnPassiveRedirects="true" passiveRedirectEnabled="true" requireHttps="true" resource="http://resource" requestPtr="http://requestPtr" request="http://request" reply="http://reply" realm="http://realm" policy="http://policy" issuer="i" homeRealm="http://homeRealm" freshness="45" authenticationType="wauth"/>
Note all the "extra" parameters in there that may be specified?
So, you might try setting authenticationType to "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" and setting freshness to "1" or something low like that. If those parameters are not specified, you can simply add them. See how that goes...
Joe K.
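As an added illustration (not code from the thread or from WIF itself), the wauth/wfresh parameters Joe describes end up as query parameters on the WS-Federation passive sign-in redirect, and the sign-out button Tim describes later sends wa=wsignout1.0 to the same /adfs/ls/ endpoint. The block below builds both URLs, parses wauth/wfresh back out of a captured sign-in URL (as you would from a Fiddler trace), and shows the freshness check an RP can apply to the AuthenticationInstant of a received token. The ADFS host, realm and timestamps are assumed placeholders.

```python
# Added example, not from the thread: WS-Fed sign-in/sign-out URL construction
# with wauth and wfresh, plus an RP-side token freshness check.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholders: ADFS passive endpoint and the RP's realm.
ADFS_LS = "https://adfs.example.edu/adfs/ls/"
RP_REALM = "https://app.example.edu/"
# Auth-method identifier quoted in the thread (forms / password auth).
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def signin_url(realm=RP_REALM, wauth=PASSWORD_PROTECTED_TRANSPORT, wfresh=0, wctx=None):
    """Sign-in redirect asking ADFS for the given auth method and a login no
    older than wfresh minutes; wfresh=0 asks ADFS to re-prompt the user now."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wauth": wauth, "wfresh": str(wfresh)}
    if wctx:
        params["wctx"] = wctx  # opaque RP state returned unchanged by ADFS
    return ADFS_LS + "?" + urlencode(params)


def signout_url(wreply=RP_REALM):
    """Sign-out request the RP's sign-out button should redirect the browser to."""
    return ADFS_LS + "?" + urlencode({"wa": "wsignout1.0", "wreply": wreply})


def requested_freshness(url):
    """Recover (wauth, wfresh) from a captured sign-in URL; wfresh=-1 if absent."""
    q = parse_qs(urlsplit(url).query)
    return q.get("wauth", [None])[0], int(q.get("wfresh", ["-1"])[0])


def _utc(iso):
    # SAML AuthnInstant / AuthenticationInstant use ISO 8601 UTC ("...Z").
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def token_is_fresh_enough(authn_instant_iso, max_age_minutes, now_iso=None):
    """RP-side check: reject tokens whose authentication instant is older than
    max_age_minutes (or in the future); the RP then redirects with a low wfresh."""
    now = _utc(now_iso) if now_iso else datetime.now(timezone.utc)
    authn = _utc(authn_instant_iso)
    if authn > now:  # future instant: clock skew or tampering, do not accept
        return False
    return now - authn <= timedelta(minutes=max_age_minutes)
```

The RP-side check is what makes wfresh meaningful: ADFS honouring wfresh controls when it re-prompts, but only the RP can refuse a token whose authentication instant is older than the policy it wants to enforce.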



KenHooveroxfordcomputergroupcom posted this 10 November 2014

You can absolutely do this at the global level but I’m not finding a way to do it for individual RP’s. 



 

Personally, I think having per-RP AuthN options is a recipe for support confusion because the support desk person would need to get information from the user about what web app they are trying to reach as well as their browser type before being able to provide assistance.

 

 

To configure your ADFS setup to use Forms only on a global basis in ADFSv3, just look at the “Authentication Policies” element on the left side of the ADFS MMC. Click on the “Edit” link that’s highlighted and make sure that “Forms Authentication” is selected in both the upper and lower panels of the window that comes up. Uncheck anything else that’s listed. The change takes effect immediately, though there may be some replication lag if you’re using a non-SQL ADFS farm.

In pre-2012R2 ADFS, this change is made by tweaking a web.config file.

                                                  





 

 



 

Ken Hoover

 

--



Ken Hoover | Senior Consultant | Oxford Computer Group NA



 


BrianB posted this 10 November 2014

Joe,

 

I don’t follow you. Would this be something I would set in a web.config file? I am toying with the idea to turn off WIA globally. Thoughts? I cannot see a way to set the properties for indiv. RP’s?

 

Brian

 


joe posted this 10 November 2014

I haven't tried this and don't know the exact approach (or if this is easily possible with WIF) but I think if you specify both wauth and wfresh parameters on your login URL you can force forms auth (using password protected transport identifier) and new login with low wfresh value. Unfortunately I don't have time to try it right now to give you more specifics.
Joe K.



BrianB posted this 10 November 2014

Is there a way to do it just per relying party? I am a little familiar with the set-adfs… commands.



 

Brian

 

 


KenHooveroxfordcomputergroupcom posted this 10 November 2014

Hi Brian-


If what you want is for all users to have the same (forms) logon experience, you can simply shut off windows integrated auth on the ADFS side so it always presents only the forms page.

 

The way to do this is different in ADFSv3 vs earlier versions but it’s a pretty easy change in both cases.

 

I personally recommend using only forms-based auth because making all users have the same logon experience regardless of browser makes support easier.

 

Cheers,



 

Ken Hoover

 

--



Ken Hoover | Senior Consultant | Oxford Computer Group NA



 


Tspring posted this 10 November 2014

I am rusty with this, and perhaps you already looked into it, but I believe the RP application needs to reply with the sign-out information, forwarding the client to the ADFS sign-out page. I am thinking of WS-Fed scenarios specifically.

 

In the past when I’ve been involved in those concerns I started with getting a Fiddler trace of the sign-out and looking closely at what happens to make the sign-out occur.

 

What I would expect is that the user has a “sign out” button (link) which redirects them back to your IdP STS/ADFS server. That link would contain the sign-out info needed, and that would be how the client tells the ADFS server to sign this identity out of all RP sessions.

 

The link below, in Fig 17, talks about that from the point that the client has sent that sign-out via some RP or other page (in other words, the Doctor was on one of the RP STSs, like University Hospital Health Record Service, and selected sign out). This type of thing is a true Health Care scenario that I have seen before.

 

http://msdn.microsoft.com/en-us/library/bb498017.aspx



 

For reviewing the Fiddler you can look at this link:

http://social.technet.microsoft.com/wiki/contents/articles/1439.ad-fs-how-to-invoke-a-ws-federation-sign-out.aspx



 

Hope this helps.

 



Tim



 


BrianB posted this 10 November 2014

So, I would guess at this but, if I can force forms based auth, then I can force reauth each time? Now, how to figure out how to force forms based even on IE?

 

B.

 


ZJORZ posted this 10 November 2014

I would expect that checkbox to configure some authN rule in the property “AdditionalAuthenticationRules” of the RP trust, as it also happens when configuring MFA.

Kind regards,
Jorge de Almeida Pinto | JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx | +31 (0)6 26.26.62.80


ZJORZ posted this 10 November 2014

>>> What does the checkbox for Authentication policies > per relying party trust > edit authentication policy > “Users are required to provide credentials each time at sign in” do?

I have no idea. I never got it to work. I would expect that with that checked, and while using WIA on the intranet, it would still present the forms logon screen. But no, that does not happen, unfortunately. With Forms you can reauth as much as you want. With WIA it just happens automagically, unless DFA has been configured as secondary authN.

Kind regards,
Jorge de Almeida Pinto | JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx | +31 (0)6 26.26.62.80


BrianB posted this 10 November 2014

Also,

 

What does the checkbox for Authentication policies > per relying party trust > edit authentication policy > “Users are required to provide credentials each time at sign in” do?

 

I obviously tried that one first and it did not change anything. Then I tried to add the signout endpoint to the endpoints of the RP and that also did not do anything different. Users are still going straight in to the application without being prompted.



 

Brian

 


BrianB posted this 10 November 2014

Joe,

 

Yes, they are using WIA. I have briefly read about forcing forms based Auth. Can this be configured per-relying party and will that provide a means to force logout?

 I have seen some articles about adding the signout url endpoint to the relying party but that did not work in my case.




https://{DNSnameofRPSTS}/adfs/ls/?wa=wsignout1.0

 

Brian

 

 

 


joe posted this 10 November 2014

The first thing I'd want to do is look at the HTTP traffic and see how the users are actually logging in. Are they logging in with Windows Integrated authentication (/adfs/ls/wia? endpoint) or are they logging in with cookies?
If they are logging in with WIA, it will likely be difficult to force a login UI experience since WIA IS the login UI. 
Joe K.



BrianB posted this 10 November 2014

Please disregard the recall message. The request for assistance still remains.



 

Thank you,

 

Brian.

 
