Authentication type

  • Question

  • Hello All,

    If we enabled form-based authentication in our ADFS 3.0 for intranet authentication,

    which one will be applied first, WIA or form-based?

    I want form-based to be secondary and WIA should always be first.

    Please advise.


    NA

    Thursday, April 11, 2019 12:15 PM

Answers

  • Hello, WIA will be applied for internal/intranet access and form-based will be applied for external/internet access.

    Isaac Oben MCITP:EA, MCSE, MCC (View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard)

    Tuesday, April 16, 2019 5:21 AM
  • As long as the RP does not specify FBA explicitly in its redirect, the user will have to do WIA internally.

    If the browser is not supported for WIA, it will fall back to FBA, but then you can configure the list of supported browsers: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, April 18, 2019 9:51 PM

All replies

  • Hi Pie,

    We have an application which connects to ADFS for intranet-based access. It always throws the WIA. Our expectation is form-based authentication. In the global settings both WIA and FBA are checked, and WS-Federation mode.

    In your post:

    "As long as the RP does not specify FBA explicitly in its redirect, the user will have to do WIA internally"

    Does it mean there is any configuration that can be achieved for a relying party which should always work on FBA?

    Or at the application level, when we call the ADFS URL, do we need to send any parameter telling ADFS to show the FBA screen instead of WIA mode?

    We need your support and help, if you can share any link to set the FBA particularly for a relying party, or at the coding level how to tell ADFS to always open the FBA login.

    Thursday, April 25, 2019 6:33 AM
  • Hello

    Below is just an extract of what the Relying Party (application) should include in the RST (Request for Security Token) to ADFS:

    WS-Federation

    authenticationType="urn:oasis:names:tc:SAML:1.0:am:password"

    SAML 2.0 Protocol

    <saml:AuthnContextClassRef
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>

    Thursday, April 25, 2019 11:05 AM
  • Hi Moloko Velocette,

    Thanks. How and where will they add this? Can you please show it in a screenshot, since we are app developers.

    If you help with a screenshot, it will be helpful to update that in the ADFS configuration. One more thing: in ADFS they have enabled WS-Federation.

    Thursday, April 25, 2019 11:53 AM
  • Hello Isaac,

    WIA will be applied for internal/internet; however, both (Form & WIA) are enabled for internal/intranet.

    Which will be applied first?

    Regards

    Aamir Masthan


    NA

    Monday, April 29, 2019 2:21 PM
  • Hello Isaac,

    What if both WIA & form-based are enabled in intranet: which one will be applied first and which one will be the fallback?


    NA

    Thursday, May 16, 2019 12:38 PM
  • If they are using IIS then this is a setting in web.config in the <wsFederation> tag.

    https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/windows-identity-foundation/wsfederation

    Thursday, May 16, 2019 6:31 PM
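
Added example (not code from any poster in this thread): in WS-Federation passive sign-in, the `authenticationType` value quoted above, which WIF reads from the `<wsFederation>` element in web.config, travels to the STS as the `wauth` query parameter on the redirect. The sketch below builds such a redirect and classifies a captured one, so an application team can confirm whether their relying party actually asks for forms authentication. The host names and function names are hypothetical placeholders, and the Windows `wauth` URI is the value AD FS documents, not one quoted in the thread.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# wauth value quoted in the thread (forms/password authentication).
WAUTH_FORMS = "urn:oasis:names:tc:SAML:1.0:am:password"
# Not quoted in the thread: the wauth URI AD FS documents for WIA.
WAUTH_WINDOWS = "urn:federation:authentication:windows"

LABELS = {WAUTH_FORMS: "forms", WAUTH_WINDOWS: "windows-integrated"}


def build_signin_url(sts_endpoint, realm, wauth=None):
    """Build a WS-Federation passive sign-in redirect URL."""
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if wauth:
        params["wauth"] = wauth
    return sts_endpoint + "?" + urlencode(params)


def requested_auth(url):
    """Report which authentication method a sign-in redirect asks for."""
    query = parse_qs(urlsplit(url).query)
    if query.get("wa") != ["wsignin1.0"]:
        return "not-a-signin-request"
    values = query.get("wauth", [])
    if not values:
        return "unspecified"   # the STS decides; per the thread, WIA on the intranet
    if len(values) > 1:
        return "ambiguous"     # duplicated parameter: treat as a misconfiguration
    return LABELS.get(values[0], "other:" + values[0])


# Constructed sample values (placeholders, not from the thread).
STS = "https://adfs.example.com/adfs/ls/"
REALM = "https://app.example.com/"

if __name__ == "__main__":
    for url in (build_signin_url(STS, REALM),
                build_signin_url(STS, REALM, WAUTH_FORMS)):
        print(requested_auth(url), url)
```

Running `requested_auth` against the redirect URL seen in a browser trace shows "unspecified" when the relying party sends no `wauth`, which matches the always-WIA behaviour described in the thread.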