ADFS 2016 - Token Binding

Question
Hi,
According to this tweet, ADFS is already using Token Binding on the SSO cookie. When I look at the traffic it does not look like that. I have IgnoreTokenBinding set to False. Is there anything more I need to configure? How can I see that Token Binding is being used? If I got it right you should see Sec-Token-Binding in the http header?
https://twitter.com/MrADFS/status/1034462511041372165
Kind regards,
Andreas
Wednesday, April 24, 2019 9:30 AM
Answers
It will issue the claim tokenbindingid1.0 in your token.
It will look like this in a SAML1 token:
<saml:Attribute AttributeName="tokenbindingid1.0" AttributeNamespace="http://schemas.microsoft.com/2015/12/devicecontext/claims" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims"> <saml:AttributeValue>Db0Z6ZCIMqGNEWodvpKjLTfHHAYev2ffy0hYsYVqIo0</saml:AttributeValue> </saml:Attribute>
In a SAML2 token:
<Attribute Name="http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid1.0" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims"> <AttributeValue>Db0Z6ZCIMqGNEWodvpKjLTfHHAYev2ffy0hYsYVqIo0</AttributeValue> </Attribute>
In an OAuth JSON token:
"cnf":"{ \"tbh\":\"Db0Z6ZCIMqGNEWodvpKjLTfHHAYev2ffy0hYsYVqIo0\" }"
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
- Edited by Pierre Audonnet [MSFT]Microsoft employee Monday, May 6, 2019 6:32 PM phrasing
- Proposed as answer by MolokoVelocette Tuesday, May 7, 2019 8:07 PM
- Marked as answer by Hamid Sadeghpour SalehMVP Thursday, September 5, 2019 8:00 AM
Monday, May 6, 2019 6:15 PM
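An added example, not from this thread or from ADFS itself: a small Python helper that checks whether an issued token carries the tokenbindingid1.0 claim in the three shapes listed in the answer (SAML 1.1 attribute, SAML 2.0 attribute, OAuth cnf/tbh), including the ADFS quirk that cnf arrives as a JSON string rather than an object. The SAML assertion namespaces are the standard ones (assumed here), and the sample tokens are constructed, using the claim value quoted in the answer.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Claim identifiers from the answer above; SAML assertion namespaces are the standard values (assumed).
TB_NS = "http://schemas.microsoft.com/2015/12/devicecontext/claims"
TB_NAME = "tokenbindingid1.0"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

def _b64url(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_tbh(jwt: str):
    """Return the tbh value from a JWT cnf claim, or None. ADFS emits cnf as a JSON
    *string* (see the answer above) while RFC 7800 uses an object; handle both."""
    payload = json.loads(_b64url(jwt.split(".")[1]))
    cnf = payload.get("cnf")
    if isinstance(cnf, str):  # "cnf":"{ \"tbh\":\"...\" }"
        cnf = json.loads(cnf)
    return cnf.get("tbh") if isinstance(cnf, dict) else None

def saml_tbid(xml_text: str):
    """Return the tokenbindingid1.0 attribute value from a SAML 1.1 or 2.0 assertion, or None."""
    root = ET.fromstring(xml_text)
    # SAML 1.x splits the claim into AttributeName/AttributeNamespace; SAML 2.0 uses one URI.
    for attr in root.iter(f"{{{SAML1}}}Attribute"):
        if attr.get("AttributeName") == TB_NAME and attr.get("AttributeNamespace") == TB_NS:
            return attr.findtext(f"{{{SAML1}}}AttributeValue")
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        if attr.get("Name") == f"{TB_NS}/{TB_NAME}":
            return attr.findtext(f"{{{SAML2}}}AttributeValue")
    return None

# Constructed samples (not real ADFS output): the claim value below is the one quoted in the answer.
TBH = "Db0Z6ZCIMqGNEWodvpKjLTfHHAYev2ffy0hYsYVqIo0"

def sample_jwt() -> str:
    """Unsigned JWT shaped like the OAuth case above; the empty signature is deliberate."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    header, payload = {"alg": "none"}, {"sub": "user", "cnf": json.dumps({"tbh": TBH})}
    return f"{enc(header)}.{enc(payload)}."

SAML1_SAMPLE = (f'<saml:Assertion xmlns:saml="{SAML1}"><saml:AttributeStatement>'
    f'<saml:Attribute AttributeName="{TB_NAME}" AttributeNamespace="{TB_NS}">'
    f'<saml:AttributeValue>{TBH}</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion>')
SAML2_SAMPLE = (f'<Assertion xmlns="{SAML2}"><AttributeStatement><Attribute Name="{TB_NS}/{TB_NAME}">'
    f'<AttributeValue>{TBH}</AttributeValue></Attribute></AttributeStatement></Assertion>')
```

Finding the claim only shows that ADFS received a Token Binding ID for that request; it does not by itself verify the binding against the client's Sec-Token-Binding header, and the checker does not validate token signatures.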
All replies
The details are explained here: https://docs.microsoft.com/en-us/windows-server/security/token-binding/introducing-token-binding
Tuesday, April 30, 2019 7:04 PM
Thanks!
Although, I cannot find there how ADFS is making use of token binding?
Thursday, May 2, 2019 2:36 PM
It is not an ADFS feature, it is an OS feature. ADFS is "using" it as long as the participating OS/user-agent are compatible. When possible, it is leveraged. And this is sometimes an issue. If all conditions are met but the token info does not match (bug, incompatibilities, incorrect implementations...), then the access to the ADFS service will fail.
So you can configure ADFS to ignore this and continue
Set-ADFSProperties -IgnoreTokenBinding:$true
There is also a claim that gets added to the pipeline when it has been used, so technically, it can be leveraged in claim rules.
Friday, May 3, 2019 6:23 PM
Thanks! I have configured
Set-ADFSProperties -IgnoreTokenBinding:$false
If I got it right, it should then use token binding if I use Edge on a Windows 10 with latest updates?
Can I verify that token binding is being used in some way?
- Edited by Andreas Norström Monday, May 6, 2019 11:16 AM
Monday, May 6, 2019 11:15 AM