ADFS 2016 - Token Binding

  • Question

  • Hi,

    According to this tweet, ADFS is already using Token Binding on the SSO cookie. When I look at the traffic it does not look like that. I have IgnoreTokenBinding set to False. Is there anything more I need to configure? How can I see that Token Binding is being used? If I got it right, you should see Sec-Token-Binding in the HTTP header?

    https://twitter.com/MrADFS/status/1034462511041372165

    Kind regards,
    Andreas


    AN

    Wednesday, April 24, 2019 9:30 AM

Answers

  • It will issue the claim tokenbindingid1.0 in your token.

    It will look like this in a SAML1 token:

    <saml:Attribute AttributeName="tokenbindingid1.0" AttributeNamespace="http://schemas.microsoft.com/2015/12/devicecontext/claims" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
    	<saml:AttributeValue>Db0Z6ZCIMqGNEWodvpKjLTfHHAYev2ffy0hYsYVqIo0</saml:AttributeValue>
    </saml:Attribute>

    In a SAML2 token:

    <Attribute Name="http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid1.0" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
    	<AttributeValue>Db0Z6ZCIMqGNEWodvpKjLTfHHAYev2ffy0hYsYVqIo0</AttributeValue>
    </Attribute>

    In an OAuth JSON token:

    "cnf":"{
      \"tbh\":\"Db0Z6ZCIMqGNEWodvpKjLTfHHAYev2ffy0hYsYVqIo0\"
    }"


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Monday, May 6, 2019 6:15 PM
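The check the asker is after, as an added example that is not part of the thread: a PowerShell helper that reads the tokenbindingid1.0 claim out of a token ADFS issued, in the three shapes the answer shows (SAML 1.1 attribute, SAML 2.0 attribute, and the cnf/tbh member of a JWT). The sample tokens below are constructed for the example, not real ADFS output: the JWT uses alg "none" only so the sample is self-contained, and the relying-party identifier urn:example:rp is made up. The helper inspects claims only; it does not validate signatures.

```powershell
# Added example, not part of the original thread: inspect a token ADFS issued and report the
# tokenbindingid1.0 claim, which is only present when Token Binding was in effect.
# Handles the SAML 1.1, SAML 2.0 and JWT shapes from the answer above.
# Inspection only: signatures are NOT validated here.

$TbClaimType = 'http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid1.0'

function ConvertFrom-Base64UrlString {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s))
}

function ConvertTo-Base64UrlString {
    param([Parameter(Mandatory)][string]$Text)
    [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-TokenBindingId {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Token)

    if ($Token.TrimStart().StartsWith('<')) {
        # SAML assertion. Match on local names so the saml: prefix (1.1) or the default namespace (2.0) does not matter.
        [xml]$doc = $Token
        foreach ($attr in $doc.SelectNodes("//*[local-name()='Attribute']")) {
            $isSaml1 = ($attr.GetAttribute('AttributeName') -eq 'tokenbindingid1.0') -and
                       ($attr.GetAttribute('AttributeNamespace') -eq 'http://schemas.microsoft.com/2015/12/devicecontext/claims')
            $isSaml2 = $attr.GetAttribute('Name') -eq $TbClaimType
            if ($isSaml1 -or $isSaml2) {
                return $attr.SelectSingleNode("*[local-name()='AttributeValue']").InnerText
            }
        }
        return $null
    }

    # JWT: header.payload.signature, each base64url encoded. Only the payload is decoded.
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Input is neither a SAML assertion nor a JWT' }
    $payload = ConvertFrom-Base64UrlString $parts[1] | ConvertFrom-Json
    if ($null -eq $payload.cnf) { return $null }
    $cnf = $payload.cnf
    # ADFS serialises cnf as a JSON string (as in the answer above); RFC 7800 uses a nested object. Accept both.
    if ($cnf -is [string]) { $cnf = $cnf | ConvertFrom-Json }
    return $cnf.tbh
}

# --- Constructed samples (not real ADFS output), using the claim shapes from the answer ---
$tbId = 'Db0Z6ZCIMqGNEWodvpKjLTfHHAYev2ffy0hYsYVqIo0'

$saml1 = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="tokenbindingid1.0" AttributeNamespace="http://schemas.microsoft.com/2015/12/devicecontext/claims" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
      <saml:AttributeValue>$tbId</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@

$saml2 = @"
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <AttributeStatement>
    <Attribute Name="$TbClaimType" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
      <AttributeValue>$tbId</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"@

# Unsigned JWT with alg "none" purely so the sample is self-contained; a real ADFS token is signed.
# "urn:example:rp" is an assumed relying-party identifier.
$jwtPayload = '{"aud":"urn:example:rp","cnf":"{\"tbh\":\"' + $tbId + '\"}"}'
$jwt = (ConvertTo-Base64UrlString '{"alg":"none","typ":"JWT"}') + '.' + (ConvertTo-Base64UrlString $jwtPayload) + '.'

# A token without the claim: Token Binding was not in effect for that request.
$jwtNoTb = (ConvertTo-Base64UrlString '{"alg":"none","typ":"JWT"}') + '.' + (ConvertTo-Base64UrlString '{"aud":"urn:example:rp"}') + '.'

foreach ($t in @($saml1, $saml2, $jwt, $jwtNoTb)) {
    $id = Get-TokenBindingId -Token $t
    if ($id) { "Token Binding in effect, tbh = $id" } else { "No tokenbindingid1.0 claim: Token Binding was not in effect" }
}
```

To use it on a real token, paste the SAML assertion (for example from a SAML tracer) or the access token string into `Get-TokenBindingId -Token`. An absent claim tells you Token Binding was not negotiated for that request; it says nothing about why, which is where the OS and user-agent requirements in the replies below come in.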

All replies

  • The details are explained here: https://docs.microsoft.com/en-us/windows-server/security/token-binding/introducing-token-binding

    Tuesday, April 30, 2019 7:04 PM
  • Thanks!

    Although, I cannot find there how ADFS is making use of token binding?


    AN

    Thursday, May 2, 2019 2:36 PM
  • It is not an ADFS feature; it is an OS feature. ADFS is "using" it as long as the participating OS/user-agent are compatible. When possible, it is leveraged. And this is sometimes an issue. If all conditions are met but the token info is not matching (bug, incompatibilities, incorrect implementations...), then the access to the ADFS service will fail.

    So you can configure ADFS to ignore this and continue:

    Set-ADFSProperties -IgnoreTokenBinding:$true

    There is also a claim that gets added to the pipeline when it has been used, so technically, it can be leveraged in claim rules.


    Friday, May 3, 2019 6:23 PM
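As an added example, not from the thread or from Microsoft's documentation: the PowerShell to check and set IgnoreTokenBinding as the reply above describes, with the lenient and the strict setting side by side, plus an issuance transform rule that passes the tokenbindingid1.0 claim through to a relying party so it can be seen in the issued token. The relying party name urn:example:rp and the rule name are assumptions; run it on an ADFS 2016 server with the ADFS module.

```powershell
# Added example, not part of the original thread. Run on an ADFS 2016 server.
Import-Module ADFS

# Current setting. $true = ADFS ignores a mismatch between the token binding in the
# SSO cookie and the TLS channel and continues; $false = the request fails instead.
$current = (Get-AdfsProperties).IgnoreTokenBinding
"IgnoreTokenBinding is currently $current"

# Lenient setting (the workaround from the reply above; hides mismatches):
# Set-AdfsProperties -IgnoreTokenBinding $true
# Strict setting, keep the check:
Set-AdfsProperties -IgnoreTokenBinding $false

# The tokenbindingid1.0 claim is in the pipeline when Token Binding was used. Pass it
# through to a relying party so it appears in the issued token and can be inspected.
$rpName      = 'urn:example:rp'   # assumption: the name of your relying party trust
$tbClaimType = 'http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid1.0'

$passThroughRule = @"
@RuleName = "Pass through Token Binding id"
c:[Type == "$tbClaimType"]
 => issue(claim = c);
"@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
# Append the rule only once; existing rules are kept.
if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($tbClaimType)) {
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules ($rp.IssuanceTransformRules + "`r`n" + $passThroughRule)
}
```

The pass-through rule makes the claim visible for troubleshooting; it does not change whether Token Binding is enforced, which is governed by IgnoreTokenBinding alone.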
  • Thanks! I have configured

    Set-ADFSProperties -IgnoreTokenBinding:$false

    If I got it right, it should then use token binding if I use Edge on Windows 10 with the latest updates?

    Can I verify that token binding is being used in some way?


    AN



    Monday, May 6, 2019 11:15 AM