Certificate Authentication as Primary method in ADFS 2016

  • Question

  • I want to check whether there is a way to manage the authentication method per relying party in ADFS 2016. We have a requirement wherein the users of a particular relying party want to use certificate authentication as the primary method.

    I see that in ADFS 2016 under Authentication Methods there is no longer option of Per Relying Party Trust which was there in ADFS 3.0.

    Monday, November 6, 2017 8:27 AM

All replies

  • We are struggling to accomplish the same. We have about 60+ Relying Party Trusts, and just for one we need Certificate Authentication without changing the Primary Authentication Methods. If we do so, everyone has to manually choose to use a certificate or log in "the normal way".

    Did you ever accomplish this?

    Wednesday, December 6, 2017 1:50 PM
  • You can configure the application to explicitly request the certificate auth. Is your app WS-Fed or SAML?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, December 12, 2017 3:23 PM
  • You can configure the application to explicitly request the certificate auth. Is your app WS-Fed or SAML?

    It is SAML. But the SAP software in this case cannot be adjusted to request Certificate Authentication.
    Wednesday, December 13, 2017 6:14 AM
  • We are looking for SAP Fiori to use certificate authentication as the primary method. What we really need is that when the user hits authentication on the ADFS side, certificate authentication should kick in automatically.

    @Wimlem: I did this in ADFS 2.0 because of IIS. I modified HomeRealmDiscovery.aspx to trap the kind of device and present the type of authentication. I also changed the order of authentication and put certificate authentication first. However, these flexibilities are no longer there in the current version. Due to this we are still running a separate ADFS 2.0 environment to support this application.

    Friday, December 15, 2017 11:28 AM
  • You could use a JavaScript trick for the RP: enable both FBA (or whatever other type) and Certificate Based Authentication and redirect the user to cert automatically.

    First extract the content of the default (or custom used) template:

    Export-AdfsWebTheme -Name Default -DirectoryPath C:\ForceCBA

    Then modify the file C:\ForceCBA\script\onload.js and add to the end:

    // If the sign-in page offers the certificate option, select it automatically
    if ( document.getElementById('CertificateAuthentication') ) {
        SelectOption('CertificateAuthentication');
    }

    Then inject this script as a custom webtheme part in your RP (in my example the RP's name is "Sample"):

    Set-AdfsRelyingPartyWebTheme -OnLoadScriptPath "C:\ForceCBA\script\onload.js" -TargetRelyingPartyName "Sample"

    It will redirect the user directly to the certificate auth page.

    You can even block the access if the user is by mistake using FBA by creating an authorization rule which issues a Deny claim if the http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod is not http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient or http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509.

    What do you think?


    Friday, December 15, 2017 9:18 PM
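As an added example (not code from the thread or from Microsoft), here is the Deny authorization rule described in the previous post written out in ADFS claim rule language and applied with the ADFS PowerShell cmdlets. The RP name "Sample" is the one used in that post; the backup path is an assumption.

```powershell
# Added example: restrict the "Sample" RP to certificate-authenticated sessions.
# Assumes it is run on a federation server with the ADFS module available.
Import-Module ADFS

$rpName = "Sample"   # relying party name from the post above

# Standard ADFS claim types (not invented here)
$authMethodType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$denyType       = "http://schemas.microsoft.com/authorization/claims/deny"
$permitType     = "http://schemas.microsoft.com/authorization/claims/permit"

# Rule 1: if no authenticationmethod claim ends in tlsclient or x509, issue a Deny claim.
# Rule 2: permit everyone else. A Deny claim always wins over Permit, so an FBA
# session that slipped past the onload.js redirect still gets no token.
$rules = @"
@RuleName = "Deny unless authenticated with a certificate"
NOT EXISTS([Type == "$authMethodType", Value =~ "/authenticationmethod/(tlsclient|x509)$"])
 => issue(Type = "$denyType", Value = "DenyUsersWithoutCertAuth");

@RuleName = "Permit all other users"
 => issue(Type = "$permitType", Value = "true");
"@

# Keep a copy of the current rules before replacing them (assumed backup path).
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceAuthorizationRules | Out-File "C:\ForceCBA\$rpName-authz-rules.bak"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Check what is now in effect for the RP
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test with one certificate sign-in and one forms sign-in against the RP before rolling it out; the forms sign-in should end on the ADFS "access denied" page and the event log will show the Deny claim.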
  • This works perfectly for me. The certificate pops up immediately!
    Wednesday, December 20, 2017 8:57 AM
  • Does anyone know how to configure this for form-based auth?
    Wednesday, February 28, 2018 2:12 PM
  • What is base auth?

    Please open a new thread as this one is marked as resolved and will not attract the community members' attention.


    Thursday, March 1, 2018 1:02 AM
  • Did you ever find the answer to force Forms Auth per relying party?
    Tuesday, October 9, 2018 4:35 PM
  • Please open a new thread if you have another question. This thread is about Certificate Based Authentication.


    Tuesday, October 9, 2018 6:20 PM