ADFS 3 MFA Require Logon Every Time Mobile Devices

  • Question

  • We are working on an application on ADFS 3.0 that uses MFA (RSA).  We have checked 'Users are required to provide credentials at each logon'.  Now this works as expected when using a desktop browser as I assume the session cookie is deleted when the browser is closed.

    The issue is on mobile devices (testing Galaxy S5) where browsers such as Chrome and Firefox always allow the user straight to the application without asking for credentials, after first logon.  I assume the session cookie is not being removed because I can delete all cookies manually and it will ask for credentials the next time.

    Does anyone have options to require the user to enter the RSA code at every logon on mobile devices?

    I am also looking into the token lifetimes and SSO lifetimes, but without affecting the rest of the applications on the ADFS server.

    Friday, January 13, 2017 3:53 PM

All replies

  • Hi Vaadadmin2010,

    That option just means - if the user is redirected back to the ADFS server to authenticate - always prompt for credentials even if they have a valid SSO token already.

    On your devices, most likely you aren't actually closing the browser, instead you are just hiding the browser between connections to the application, so the Relying Party is considering that the user is still logged in and never redirecting back to ADFS.

    If you want to test this functionality on a mobile device, either kill the browser application using a task killer or create a private browsing window to access the application, then close the private browsing window, open another and try again.

    Good Luck!

    Shane

    Friday, January 13, 2017 6:02 PM
  • Thank you for the reply.  That is exactly what is happening; the session cookie is not being deleted/expired because the browser is not closing completely.  Is there a way to resolve this on the ADFS/RP side?  It is not realistic to tell everyone to delete their cookies after every browsing session on a mobile device, because they will not do it.
    Tuesday, January 17, 2017 2:34 PM
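The per-relying-party settings the question asks about, as an added example that is not from any poster in this thread. It assumes ADFS 2012 R2 (ADFS 3.0), that the RP name and the 15-minute value are placeholders, and that the application is a WIF/WS-Federation RP whose session cookie validity follows the ADFS-issued token lifetime (the WIF default, which should be confirmed on the RP itself).

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# session on the ADFS server. Values below are placeholders.
$rpName = "<display name of your relying party trust>"   # placeholder

# Record the current per-RP settings before changing anything.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AlwaysRequireAuthentication, TokenLifetime

# 'Users are required to provide credentials at each logon' in the GUI is the
# AlwaysRequireAuthentication flag. As Shane's reply says, it only matters once
# the RP redirects the user back to ADFS; it does nothing while the RP's own
# session cookie is still valid.
# TokenLifetime (minutes, 0 = use the global default) bounds how long the RP
# may treat the user as signed in before it has to come back to ADFS, and it
# is scoped to this one trust, so other applications are unaffected.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AlwaysRequireAuthentication $true `
    -TokenLifetime 15

# The SSO lifetime is a farm-wide property that applies to every RP, so it is
# the wrong knob when only one application needs the tighter behaviour.
Get-AdfsProperties | Select-Object SsoLifetime

# Verify the change took effect for this trust only.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AlwaysRequireAuthentication, TokenLifetime
```

After the issued token expires, a WIF RP with default settings drops its session and redirects to ADFS, where AlwaysRequireAuthentication forces the credential and MFA prompt again; an RP that sets its own longer cookie lifetime will need that lifetime shortened on the RP side as well.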