Is Internal Form Based Authentication per Application/Partner on ADFS Server 2012 R2 (3.0) doable? The options seem to be there but I can't get it to work.

  • Question

  • Hi Everyone, 

    We have set up ADFS Server 2012 R2 (3.0) in our company to federate with other partners. Currently we have two partners whose applications we access using ADFS, and this works great. Internally, SSO kicks in and automatically logs in our users. Externally, users use Form Based Authentication, and that works great too. A concern was brought up that since internally single sign-on automatically logs users in, what would happen if someone were to pass by a user's station while the user has walked away and simply click on the application URL. I know, users should always lock their stations and they should be using their own accounts, that's a given. Then again, both applications have a "Logout" button that, when clicked, does seem to log them out in a way, but if they click on the URL once again SSO kicks in and logs them in automatically again.

    Now, a recent task was given to us to see if there is a way to enable form based authentication for only one of the Relying Parties (Applications) while the user is logged in internally (Externally is already doing that). That way when users were to access our partner's application URL SSO wouldn't kick in, instead they would be stopped on our ADFS Logon Page so they could login. Ideally, this seems like a doable task given that these options seem to reside on the ADFS Console. 

    I have checked the option "Users are Required to Provide Credentials each time at sign in" on the application/partner where I want this to occur. I also enabled "Forms Authentication" in the Global Policy (Windows Authentication is enabled as well by default). However, this does not seem to do any good; I don't see any difference when accessing this application, I still get the same SSO experience. Shouldn't I be stopped at our ADFS logon page to authenticate first using forms?

    The only way that seems to work is if I disable "Windows Authentication" in the Global Policy, but this breaks SSO for all of our partners, and I only want to do so for one. Is this something that can be done from ADFS itself? Will the application owners have to do something on their side as well for this to take effect properly (they said no, btw)? Has anyone come across this type of scenario? Please share your thoughts on this, any input is greatly appreciated. Thank you!

    I came upon the article below and they seem to be trying to achieve the same thing we are, but there's no clear answer...

    https://social.msdn.microsoft.com/Forums/vstudio/en-US/6cdbe7f7-3eac-4437-aac6-0d6f0c0604fa/force-a-relying-party-to-always-use-forms-based-authentication-in-adfs-30?forum=Geneva

    Thursday, July 7, 2016 3:46 AM

Answers

  • The authentication policies are based on the user's location: extranet or intranet. This detection is made based on one condition: if the user authenticates through a WAP server (aka ADFS proxy) then they are considered an extranet user and the respective policy is applied. If not, the intranet policy applies.

    The policies are global for the farm. If you want a specific application to derogate from the policy you have two options:

    1. Configure the application to explicitly request form based authentication. When the user is redirected from the application to the ADFS farm, the application will add something specific to the request that will force the form based authentication (what to add varies depending on the type of trust: WS-Fed or SAML2).
    2. Ensure that the users of this application resolve the URL of the ADFS farm to the WAP farm; then the extranet policy will apply to them. But this will be for all applications used by these users.

    There is a 3rd alternative option, which consists of playing with the user agent string. When users fall under the intranet settings of the authentication policy they should do SSO through Windows Integrated Authentication. But if the client is not supported (based on the user agent string of the browser), the user will be presented with the form for authentication despite the fact that they are connected internally. You can play with this fallback by changing the user agent string of the browsers, if ever that is a possibility in your case. That will also be global for all the apps the user is accessing with this browser.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Thursday, July 7, 2016 12:41 PM
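Option 1 above is vague about what the relying party actually puts on the wire. The following is an added example, not code from the thread or from any of the products mentioned, showing the two request-side switches AD FS understands: for WS-Federation, the `wauth` query parameter set to the password authentication-method URI (`urn:oasis:names:tc:SAML:1.0:am:password`, versus `urn:federation:authentication:windows` for WIA), and for SAML 2.0, a `RequestedAuthnContext` carrying `urn:oasis:names:tc:SAML:2.0:ac:classes:Password` in the `AuthnRequest`. Both are combined with a re-authentication flag (`wfresh=0` for WS-Fed, `ForceAuthn="true"` for SAML-P): forcing fresh authentication alone does not help on the intranet, because WIA satisfies it silently, which is the behaviour the original poster saw with the per-RP checkbox. The hostnames, realm and issuer values are hypothetical. AD FS will only honour the password request if Forms Authentication is enabled in the intranet policy alongside Windows Authentication, which is the configuration the poster already has.

```python
import base64
import datetime
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

# Hypothetical endpoints and identifiers (not from the original thread).
ADFS_BASE = "https://adfs.example.com/adfs/ls/"
WSFED_REALM = "https://partnerapp.example.net/"              # RP identifier (wtrealm)
SAML_ISSUER = "https://partnerapp.example.net/saml/metadata"  # RP entityID
SAML_ACS = "https://partnerapp.example.net/saml/acs"

# Authentication-method URIs AD FS accepts in the WS-Fed wauth parameter.
WAUTH_FORMS = "urn:oasis:names:tc:SAML:1.0:am:password"
WAUTH_WINDOWS = "urn:federation:authentication:windows"

# SAML 2.0 authentication-context class AD FS maps to its forms handler.
SAML_AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def wsfed_signin_url(wtrealm, wctx="", force_forms=True, fresh=True):
    """WS-Federation sign-in redirect the RP sends the browser to.

    wauth  pins the AD FS handler (password URI = forms page).
    wfresh=0 tells AD FS not to satisfy the request from an existing SSO session.
    """
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm}
    if wctx:
        params["wctx"] = wctx
    if force_forms:
        params["wauth"] = WAUTH_FORMS
    if fresh:
        params["wfresh"] = "0"
    return ADFS_BASE + "?" + urllib.parse.urlencode(params)


def saml_authn_request(force_forms=True, force_authn=True, now=None):
    """Unsigned SAML 2.0 AuthnRequest (bytes) for the HTTP-Redirect binding."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": ADFS_BASE,
        "AssertionConsumerServiceURL": SAML_ACS,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")       # do not reuse the existing session
    ET.SubElement(req, "{%s}Issuer" % SAML).text = SAML_ISSUER
    if force_forms:
        # Comparison="exact" asks the IdP for exactly this context class.
        rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % SAMLP,
                            {"Comparison": "exact"})
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = SAML_AC_PASSWORD
    return ET.tostring(req, encoding="utf-8")


def saml_redirect_url(xml_bytes, relay_state=""):
    """Encode the AuthnRequest as SAMLRequest=base64(raw-deflate(xml))."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return ADFS_BASE + "?" + urllib.parse.urlencode(params)


def query_params(url):
    """Single-valued query string parameters of a URL (what AD FS parses)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {k: v[0] for k, v in qs.items()}


def decode_saml_request(url):
    """Inverse of saml_redirect_url: recover the AuthnRequest XML from the redirect."""
    raw = base64.b64decode(query_params(url)["SAMLRequest"])
    return zlib.decompress(raw, -15)


def requested_authn_context(xml_bytes):
    """AuthnContextClassRef values an AuthnRequest asks for (empty if none)."""
    root = ET.fromstring(xml_bytes)
    return [e.text for e in root.iter("{%s}AuthnContextClassRef" % SAML)]


if __name__ == "__main__":
    print(wsfed_signin_url(WSFED_REALM, wctx="rm=0&id=passive"))
    xml = saml_authn_request()
    print(xml.decode())
    print(requested_authn_context(decode_saml_request(saml_redirect_url(xml))))
```

A production AuthnRequest for the Redirect binding would also be signed (`SigAlg` and `Signature` parameters over the query string); that is omitted here because the point is the authentication-context request, not the signature. The `decode_saml_request` helper is handy when checking, from a captured redirect, whether a vendor's application really sends what it claims.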

All replies

  • Thanks for the insight Pierre! This gives us a better understanding of our situation. We will discuss this with the vendor again as option 1 seems the most ideal. Options 2 / 3 won't work for us since they will also affect other applications we have federated with. Although ADFS Server 2012 R2 is much more user friendly, I still find it very misleading that a checkbox that says "Users are Required to Provide Credentials Each Time at Sign In" is present per Relying Party, almost making it seem as if this was an easy task, when in fact it is not something that can easily be accomplished.
    Monday, July 11, 2016 8:48 PM
  • Hi, do you have any references/code examples of what a developer would need to specify to explicitly request FBA when using WS-Fed?


    Monday, November 6, 2017 1:51 PM
  • Hi All. I had a similar case open and was referred to this article:

    https://msdn.microsoft.com/en-in/library/hh599318.aspx

    I am still working on my case and trying to get the Application Vendor to request forms based auth, but I'm looking for other solutions as well.

    -Brian

    Wednesday, November 15, 2017 8:33 PM