ADFS 3.0 Forms Only Authentication for specific Relying Party Trust

  • Question

  • Dear All.

    We have an application which should allow access to users with specific AD attributes, and if the user who has been logged in (by WIA or Form) does not have such an attribute we should redirect him to ADFS Forms Based auth even if he/she has already been authorized by WIA.

    Some users have 2 accounts one of this accounts is used for work on workstation and the other one is for that specific application.

    Did someone do anything similar to that?


    Friday, December 2, 2016 1:31 PM

Answers

  • If the application is using WS-Federation, you can modify the web.config file (or any equivalent that stores the trust config) and add the following:

     <federatedAuthentication>
       <wsFederation
         ...
         authenticationType="urn:oasis:names:tc:SAML:1.0:am:password"
         ...
       />
     </federatedAuthentication>

    Or if it is SAML2 type of trust, you can modify the samlp:RequestedAuthnContext to add something like:

    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
      <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, December 5, 2016 3:38 AM
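An added example (not part of the thread, and not Microsoft's or WIF's code) showing the two requests the answer above describes and the check the relying party still has to make on the way back: a SAML 2.0 AuthnRequest carrying RequestedAuthnContext with Comparison="exact", the WS-Federation sign-in URL whose wauth parameter is what WIF derives from the authenticationType setting, and a verifier that refuses a response whose AuthnContextClassRef is anything other than the one requested. Hostnames, the sample responses and the `_sample_response` helper are constructed for the example; `WINDOWS_AUTH` is the authentication-method URI AD FS reports for Windows Integrated Authentication.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Context the SAML 2.0 trust asks for (from the answer above).
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Authentication-method URI AD FS reports when the user came in via WIA.
WINDOWS_AUTH = "urn:federation:authentication:windows"
# wauth value that matches the WS-Federation authenticationType above.
WSFED_PASSWORD_AUTH = "urn:oasis:names:tc:SAML:1.0:am:password"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, destination, authn_class=PASSWORD_PROTECTED_TRANSPORT):
    """Unsigned SAML 2.0 AuthnRequest demanding exactly `authn_class`.
    Sign it as your trust settings require before sending it to AD FS."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_class
    return ET.tostring(root, encoding="unicode")


def requested_authn_context(request_xml):
    """(Comparison, [class refs]) as read back from a serialized AuthnRequest."""
    rac = ET.fromstring(request_xml).find(f"{{{SAMLP}}}RequestedAuthnContext")
    return rac.get("Comparison"), [e.text for e in rac.iter(f"{{{SAML}}}AuthnContextClassRef")]


def wsfed_signin_url(adfs_signin_endpoint, realm, wauth=WSFED_PASSWORD_AUTH):
    """WS-Federation sign-in redirect; wauth carries the requested method."""
    return adfs_signin_endpoint + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": realm, "wauth": wauth})


def assertion_authn_classes(response_xml):
    """Every AuthnContextClassRef found in the response's AuthnStatements."""
    return [e.text for e in ET.fromstring(response_xml).iter(f"{{{SAML}}}AuthnContextClassRef")]


def authn_context_satisfied(response_xml, required=PASSWORD_PROTECTED_TRANSPORT):
    """RP-side enforcement: asking for a method is not the same as getting it.
    Run this after (never instead of) XML signature validation."""
    classes = assertion_authn_classes(response_xml)
    return bool(classes) and all(c == required for c in classes)


def _sample_response(authn_class):
    # Constructed, unsigned, minimal response used only to exercise the check.
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{authn_class}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


SAMPLE_PASSWORD_RESPONSE = _sample_response(PASSWORD_PROTECTED_TRANSPORT)
SAMPLE_WIA_RESPONSE = _sample_response(WINDOWS_AUTH)

if __name__ == "__main__":
    print(build_authn_request("https://app.example.test", "https://app.example.test/acs",
                              "https://adfs.example.test/adfs/ls/"))
    print(wsfed_signin_url("https://adfs.example.test/adfs/ls/", "https://app.example.test/"))
    print("password response accepted:", authn_context_satisfied(SAMPLE_PASSWORD_RESPONSE))
    print("WIA response accepted:", authn_context_satisfied(SAMPLE_WIA_RESPONSE))
```

The last function is the part the question actually hinges on: the application is only guaranteed a fresh password login if it rejects an assertion that says the user was authenticated some other way, otherwise a user whose browser already holds a WIA session can still reach the application under the wrong account.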

All replies

  • If you want an application to redirect to ADFS and ask for Form Based Authentication the application has to request for it.

    If the application does not ask for it, ADFS will follow its authentication policy which by default will be:

    • WIA for internal users using a compatible user agent (browsers)
    • WIA for internal users using a non-compatible user agent (browsers)
    • FBA for external users (meaning they are going through a WAP server)

    The list of compatible user agents is governed by the property WIASupportedUserAgents which by default is:

    (Get-AdfsProperties).WIASupportedUserAgents
    #Output:
    #MSAuthHost/1.0/In-Domain
    #MSIE 6.0
    #MSIE 7.0
    #MSIE 8.0
    #MSIE 9.0
    #MSIE 10.0
    #Trident/7.0
    #MSIPC
    #Windows Rights Management Client
    #MS_WorkFoldersClient
    #=~Windows\s*NT.*Edge


    Friday, December 2, 2016 4:34 PM
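An added example (not part of the thread) that evaluates browser user-agent strings against the default WIASupportedUserAgents list quoted above, so an administrator can predict which clients AD FS will treat as WIA-capable before changing the list with Set-AdfsProperties -WIASupportedUserAgents. Entries prefixed `=~` are regular expressions, as the last default entry shows; treating the plain entries as substring matches is an assumption of this example, and the user-agent strings are constructed.

```python
import re

# Default list as printed by (Get-AdfsProperties).WIASupportedUserAgents above.
DEFAULT_WIA_SUPPORTED_USER_AGENTS = [
    "MSAuthHost/1.0/In-Domain",
    "MSIE 6.0",
    "MSIE 7.0",
    "MSIE 8.0",
    "MSIE 9.0",
    "MSIE 10.0",
    "Trident/7.0",
    "MSIPC",
    "Windows Rights Management Client",
    "MS_WorkFoldersClient",
    r"=~Windows\s*NT.*Edge",
]


def matching_wia_entry(user_agent, supported=DEFAULT_WIA_SUPPORTED_USER_AGENTS):
    """Return the list entry that classifies `user_agent` as WIA-capable, or None.
    '=~' entries are regular expressions; plain entries are matched as substrings
    (assumption of this example)."""
    for entry in supported:
        if entry.startswith("=~"):
            if re.search(entry[2:], user_agent):
                return entry
        elif entry in user_agent:
            return entry
    return None


# Constructed user-agent strings for the audit.
SAMPLE_USER_AGENTS = {
    "ie11": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "edge_legacy": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063",
    "chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0",
}


def audit(user_agents=SAMPLE_USER_AGENTS, supported=DEFAULT_WIA_SUPPORTED_USER_AGENTS):
    """Map each named client to the entry that would grant it WIA (None = forms)."""
    return {name: matching_wia_entry(ua, supported) for name, ua in user_agents.items()}


if __name__ == "__main__":
    for name, entry in audit().items():
        print(f"{name:12} -> {'WIA via ' + entry if entry else 'not WIA-capable'}")
    # Effect of adding a regex entry for Chrome on Windows:
    extended = DEFAULT_WIA_SUPPORTED_USER_AGENTS + [r"=~Windows\s*NT.*Chrome"]
    print("chrome with extended list ->", matching_wia_entry(SAMPLE_USER_AGENTS["chrome"], extended))
```

Note that the default regex only recognises the original EdgeHTML user agent; a client string that does not contain "Edge" falls through to None, which is the case to check for whenever a browser on the intranet unexpectedly gets the forms page.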
  • Pierre, thank you for the reply, but how should an application ask for Forms? What should it pass to ADFS, is there a specific URL or should an application POST with additional attributes?
    Sunday, December 4, 2016 7:15 PM