How to check which one is already set by default on ADFS and how to edit it. Can we add more than one authentication context?

  • Question

  • Environment:-

    • ADFS 4.0
    • Windows Server 2016


    Requirement Description: -  

    In SAML 2.0, there are 25 types of Authentication Context Types XML Schema. Assist me to understand the following configuration.

    Kindly let me know how to check which one is already set by default on ADFS and how to edit it. Can we add more than one authentication context?

    For reference

    http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf

    List of authentication context type schema: -

    1. urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
    2. urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
    3. urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
    4. urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered
    5. urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
    6. urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract
    7. urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
    8. urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    9. urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    10. urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
    11. urn:oasis:names:tc:SAML:2.0:ac:classes:X509
    12. urn:oasis:names:tc:SAML:2.0:ac:classes:PGP
    13. urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI
    14. urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig
    15. urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
    16. urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
    17. urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI
    18. urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony
    19. urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony
    20. urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony
    21. urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony
    22. urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword
    23. urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
    24. urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
    25. urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

     


    Regards, S.P Singh

    Saturday, August 10, 2019 5:46 PM

All replies

  • (Get-AdfsProperties).AuthenticationContextOrder.OriginalString

    urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
    urn:oasis:names:tc:SAML:2.0:ac:classes:X509
    urn:federation:authentication:windows
    urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

    This is what's there by default.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Saturday, August 10, 2019 10:00 PM
  • Thanks Pierre Audonnet,

    Can we add more authentication contexts and also remove the default authentication context? If yes, how can we do this? Kindly provide your assistance.


    Regards, S.P Singh

    Sunday, August 11, 2019 10:09 AM
  • Kindly assist.

    Regards, S.P Singh

    Tuesday, August 13, 2019 2:11 AM
  • Just run PowerShell as administrator and specify your own contextorder with "Set-ADFSProperties -AuthenticationContextOrder <order1>,<order2>"
    Friday, August 16, 2019 12:02 PM
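
A cautious way to apply the `Set-AdfsProperties -AuthenticationContextOrder` answer above, added here as an example and not code from the thread: it validates the new list, saves the current order for rollback, and reads the stored value back. The function name `Update-AuthnContextOrder`, the backup path and the ordering used in the usage call are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated session on the AD FS server.
# Update-AuthnContextOrder and the backup path are hypothetical names.
function Update-AuthnContextOrder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]] $NewOrder,
        [string] $BackupPath = '.\AuthnContextOrder.backup.txt'
    )
    # Current order, read the same way as in the answer above.
    $current = @((Get-AdfsProperties).AuthenticationContextOrder |
                 ForEach-Object { $_.OriginalString })

    # Every entry must parse as an absolute URI and appear only once.
    $parsed = foreach ($entry in $NewOrder) {
        $uri = $null
        if (-not [Uri]::TryCreate($entry, [UriKind]::Absolute, [ref] $uri)) {
            throw "Not an absolute URI: '$entry'"
        }
        $uri
    }
    $dupes = $NewOrder | Group-Object | Where-Object { $_.Count -gt 1 }
    if ($dupes) { throw "Duplicate entries: $($dupes.Name -join ', ')" }

    # Report each entry's new position, where it was before, and what is dropped.
    for ($i = 0; $i -lt $NewOrder.Count; $i++) {
        $was  = [array]::IndexOf($current, $NewOrder[$i])
        $note = if ($was -lt 0) { 'new' } else { "was #$($was + 1)" }
        Write-Host ("#{0} {1} ({2})" -f ($i + 1), $NewOrder[$i], $note)
    }
    $current | Where-Object { $_ -cnotin $NewOrder } |
        ForEach-Object { Write-Host "removed: $_" }

    if ($PSCmdlet.ShouldProcess('AD FS farm', 'Set AuthenticationContextOrder')) {
        # Save the previous order so it can be restored with the same cmdlet.
        $current | Set-Content -Path $BackupPath -Encoding UTF8
        Set-AdfsProperties -AuthenticationContextOrder $parsed
        # Read the stored value back to confirm the change.
        (Get-AdfsProperties).AuthenticationContextOrder.OriginalString
    }
}

# Constructed usage: the six defaults listed in the thread, with
# PasswordProtectedTransport moved first. -WhatIf previews without changing anything.
Update-AuthnContextOrder -WhatIf -NewOrder @(
    'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:X509',
    'urn:federation:authentication:windows',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos')
```

To roll back, pass the lines of the backup file to the same function: `Update-AuthnContextOrder -NewOrder (Get-Content .\AuthnContextOrder.backup.txt)`.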