Securing ADFS

  • Question

  • We have ADFS 3.0 set up in our environment along with WAP. We are using ADFS as the identity provider in an SSO scenario. A question has been asked by our security team: can we restrict our ADFS sign-in page so that it is only accessible when a request comes from one of the relying party trusts set up in our ADFS, either by firewall rules or any other option? If I understand correctly, relying parties redirect the external user to ADFS, so I'm not sure if we can create firewall rules to allow connections only from relying parties. If firewall rules are not possible, is 2FA the only option?

    Any help would be greatly appreciated. Thanks

    Tuesday, May 28, 2019 7:42 PM

Answers

  • We have ADFS 3.0 set up in our environment along with WAP. We are using ADFS as the identity provider in an SSO scenario. A question has been asked by our security team: can we restrict our ADFS sign-in page so that it is only accessible when a request comes from one of the relying party trusts set up in our ADFS, either by firewall rules or any other option? If I understand correctly, relying parties redirect the external user to ADFS, so I'm not sure if we can create firewall rules to allow connections only from relying parties. If firewall rules are not possible, is 2FA the only option?

    Any help would be greatly appreciated. Thanks

    Yes, you should be using MFA.

    No, restricting to the relying party IPs won't work. That will pretty much ensure no client can use it, unless the RP client requests come from those IPs :P


    • Edited by Andy David (MVP) Tuesday, May 28, 2019 7:49 PM
    • Marked as answer by shaamchi Tuesday, May 28, 2019 9:48 PM
    Tuesday, May 28, 2019 7:48 PM
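    As an added example (not code from the thread or from Andy), this is how the MFA he recommends can be enforced in ADFS 3.0 specifically for requests that arrive from outside the network via WAP, using additional authentication rules. It assumes an MFA provider is already registered in the global authentication policy; "Contoso Portal" is a placeholder relying party name.

```powershell
# Added example, not from the original thread.
# Why the firewall approach fails: the browser is redirected to the ADFS sign-in
# page and connects to ADFS/WAP itself, so the source IP seen is the user's,
# not the relying party's. Restricting by RP IP therefore blocks every user.
# The workable control is to demand MFA, and this can be scoped to requests
# that did NOT originate inside the corporate network (i.e. came through WAP).

Import-Module ADFS

# Assumption: WAP is publishing ADFS, so proxied requests carry the claim
# insidecorporatenetwork == "false" (ADFS sets this for WAP-proxied traffic).
# Claim rule: for such requests, require an additional (multi-factor) method.
$extranetMfaRule = @'
c:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]
 => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Precondition check: the rule only does anything if an MFA provider is enabled.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.AdditionalAuthenticationProvider) {
    Write-Warning "No additional authentication provider is enabled; register one with Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider first."
}

# Option A: apply globally, so every relying party trust gets extranet MFA.
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetMfaRule

# Option B: apply to one relying party trust only ("Contoso Portal" is a placeholder).
Set-AdfsRelyingPartyTrust -TargetName "Contoso Portal" -AdditionalAuthenticationRules $extranetMfaRule

# Verify what is now in force.
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsRelyingPartyTrust -Name "Contoso Portal").AdditionalAuthenticationRules
```

    Run on the primary ADFS server; after the change, an extranet sign-in through WAP is prompted for the second factor while intranet users are unaffected.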

All replies

  • Thank you Andy for your reply. Really appreciate it.
    Tuesday, May 28, 2019 9:50 PM