ADFS 3.0 primary authentication method per relying party trust

  • Question

  • Is there any way I can set different Primary Authentication methods per Relying Party Trust? For example, I want to set Certificate AuthN for one web application and Windows AuthN for a different web app. It seems this is not doable on the ADFS GUI...
    Thursday, July 6, 2017 9:13 AM

Answers

  • If your application is using WS-Fed, you can modify the web.config file that way:

          <federatedAuthentication>
            <!--<wsFederation passiveRedirectEnabled="true" issuer="https://adfs.verenatex.com/adfs/ls/" realm="https://web.verenatex.com/sample/" authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" requireHttps="true" />-->
            <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.verenatex.com/adfs/ls/" realm="https://web.verenatex.com/sample/" authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" requireHttps="true" />
            <cookieHandler requireSsl="true" />
          </federatedAuthentication>

    The commented part would force FBA auth. The second part (the enabled part) will force certificate.

    And this works as long as the method is supported AND enabled on the ADFS farm. Else you will see the following error message in the ADFS logs:

    Event ID:364

    Exception details:
    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, July 6, 2017 1:59 PM
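    To make the answer concrete, the following added example (not code from the thread or from any Microsoft library) shows what the wsFederation element does on the wire: WIF copies authenticationType into the WS-Federation wauth query parameter of the sign-in redirect, and the STS rejects the request with MSIS7102 if that method is not enabled on the farm. It reuses the issuer and realm from the posted web.config; the wauth URI for Windows Integrated authentication, the farm-policy snapshot, and the log lines are constructed assumptions for illustration.

```python
"""Added example (not from the thread): build the WS-Fed sign-in redirect the
wsFederation element produces, check the pinned method against the farm's
enabled providers, and pick out the event 364 / MSIS7102 symptom in logs."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode, urlparse, parse_qs

# Values taken from the web.config in the answer.
ISSUER = "https://adfs.verenatex.com/adfs/ls/"
REALM = "https://web.verenatex.com/sample/"

# authenticationType values WIF forwards to the STS as the 'wauth' parameter.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"     # forms (FBA)
TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"  # client certificate
WINDOWS = "urn:federation:authentication:windows"                # Windows Integrated (assumed URI)

# Constructed snapshot of the farm's primary authentication providers, keyed by
# the provider names ADFS uses. On a real farm this comes from
# Get-AdfsGlobalAuthenticationPolicy. Windows auth is deliberately left out so
# the failure path below is exercised.
FARM_POLICY: Dict[str, str] = {
    "FormsAuthentication": PASSWORD,
    "CertificateAuthentication": TLS_CLIENT,
}

# Constructed log lines in a simplified "EventID=... Message=..." layout; the
# exception text is the one quoted in the answer, the rest is made up.
SAMPLE_LOG: List[str] = [
    "EventID=100 Source=AD FS Message=The Federation Service started successfully.",
    "EventID=364 Source=AD FS Message=Encountered error during federation passive request. "
    "Exception details: Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine."
    "InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method "
    "is not supported on the STS.",
    "EventID=364 Source=AD FS Message=Encountered error during federation passive request. "
    "Exception details: (some other policy exception, constructed)",
]


def build_signin_url(issuer: str, realm: str, authentication_type: Optional[str] = None) -> str:
    """Passive WS-Fed sign-in redirect as the wsFederation element produces it.

    wa and wtrealm are always sent; wauth is added only when authenticationType
    is set, and that parameter is what pins the method for this relying party.
    """
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if authentication_type:
        params["wauth"] = authentication_type
    return f"{issuer}?{urlencode(params)}"


def requested_wauth(url: str) -> Optional[str]:
    """Return the wauth value the STS will see, or None if the RP pinned nothing."""
    return parse_qs(urlparse(url).query).get("wauth", [None])[0]


def check_request(url: str, farm_policy: Dict[str, str]) -> Tuple[bool, str]:
    """Mirror the STS-side policy check: a wauth naming a method the farm has
    not enabled is refused with MSIS7102. Returns (accepted, explanation)."""
    wauth = requested_wauth(url)
    if wauth is None:
        return True, "no wauth: the user is offered the farm's default method(s)"
    for provider, uri in farm_policy.items():
        if uri == wauth:
            return True, f"{wauth} handled by {provider}"
    return False, f"MSIS7102: Requested Authentication Method is not supported on the STS ({wauth})"


def unsupported_method_events(log_lines: List[str]) -> List[str]:
    """Select event 364 entries that carry MSIS7102, i.e. an RP pinned a method
    the farm does not allow; other 364 errors are left alone."""
    hits = []
    for line in log_lines:
        match = re.match(r"EventID=(\d+)\b", line)
        if match and match.group(1) == "364" and "MSIS7102" in line:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for method in (TLS_CLIENT, PASSWORD, WINDOWS, None):
        url = build_signin_url(ISSUER, REALM, method)
        accepted, why = check_request(url, FARM_POLICY)
        print(("OK  " if accepted else "FAIL"), why)
    print(f"{len(unsupported_method_events(SAMPLE_LOG))} MSIS7102 event(s) in the sample log")
```

    Running it shows the certificate and forms requests accepted and the Windows request refused with the same MSIS7102 text the answer quotes, which is the check to run before pinning a method in an RP's web.config: confirm the method is enabled in the farm's primary authentication policy, or every sign-in to that RP will fail with event 364.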

All replies

  • Nope, it is not. BUT the application can be configured to request for one specific method. So ping the owners of the application using ADFS for authentication, and ask them to specify the method you want in the redirection they do.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, July 6, 2017 12:45 PM
  • Could you elaborate a little on this? I have access to configure web apps as well. I have a SharePoint 2016 web app and asp.net MVC web apps as Relying Party Trust. I want Certificate Authentication for SharePoint and Windows Authentication for asp.net applications. If I enable Certificate Authentication and Windows Authentication on ADFS, users will be able to select between the two different authentications, but I need to present only Certificate to SharePoint and Windows to asp.net apps. Are you saying this can be done on the application side?
    Thursday, July 6, 2017 1:11 PM