Authentication method per Relying Party Trust

  • Question

  • In ADFS 3.0 (Windows Server 2012 R2) you were able to configure primary authentication per relying party trust under Authentication Policies\Per Relying Party Trust in AD FS Management. How do I do this in ADFS 4.0 or 5.0 (Windows Server 2016/2019)?

    AD FS Management only has options for changing Primary and Additional Authentication Methods globally, not per relying party trust. Can I do it using the GUI or PowerShell (Set-AdfsRelyingPartyTrust) somehow? How can I do this?

    It is strange that this was available in 2012 and is now gone in 2016/2019.

    I have a requirement for different types of authentication for my relying parties on the same ADFS 2016 server.

    I have not seen a single answer on this.


    John


    • Edited by John98683 Wednesday, December 4, 2019 3:08 AM
    Monday, December 2, 2019 1:30 PM

Answers

  • It is not true that you could configure Primary Authentication methods per relying party in ADFS 3. It was never the case.

    And it is not a feature as of today.

    BUT you can configure the application to request for a specific primary authentication and it will be honored by ADFS as long as the authentication method is supported and enabled. So contact your application developer and ask them to modify their code in such a way the redirection to ADFS will request for a specific authentication method.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Sunday, December 29, 2019 1:58 PM
  • It is a global setting. Not per Relying Party trust, never was. 

    For the Per Relying Party, you can just enforce re-authentication. It is in the documentation you linked:

    As you can see, the only option is to force re-auth. Not to pick authentication method.

    Only MFA criteria/options (which are NOT primary authentication methods) can be customized per relying party.

    Monday, January 13, 2020 6:47 PM

All replies

  • John,

    I have also been searching for weeks on this as we have a need to secure RPTs with different auth types. Specifically, trying to use password-less options for upcoming mobile apps using the new ability in 2019 to use the MFA app to allow "push to enter".

    I CANNOT believe this feature was deprecated and kinda does not make sense that it is gone.... Why are we the only people searching on this and what AM I missing?

    Craptastic indeed. Thanks Microsoft.

    PMACdaddy

    Thursday, December 19, 2019 7:36 PM
  • What's this then? Sure looks like you used to be able to....

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies

    "To configure primary authentication per relying party trust

    In Server Manager, click Tools, and then select AD FS Management.

    In AD FS snap-in, click Authentication Policies\Per Relying Party Trust, and then click the relying party trust for which you want to configure authentication policies.

    Either right-click the relying party trust for which you want to configure authentication policies, and then select Edit Custom Primary Authentication, or, under the Actions pane, select Edit Custom Primary Authentication."

    Monday, January 13, 2020 3:26 PM
  • This is NOT true. You're misdirecting your support. You CAN enforce per-RPT authentication and always could. You must not have read all the documentation.
    Tuesday, February 4, 2020 3:17 PM
  • Agree, these "geniuses" at Microsoft have absolutely no clue what they are doing. They work in a bubble and always have and will continue to do so because we, as customers, are powerless. I spent 4 hours last night on the phone with 2 different Microsoft "engineers" and they had NO CLUE what they were doing. They were simply reading through a scripted troubleshooting document and we tried to tell them we had tried everything they were telling us to do. They "escalated" the issue, and the new "engineer" was even worse. I ended up finding the issue and fixing it FOR Microsoft. What really irritates me is how condescending they both were. But, when I pointed out how wrong they were and exactly why, they changed their tune real quick. I even asked the ADFS "expert" how he didn't know. He simply said it was an issue he had never dealt with....as an expert? Seriously? And I had to find AND fix the issue myself. Microsoft, you need to vet your "pros" a whole lot better because your support...well....it sucks.
    Tuesday, February 4, 2020 3:21 PM
  • This is correct. But no longer available in the console. You have to code it yourself because Microsoft likes to have all the power.
    Tuesday, February 4, 2020 3:23 PM
  • It was never the case. Really.

    You can reach out to me, I'll be happy to give you more details. You can find me on LinkedIn.

    Tuesday, February 4, 2020 5:47 PM
  • ffbenfineer, I have been looking for this for some time now. Could you please share how you could enforce this per RPT.
    Wednesday, February 5, 2020 1:08 PM
  • Let me re-iterate. It was NOT possible in 2012 R2, it is not possible in 2016, it is not possible in 2019. There must be a confusion there. I am not sure where it is coming from.

    The primary authentication policy was and still is a farm-wide setting, and the only option available at the RP level was to force re-authentication. And that is what the documentation that has been pointed out three times says: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies#to-configure-primary-authentication-per-relying-party-trust "Users are required to provide credentials each time at sign in." Please have a look. And the previous version of that document back in 2017 also states the same: https://web.archive.org/web/20170829040751/https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies

    This is what it looks like in the GUI in Windows Server 2012 R2:

    That said. You can configure your application trusting ADFS to request a specific authentication method. But this setting is on the application side. NOT at the ADFS level. For example, if you have an application using WS-Federation on IIS, you can configure the web.config file in such a way that the redirect to ADFS will have the authentication method embedded in it:

    <federatedAuthentication>
     <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.verenatex.com/adfs/ls/" realm="https://web.verenatex.com/sample/" authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" requireHttps="true" />
     <cookieHandler requireSsl="true" />
    </federatedAuthentication>

    In the example above, the authentication method will be urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient and, as long as this method is enabled in the global authentication policy at the farm level, the user will be prompted to pick a certificate for authentication (that is what this URI is about, TLS auth). But it could have been asking for forms-based authentication with the URI urn:oasis:names:tc:SAML:2.0:ac:classes:Password (although the password-based one is the least secure, you could configure your app that way as long as forms-based is enabled in the global policy).

    For SAML2 applications, the authentication method can be asked in the RequestedAuthnContext section of the SAML request:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="

    ...

      <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

    Of course that would work only for the SP-Initiated flow.

    Those two methods are to be deployed on the application side. NOT at the ADFS level. And it is documented that way.

    Now if you feel that it does not work for you and you'd rather change how the product works, you can channel your feedback to the product group using this channel: https://windowsserver.uservoice.com/forums/304621-active-directory/suggestions/35823295-specify-primary-authentication-method-per-relying You can see the request already exists but does not have a lot of votes. If that goes up, it might change in the next version.

    tl;dr This was never taken out from the GUI. It was never in the GUI.

    Note: I'll remove all the short messages which are not constructive contributions. I save the messages of this page in a PDF. So you can request that PDF if you think it might help you. You can find me on LinkedIn.

    Wednesday, February 5, 2020 3:09 PM
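The two application-side mechanisms described in this thread (the web.config authenticationType, which WS-Federation sends as the wauth parameter, and the SAML RequestedAuthnContext), as an added example that is not code from the thread or from Microsoft. Because ADFS honours the request only when the method is enabled farm-wide, the example also checks the AuthnContextClassRef returned in the assertion; hostnames, IDs and the sample assertion are constructed values.

```python
"""Application-side choice of the AD FS primary authentication method.

Added example, not code from the thread. authenticationType in web.config
reaches AD FS as the WS-Federation 'wauth' parameter; a SAML AuthnRequest
carries it in RequestedAuthnContext. AD FS honours it only when the method
is enabled farm-wide, so the last helper checks what actually came back.
Hostnames and IDs below are constructed sample values.
"""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def wsfed_signin_url(issuer, realm, auth_method):
    """Sign-in redirect equivalent to the web.config above; wauth carries the method."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": realm, "wauth": auth_method})
    return issuer.rstrip("/") + "/?" + query


def saml_authn_request(request_id, issue_instant, sp_entity_id, auth_context):
    """Minimal SP-initiated AuthnRequest asking for exactly one AuthnContextClass."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = auth_context
    return ET.tostring(req, encoding="unicode")


def returned_authn_context(assertion_xml):
    """AuthnContextClassRef from an assertion; call only after signature validation."""
    node = ET.fromstring(assertion_xml).find(f".//{{{SAML}}}AuthnContextClassRef")
    return node.text.strip() if node is not None and node.text else None


def context_satisfied(assertion_xml, requested):
    """True only when AD FS used the method the application asked for."""
    return returned_authn_context(assertion_xml) == requested


# Constructed sample: AD FS answered with password auth although TLSClient was requested.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">'
    "<saml:AuthnStatement><saml:AuthnContext>"
    f"<saml:AuthnContextClassRef>{PASSWORD_PT}</saml:AuthnContextClassRef>"
    "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
)
```

An application that requested TLSClient should reject the sample assertion (context_satisfied returns False), since the method fell back to a weaker one when the requested method was not enabled in the farm-wide policy.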