Custom login page in ADFS

  • Question

  • Can we have a custom login page in ADFS prompting the user only to enter user ID?

    Because of corporate data security policy, we would like the user to enter only their user ID on the login page on private devices. Right after that, we would like the on-prem MFA to be triggered.

    Wednesday, September 20, 2017 6:02 AM

Answers

  • MFA Server can only be used for secondary authentication. The only primary auth possible in ADFS 2012 R2 is password or certificate. In ADFS 2016, Azure MFA (mobile app OTP mode only) can be used for primary auth as well, but third-party ADFS adapters, including MFA Server, cannot be used to perform primary auth.

    If you allow a user to enter a username only, and have that result in a call, text or push notification, an attacker could cause an MFA verification to be sent to any user in your organization just by typing in a username, which isn't secret. That would cause many problems.

    Tuesday, September 26, 2017 3:52 AM

All replies

  • Let me see if we get this right. You are using on-prem ADFS and a custom login page for it. You would like your users to enter only the UserID without the domain. Then you would like your on-prem MFA to be triggered for authentication.

    Are we talking about an on-prem environment or Azure services?

    ---------------------------------------------------------------------------------------------------
    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Wednesday, September 20, 2017 1:59 PM
  • The login page has to be accessible from internet, the server infrastructure environment is on-prem. We do not want the corporate domain password to be entered in the internet login page.

    So the sequence we want to do is

    1) Login page accessible via internet to enter only user ID

    2) On-prem ADFS uses this user ID and triggers on-prem MFA

    3) Once authenticated with on-prem MFA, the user can access the on-prem corporate applications.

    Can the current ADFS configuration/custom login integration provide this function?

    Thursday, September 21, 2017 12:46 AM
  • We would move this to the ADFS Forum for better exposure and assistance.


    Thursday, September 21, 2017 6:10 AM
  • You can customize the page to ask the user to type only the sAMAccountName for example. This is described here: 

    • Advanced Customization of AD FS Sign-in Pages https://docs.microsoft.com/en-ca/windows-server/identity/ad-fs/operations/advanced-customization-of-ad-fs-sign-in-pages 

    For the MFA, you can find info here:

    • Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications https://docs.microsoft.com/en-ca/windows-server/identity/ad-fs/operations/manage-risk-with-additional-multi-factor-authentication-for-sensitive-applications 

    And if you are using ADFS for Office 365, also have a look at this: 

    • Conditional access in Azure Active Directory https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal 


    Tuesday, September 26, 2017 2:29 AM
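The configuration the linked "Manage Risk with Additional Multi-Factor Authentication" article describes, as an added PowerShell example that is not part of any post in this thread: password stays the primary method on the extranet (the accepted answer explains why a username-only primary step is not possible), and the MFA adapter is enforced as the second factor for every request that does not carry insidecorporatenetwork == true. The adapter name `AzureMfaServerAuthentication` is an assumption; use whatever name `Get-AdfsAuthenticationProvider` reports on your farm, and run this on a federation server.

```powershell
# Added example, not from the thread. Run on an AD FS 2012 R2 / 2016 federation server.
Import-Module ADFS

# Assumed registration name of the on-prem MFA Server adapter; verify with Get-AdfsAuthenticationProvider.
$mfaAdapter = 'AzureMfaServerAuthentication'
$registered = (Get-AdfsAuthenticationProvider).Name
if ($registered -notcontains $mfaAdapter) {
    throw "MFA adapter '$mfaAdapter' is not registered. Registered providers: $($registered -join ', ')"
}

# Primary factor on the internet-facing endpoint stays password (forms); the adapter is additional only.
Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider 'FormsAuthentication' `
                                   -AdditionalAuthenticationProvider $mfaAdapter

# Global additional-authentication rule: any request that is not from the corporate network must
# satisfy MFA (the multipleauthn claim) before the token is issued. This is the claim rule from the
# Microsoft article linked above, stored as a here-string so the quoting survives intact.
$mfaRule = @'
c:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]
 => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# Read back what the farm now enforces, so the change can be checked before users hit it.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryExtranetAuthenticationProvider, AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

Because the password check happens first, the MFA prompt only reaches a user whose password was already supplied, which is exactly the property the accepted answer says a username-only page would lose.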