Direct link to ADFS 3.0 FBA?

  • Question

  • We are currently using ADFS in a very straightforward manner for Office 365.  Purely for Windows Authentication of domain users on domain-joined computers.

    We have a new requirement to use ADFS to provide SAML auth to another external service.  However, for this service, we wish to have our (again, domain member) users enter alternate credentials (their IT administrative credentials) to use this service.  For this we need Forms-based auth.

    It seems that when both Windows Authentication and Forms Authentication are enabled, Windows auth is used in this scenario (domain user on domain computer).  Is there any way to direct-link to the forms-based login page for ADFS 3.0?  Or put some type of (IIS hosted?) form in front of it?  <-- These hypothetical scenarios would allow us to continue using just one ADFS server.

    Or do we have to build another ADFS server that only allows Forms-based authentication?

    Thanks!

    Wednesday, December 9, 2015 5:38 PM

Answers

  • Are you doing SP Initiated Sign In?

    If so, can't you ask the SP to configure their application to request FBA in the RST (Request for Security Token) to your ADFS?

    We've had a similar requirement in a few situations where users don't want SSO (SSO as in automatically signed in using the credentials of the currently logged on user) but instead want to be prompted to enter their credentials again (or alternate credentials). I've solved this using the following (authenticationType) in web.config on the application server (using WS-Fed as the protocol):

    <federatedAuthentication>
        <wsFederation
            authenticationType="urn:oasis:names:tc:SAML:1.0:am:password"
            passiveRedirectEnabled="true"
            issuer="https://sts.contoso.com/adfs/ls/"
            realm="https://mywebApp.ikea.com/"
            requireHttps="true" />
        <cookieHandler requireSsl="true" />
    </federatedAuthentication>

    ADFS will create an event in the Event Log each time saying that a non-supported authentication type was requested, but it works :-) Users are prompted (FBA) and can enter alternate credentials (or their own).

    To my understanding the same can be achieved using the SAML Protocol if you can add the following to the RST:

    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>

    The PasswordProtectedTransport part should do the trick.

    The thing is though... this parameter might not be supported by the SAML implementation used by your Service Provider. In that case you are left with the final dreaded option, which is to set up a separate ADFS Farm that only supports FBA. Pierre Audonnet and Paul Lemmers, if you read this please correct me if I'm wrong :-)

    Oh I've heard rumors that in ADFS 4 (Windows Server 2016) you will finally be able to control this per Relying Party Trust... if that is really true then that would be awesome !!!



    Monday, December 14, 2015 11:22 AM
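To make the two hints in the answer above concrete, here is an added example (not code from this thread, from Microsoft, or from any Service Provider) that builds both of them: the WS-Federation sign-in URL that WIF produces from the `authenticationType` attribute (WIF sends it as the `wauth` query parameter), and an SP-initiated SAML 2.0 AuthnRequest carrying the `RequestedAuthnContext` with `PasswordProtectedTransport`, encoded for the HTTP-Redirect binding. It also decodes a `SAMLRequest` parameter back into XML and reports the requested context class, which is the check an ADFS administrator would use to confirm whether the Service Provider actually sends the hint before concluding that a second farm is needed. The SP entity ID and ACS URL (`sp.example`) are constructed placeholders; the ADFS and realm URLs are the ones from the web.config in the answer.

```python
"""Build and inspect authentication-method hints sent to an AD FS IdP (added example)."""
import base64
import datetime
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
WSFED_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"  # the authenticationType value from the answer

# Constructed placeholders for the Service Provider side (not a real SP).
SP_ENTITY_ID = "https://sp.example/metadata"
SP_ACS_URL = "https://sp.example/acs"
ADFS_LS = "https://sts.contoso.com/adfs/ls/"


def wsfed_signin_url(issuer, realm, authentication_type=WSFED_PASSWORD):
    """WS-Fed passive sign-in URL. WIF maps the wsFederation authenticationType
    attribute onto the 'wauth' parameter, which is the hint AD FS acts on."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wauth": authentication_type}
    return issuer + "?" + urllib.parse.urlencode(params)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        authn_context=PASSWORD_PROTECTED_TRANSPORT, comparison="exact"):
    """SP-initiated AuthnRequest. Pass authn_context=None to see what an SP
    that cannot send the hint produces."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if authn_context:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect(saml_request_param):
    """Inverse of encode_redirect: what you would apply to a captured SAMLRequest value."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15).decode("utf-8")


def requested_authn_context(xml_text):
    """Return {'comparison': ..., 'classes': [...]} or None when the request carries no hint,
    which is the case AD FS cannot turn into a forms logon on its own."""
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    classes = [e.text for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return {"comparison": rac.get("Comparison", "exact"), "classes": classes}


if __name__ == "__main__":
    print(wsfed_signin_url(ADFS_LS, "https://mywebApp.ikea.com/"))
    xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, ADFS_LS)
    param = encode_redirect(xml)
    print("SAMLRequest=" + urllib.parse.quote(param, safe=""))
    print(requested_authn_context(decode_redirect(param)))
```

`requested_authn_context` returning `None` for a captured request is the quickest way to confirm the situation Mylo describes later in the thread: with no `RequestedAuthnContext` in the request (or no request at all, in IdP-initiated flows) there is nothing for AD FS to compare against, so it falls back to its globally enabled handlers.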

All replies

  • Do the users need to be able to connect to other applications using ADFS from the same machine? If not, maybe you can use a DNS trick to redirect them to a WAP server using forms.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, December 11, 2015 2:36 PM
  • Yes, same machine, will use O365 (Windows auth) and this other application (alternate credentials).
    • Edited by J.Gardner Monday, December 14, 2015 1:46 PM
    Monday, December 14, 2015 1:23 PM
  • Thanks Moloko.

    So this service is, um, another large cloud IaaS provider.  They don't support SP-initiated sign in, and while I can create a feature request, I doubt it would meet my timeframe, if ever addressed.

    I'm not sure I follow exactly the modification of RST.  How could I go about testing the modification of RST?  How could I get that into a normal user interaction?  Not a lot of experience in ADFS here.

    It is sounding like my assumption of requiring another ADFS server is going to be true.

    Having control of auth method per Relying Party would be excellent!!

    Thanks again.

    Monday, December 14, 2015 1:46 PM
  • The relying party (SAML) can request an authentication context (RequestedAuthnContext) that will default to FBA (PasswordProtectedTransport) as mentioned, but that infers that login is SP-Initiated, which is not supported in IdP-Initiated signon setups.. a separate FBA-only farm is an option, as you stated

    http://blog.auth360.net


    • Edited by Mylo Monday, December 14, 2015 10:57 PM
    Monday, December 14, 2015 10:56 PM
  • Mylo, can you clarify the following statement: "[...] infers that login is SP-Initiated, not supported in IdP-Initiated signon setups" it seems to be in contradiction with what Jesse mentioned. Who is right? :)


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, December 15, 2015 10:03 PM
  • Hi Pierre,

    Sorry to cause any misunderstanding.. I sometimes post these responses from a phone rather than a laptop, which leads to "concise" replies that perhaps are not 100% clear..

    Jesse, as the original poster, mentions that the SaaS provider does not support SP-Initiated logon, only IdP-initiated.. This means that the IdP (AD FS) cannot trigger a forms logon page because there is no authentication context request to speak of (or comparison attribute) .. i.e. this is not an SP-initiated workflow.

    Hope that clears up any confusion I created :-)


    http://blog.auth360.net

    Tuesday, December 15, 2015 10:18 PM
  • Pierre do you know if it's true that ADFS 4.0 (Windows Server 2016) will allow you to choose per Relying Party Trust if you want to use IWA/SSO or FBA?


    WORK

    Thursday, December 17, 2015 5:19 PM
  • I am not aware of this.

    Usually as you mentioned, the RP can ask for a specific authentication method and this is usually the way to go


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, February 25, 2016 12:49 AM
  • For what it's worth, after some sandbox testing and a call w/MS Premier, we ended up building a second ADFS environment to only support FBA.
    Thursday, February 25, 2016 1:28 PM