ADFS 2.0 - How to select authentication method at Identity Provider STS

  • Question

  • We are currently setting up a federated identity solution using ADFS 2.0 to provide SharePoint 2010 services to various federation partners. We are using Windows Integrated Authentication on the Identity Provider side, so that the users (after an initial Source Realm Discovery) are automatically authenticated against their local AD and can transparently access the requested SharePoint sites. This works without any problems.

    Occasionally, however, a user (e.g. a Site Administrator) will want to log on to SharePoint with credentials that are different from those of their current Windows user session. To do this, they select "Logon as different user" in the menu of the SharePoint application. This will log the user out of SharePoint and request a new authentication via SharePoint's authentication service, in this case the Relying Party STS (SharePoint's local ADFS 2.0). The RP-STS will once again authenticate the user; however, this will yield the same credentials as before, due to the fact that we are using Integrated Authentication at the IP-STS. The user is therefore logged back on to SharePoint with the same credentials as before.

    What we would like to do is to initiate an authentication at the IP-STS using an authentication method (e.g. forms-based authentication) other than the Windows Integrated Authentication used by default. This would allow us to provide the ability to log on with different credentials when necessary, whilst keeping the transparent authentication method as the default.

    There are two limiting factors to this at present:

    1. Primary and alternate identities will be provided by the same IP-STS. A new Source Realm Discovery is not required.
    2. Getting the user to open up their browser under a different user session (Run as...) is not seen as an option.

    Does anyone have any ideas on how this could be achieved? Any help would be greatly appreciated.

    Cheers,
    Oliver


    Oliver Carr CISSP, MCSE:Security, MCT
    Tuesday, January 11, 2011 4:08 PM
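The question above describes the WS-Federation passive sign-in exchange (wa=wsignin1.0 redirects from the RP-STS to the IP-STS) and the problem that the IP-STS keeps answering with the Windows identity. The following is an added example, not code from the original post or from ADFS itself: it builds the two kinds of sign-in request a relying party could emit for the "transparent" path and for a "log on as different user" path, using the request parameters of the WS-Federation passive requestor profile that ADFS 2.0 understands (wauth to request an authentication method, wfresh=0 to demand a fresh authentication instead of reusing the STS session cookie, whr as a home-realm hint). The endpoint, realm and wctx values are made up, and whether a chained RP-STS forwards wauth unchanged to the IP-STS in the poster's topology is an assumption here; the thread itself never confirms it.

```python
"""Build and inspect WS-Federation passive sign-in requests (wa=wsignin1.0).

Added example, not from the thread. Hostnames, realm and wctx values are
constructed; only the parameter names and the two wauth URIs come from the
WS-Federation passive requestor profile as implemented by ADFS 2.0. That an
RP-STS passes wauth through to the IP-STS in a chained federation is an
assumption of this example, not something the thread confirms.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Authentication method URIs ADFS 2.0 recognises in the wauth parameter.
WAUTH_WINDOWS = "urn:federation:authentication:windows"   # Integrated (Kerberos/NTLM)
WAUTH_FORMS = "urn:oasis:names:tc:SAML:1.0:am:password"   # Forms (username/password)

IP_STS = "https://sts.partner.example/adfs/ls/"   # assumed IP-STS passive endpoint
RP_REALM = "urn:sharepoint:intranet"              # assumed relying-party realm


def build_signin_url(sts_endpoint, wtrealm, wctx=None, wauth=None, wfresh=None, whr=None):
    """Return the URL an RP redirects the browser to for a passive sign-in.

    Only parameters that are set are emitted, so wauth=None yields the plain
    request that lets the STS apply its own default authentication method.
    """
    params = [("wa", "wsignin1.0"), ("wtrealm", wtrealm)]
    if wctx is not None:
        params.append(("wctx", wctx))       # opaque RP state, echoed back
    if whr is not None:
        params.append(("whr", whr))         # home realm hint, skips realm discovery
    if wauth is not None:
        params.append(("wauth", wauth))     # requested authentication method
    if wfresh is not None:
        # wfresh=0 asks the STS to authenticate again even if it already holds
        # an SSO session for this browser.
        params.append(("wfresh", str(wfresh)))
    return f"{sts_endpoint}?{urlencode(params)}"


def default_signin(wctx=None):
    """Transparent path: no method requested, the IP-STS applies its default."""
    return build_signin_url(IP_STS, RP_REALM, wctx=wctx)


def logon_as_different_user(wctx=None):
    """'Log on as different user' path: request forms auth AND a fresh logon.

    Requesting forms authentication alone is not enough: without wfresh=0 the
    IP-STS may satisfy the request from its existing session cookie and hand
    back the same Windows identity, which is the behaviour the thread reports.
    """
    return build_signin_url(IP_STS, RP_REALM, wctx=wctx, wauth=WAUTH_FORMS, wfresh=0)


def parse_signin_request(url):
    """Parse a sign-in URL into a flat dict of its single-valued parameters."""
    parts = urlsplit(url)
    flat = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    flat["_endpoint"] = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return flat


def requested_method(url):
    """Return the wauth value of a request, or None when the STS default applies."""
    return parse_signin_request(url).get("wauth")


def is_forced_forms_request(url):
    """Check that a request both asks for forms auth and forbids SSO reuse.

    A request carrying wauth but not wfresh=0 fails this check on purpose: it
    would still let the IP-STS reuse the cached Windows logon.
    """
    req = parse_signin_request(url)
    return req.get("wa") == "wsignin1.0" and req.get("wauth") == WAUTH_FORMS and req.get("wfresh") == "0"


if __name__ == "__main__":
    ctx = "rm=0&id=passive&ru=%2f"   # constructed SharePoint-style wctx
    print(default_signin(wctx=ctx))
    print(logon_as_different_user(wctx=ctx))
```

The check in is_forced_forms_request is the one a reviewer would want in the RP's "log on as different user" handler: forgetting wfresh=0 reproduces exactly the symptom in the question, because the IP-STS session cookie, not the requested method, decides whether the user is prompted again.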

All replies

  • I think you can try using two different browsers to log on as different users.

    Thursday, January 13, 2011 2:34 PM
  • That would definitely be a work-around for the locally stored token (cookie). I would still, however, need to find a way of initiating a forms-based AuthN instead of Windows Integrated AuthN at the IP-STS, which is where I'm currently stuck.
    Oliver Carr CISSP, MCSE:Security, MCT
    Thursday, January 13, 2011 2:41 PM
  • Hi Oliver,

    I bounced this question off our ADFS support folks for you, and they think they may have a way to make it work.  They're still working out the details so that we can post those for you, but we wanted to let you know that we are definitely looking at this question.


    David Beach - Microsoft Online Community Support
    Tuesday, January 18, 2011 5:32 PM
  • Are there any news on this topic? Or a hint on how this could be achieved by code, maybe by building a custom home realm discovery and/or passing a specific parameter to the identity provider?
    Tuesday, February 15, 2011 3:28 PM