Specify MFA based on user-agent in AD FS

adfssaml

Is it possible to force a specific MFA provider based on a user-agent (ideal) or IP address (less ideal) in AD FS? Alternatively, is there another free SAML IdP that would allow this? Read below for why, in case there is another option that I am missing:

I'm using AD FS 3.0 as a SAML 2.0 IdP for a cloud service used internally at a business. I have enabled MFA using integrated Windows authentication and I have also enabled certificates as a second factor.

This works great on the domain-joined desktops we deploy. Once the user is logged into Windows, they are automatically logged into the cloud service assuming they have a valid certificate. They don't have to do anything to authenticate and this is awesome.

This cloud service provides a mobile app for iOS and Android devices. The mobile app uses an embedded browser for authentication. During authentication, upon redirection to the IdP, AD FS falls back to forms-based authentication which is fine. However, when AD FS requests a client certificate, the embedded browser in these apps freezes. Thus, it is not possible to log into the apps using certificate-based authentication.

I've informed the vendor, they are able to replicate the issue and are investigating whether they can fix it, but my hopes are not high that they will be able to (at least in a timely manner).

In the mean time, I would like to provide two options: use certificates as the second factor on desktop browsers, and use a custom authentication provider (I can build this no problem) for mobile browsers.

Is this possible? The closest I can get right now is to present the user with an option of which MFA mechanism they would like to use. This isn't good enough, unfortunately, especially since users will need to do this several times per day.

Best Answer

Multi-factor authentication as a service is simply consuming the second factor from the cloud, so that your on-premises applications and cloud workloads can both use the same multi-factor authentication platform.

Azure Multi-Factor Authentication provides an additional level of authentication to prevent unauthorized access to both on-premises and cloud application. It provides three flavors:

Mobile App: available on Windows phones, android and IOS devices. Within this application, you can do two things: •Software token: offline one-time password with short life time, which is a great way in case you do not have internet connectivity. •Push notification.
Phone calls: you can receive a phone call prompting you to press a key to complete your authentication. This can be a land line or a mobile phone.
Text messages: you will receive a text message with a verification code.

You can look for Microsoft Authenticator app option for Multi-Factor Authentication. Check details here to Enable mobile app authentication with Azure Multi-Factor Authentication Server

Related Solutions

The SAML Assertion Consumer URL for an AD FS 2.0 Service Provider

When ADFS 2.0 is used as a service provider (i.e. RP STS) it consumes assertions at URLs like https://sts.contoso.com/adfs/ls/ .

The assertion consumer service URL is specific to the service provider. If ADFS is the service provider then the metadata URLs publish the assertion consumer URLs as follows.

<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sts.contoso.com/adfs/ls/" index="0" isDefault="true" /> 
  <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sts.contoso.com/adfs/ls/" index="1" /> 
  <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sts.contoso.com/adfs/ls/" index="2" />

And here is some sample assertion consumer service URLs from another test site for comparison. http://www.testshib.org/metadata/testshib-two-metadata.xml

<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.testshib.org/Shibboleth.sso/SAML2/POST" index="1" isDefault="true" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" />

<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sp.testshib.org/Shibboleth.sso/SAML2/POST-SimpleSign" index="2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" />
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.testshib.org/Shibboleth.sso/SAML2/Artifact" index="3" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" />
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sp.testshib.org/Shibboleth.sso/SAML/POST" index="4" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" />
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://sp.testshib.org/Shibboleth.sso/SAML/Artifact" index="5" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" />
<AssertionConsumerService Binding="http://schemas.xmlsoap.org/ws/2003/07/secext" Location="https://sp.testshib.org/Shibboleth.sso/ADFS" index="6" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" />

AD FS 3.0 Event ID 364 while creating MFA (and SSO)

The Microsoft TechNet reference for ADFS 2.0 states the following for Event 364:

This event can be caused by anything that is incorrect in the passive request. It can occur during single sign-on (SSO) or logout for both SAML and WS-Federation scenarios.

https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-fedpassive-request-failures(v=ws.10).

I realize you're using a newer version of ADFS but I couldn't find an updated reference in the 2012 R2 documentation. However, the description isn't all that helpful anyway.

References from some other sources usually point to certificate issues (revocation checking, missing certificate in chain) or a time skew.

http://www.gfi.com/blog/how-to-resolve-adfs-issues-with-event-id-364/

I know you said the certificates were installed correctly but you may want to double check that you can complete the revocation check and the chain validates. The easiest way to do this would be to open the certificate on the server from the Certificates snap-in and make sure there are no errors are warnings on the General and Certification Path tabs.

I've had time skew issues bite me in other authentication scenarios so definitely make sure all of your clocks match up as well.

Another thread I ran into mentioned an issue with SPNs. I know when I setup an ADFS 2012 R2 environment I ran into a problem with the SPN registration because my server's FQDN was the same as my intended Federation Service name (adfs.domain.com) so it was unable to register the SPN for ADFS. I fixed this by changing the hostname to something else and manually registering the SPNs. Unfortunately, I don't remember if this issue caused an event 364 though.

One thing I am curious about that you didn't mention if you had tried is whether or not you tested authentication to ADFS without the MFA extension. The extension name showing up in the exception stack seems to indicate it is part of the issue but that test could help you rule out issues with other aspects of your ADFS deployment.

Finally, if none of the above seems to help I would recheck the extension documentation to make sure that you didn't miss any steps in the setup. Hope that helps!

Best Answer

Related Solutions

The SAML Assertion Consumer URL for an AD FS 2.0 Service Provider

AD FS 3.0 Event ID 364 while creating MFA (and SSO)

Related Topic