ADFS - Force Forms Authentication
geoman

Hi there! I have a client who is using ADFS to interact with our service provider. This client is a company where several employees share a single computer. Because of the way they have ADFS configured, when they interact with our service provider the employee is currently able to access the account of whoever is currently logged into the computer, which is not necessarily the employee's account!

We're looking into whether we can force the client to sign in again with their Active Directory credentials rather than leveraging the computer's context to sign them in to our application. Is this possible to do on our end? If so, how?


ComponentSpace Development
What authentication mechanisms do they have configured in ADFS?

Are they using Windows Authentication for Intranet users? If so, this will mean the user won't be prompted to log in and ADFS will use the current Windows user's authentication context.

It sounds like ADFS should be configured to use Forms Authentication instead. ADFS will prompt the user to log in even if they're logged into Windows, assuming they're not already logged into ADFS (i.e. they don't have an ADFS authentication cookie).

You have the option to logout the user from ADFS using SAML logout (SLO). This is initiated by calling _samlServiceProvider.InitiateSloAsync and demonstrated by our ExampleServiceProvider project. However, in a shared environment, I recommend not relying on this completely and prompting the user to close the browser to ensure all authentication sessions are closed.

There is a ForceAuthn flag that may be included with the SAML authn request sent to ADFS. This is supposed to mean the IdP will force the user to log in even if they already have an authentication session with the IdP. However, not all IdPs support this and I'll have to double check if ADFS does. You can specify this flag when calling _samlServiceProvider.InitiateSsoAsync by setting SsoOptions.ForceAuthn.

Regards
ComponentSpace Development
geoman
ComponentSpace - 6/7/2021

Right! Our client has not configured their ADFS with Forms Authentication, which is our problem. However, our client really doesn't want to change how they have ADFS configured. Hence, we've been attempting to figure out a way to force them to log in again without asking them to tweak how they have ADFS set up.

Thank you so much for this information. This gives us a couple of ways forward!
ComponentSpace Development
You're welcome.

I don't know of a way to do this other than changing the authentication configuration in ADFS.

If you do find a way, please report back to the forum for others who may be interested.

Thanks.

Regards
ComponentSpace Development
geoman
ComponentSpace - 6/8/2021

From talking with the client, they are claiming that other service providers were able to circumvent the issue we're facing by including the following in their SAML response:

    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Do you know what this is doing? If you think this will fix our problem, is there a way to implement this with ComponentSpace's set of libraries?
ComponentSpace Development
This information may be included in the authn request by specifying the following for the PartnerIdentityProviderConfiguration in your SAML configuration (eg appsettings.json).


"RequestedAuthnContextComparison": "exact",
"RequestedAuthnContexts": [ "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" ],

Let me know how that goes. Thanks.

Regards
ComponentSpace Development
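Added example (editor's, not ComponentSpace's code and not part of the original thread): a small Python script showing, at the protocol level, what the two levers discussed above put on the wire, ForceAuthn on the AuthnRequest (what SsoOptions.ForceAuthn sets) and RequestedAuthnContext with Comparison="exact" (what the RequestedAuthnContexts setting produces), together with the check the service provider should make on the way back. As noted earlier in the thread, not every IdP honours ForceAuthn, and an IdP that ignores it or quietly falls back to Windows authentication still returns a well-formed, signed assertion; the only evidence is the AuthnStatement's AuthnInstant and AuthnContextClassRef, so the script compares those against the request it sent. The hostnames, the unsigned sample Responses and the two-minute clock-skew allowance are assumptions, and signature, audience and recipient validation are assumed to have already happened before this check runs.

```python
# Added example (not ComponentSpace code): SP-side handling of ForceAuthn and
# RequestedAuthnContext. Messages are constructed inline and unsigned.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Class ref ADFS reports when integrated Windows authentication was used.
ADFS_WINDOWS = "urn:federation:authentication:windows"
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def parse_instant(text):
    """xs:dateTime in UTC; tolerate fractional seconds, which some IdPs emit."""
    base, _, frac = text.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micros, tzinfo=timezone.utc)

def build_authn_request(issuer, acs_url, destination, issue_instant,
                        force_authn=False, requested_contexts=(), comparison="exact"):
    """Serialise an AuthnRequest. ForceAuthn="true" asks the IdP to re-authenticate
    even if it already holds a session; RequestedAuthnContext names the method."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    # Schema order: Issuer comes before RequestedAuthnContext.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if requested_contexts:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
        for class_ref in requested_contexts:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")

def check_authn_statement(response_xml, request_issue_instant,
                          required_contexts=(), max_skew=timedelta(minutes=2)):
    """Enforce what the request asked for. An IdP that ignores ForceAuthn or the
    requested context still returns a well-formed assertion, so the SP must
    inspect AuthnInstant and AuthnContextClassRef itself. Returns (ok, reason)."""
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement in assertion"
    authn_instant = parse_instant(stmt.get("AuthnInstant"))
    if authn_instant + max_skew < request_issue_instant:
        return False, "AuthnInstant predates the request: ForceAuthn was not honoured"
    class_ref = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if required_contexts and class_ref not in required_contexts:
        return False, f"AuthnContextClassRef {class_ref!r} is not a requested method"
    return True, "fresh authentication with a requested method"

def sample_response(authn_instant, class_ref):
    """Constructed, unsigned sample of the Response an IdP would POST to the ACS."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="{authn_instant}">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{authn_instant}">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="{authn_instant}">
      <saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

def demo():
    """Request issued at 10:00 with both levers set, evaluated against three constructed replies."""
    request_time = datetime(2021, 6, 7, 10, 0, 0, tzinfo=timezone.utc)
    request_xml = build_authn_request(
        issuer="https://sp.example.test", acs_url="https://sp.example.test/saml/acs",
        destination="https://adfs.example.test/adfs/ls/", issue_instant=request_time,
        force_authn=True, requested_contexts=[PPT], comparison="exact")
    return {
        "request": request_xml,
        # Password prompt 30 s after the request: accept.
        "honoured": check_authn_statement(
            sample_response("2021-06-07T10:00:30Z", PPT), request_time, [PPT]),
        # Windows logon session from an hour earlier reused: reject.
        "reused": check_authn_statement(
            sample_response("2021-06-07T09:00:00.123Z", ADFS_WINDOWS), request_time, [PPT]),
        # Fresh, but via Windows auth rather than the requested method: reject.
        "wrong_method": check_authn_statement(
            sample_response("2021-06-07T10:00:30Z", ADFS_WINDOWS), request_time, [PPT]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the AuthnRequest and the three verdicts. In a real SP the equivalent of check_authn_statement belongs in the ACS handler after signature, audience and recipient validation, keyed on the IssueInstant stored for the outstanding request; a rejected result should be treated as a failed login, not a warning, since on a shared computer it is exactly the case the original poster is trying to prevent.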