MFA Through ADFS: University of Washington Customized its ADFS to Enable MFA. Eric Kool-Brown (kool@uw.edu), Software Engineer, UW IT Identity and Access Management.

ADFS Auth Flow

Home Realm Discovery Customization
- UW WebLogin (Shibboleth SAMLP) added to ADFS as a second claims trust provider (CTP; the ADFS console calls it a claims provider trust)
- ADFS 2.0 implements Home Realm Discovery through an ASP.NET web page that by default gives the user a choice of which CTP to use
- UW IT modified this ASP.NET page to automatically redirect to WebLogin for most Relying Parties (RPs)
- Several RPs requested two-factor authentication; WebLogin supports MFA via Entrust tokens
- The HRD .NET code does a URL rewrite to add the TimeSyncToken value in the wauth parameter for RPs that require 2-factor
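The routing described above, modelled in Python as an added example (it is not the UW code, which is C# in the ADFS 2.0 HRD page-behind). A constructed RP-to-action table stands in for the per-server XML config, and hrd_decision applies the same rule as the slide's CheckWauthForShib: the WS-Federation wauth parameter is rewritten to the SAML 2.0 TimeSyncToken or PasswordProtectedTransport authentication context class URI and the browser is redirected whenever the incoming value does not match what the RP's entry requires. The RP identifiers, the lookup of the RP by the wtrealm parameter, and the placeholder CTP identifier are assumptions.

```python
"""Model of the customized ADFS 2.0 HRD decision (added example, not UW code)."""
from enum import Enum
from urllib.parse import urlsplit, parse_qs, urlencode

# Standard SAML 2.0 authentication context class URIs; these are the values
# behind Saml2Constants.AuthenticationContextClasses.* in the slide's C#.
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TIME_SYNC_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Assumed placeholder for the WebLogin claims provider identifier (UwShibUrn).
UW_SHIB_URN = "urn:example:uw-weblogin"


class HrdAction(Enum):
    GOTO_SHIB = "GotoShib"              # ordinary WebLogin password login
    GOTO_SHIB_2FACTOR = "GotoShib2Factor"  # WebLogin with Entrust token
    GOTO_AD = "GotoAd"                  # local AD authentication
    SHOW_HRD_PAGE = "ShowHrdPage"       # stock ADFS chooser


# Constructed stand-in for the per-server XML config (RP identifier -> action).
RP_ACTIONS = {
    "https://payroll.example.edu/": HrdAction.GOTO_SHIB_2FACTOR,
    "https://wiki.example.edu/": HrdAction.GOTO_SHIB,
    "https://intranet.example.edu/": HrdAction.GOTO_AD,
    "https://chooser.example.edu/": HrdAction.SHOW_HRD_PAGE,
}


def check_wauth(query, require_2factor):
    """Mirror of CheckWauthForShib.

    Returns (ok, required_wauth). ok is False when the request has to be
    redirected with the wauth parameter corrected. As in the slide, a missing
    wauth is acceptable for password login but never for 2-factor.
    """
    required = TIME_SYNC_TOKEN if require_2factor else PASSWORD_PROTECTED_TRANSPORT
    current = query.get("wauth", "")
    if current != required and (require_2factor or current != ""):
        return False, required
    return True, required


def hrd_decision(request_url, rp_actions=RP_ACTIONS):
    """Decide what the HRD page does for one WS-Federation sign-in request.

    Returns one of:
      ("redirect", url)   same path, query string with wauth rewritten
      ("select", realm)   SelectHomeRealm(realm); "" means local AD
      ("show_hrd", None)  show the claims-provider drop-down
    The RP is taken from wtrealm (assumption); unknown RPs get the slide's
    default action, GotoShib.
    """
    parts = urlsplit(request_url)
    # Flatten the parsed query to the last value per parameter.
    query = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    rp = query.get("wtrealm", "")
    action = rp_actions.get(rp, HrdAction.GOTO_SHIB)

    if action in (HrdAction.GOTO_SHIB, HrdAction.GOTO_SHIB_2FACTOR):
        ok, required = check_wauth(query, action is HrdAction.GOTO_SHIB_2FACTOR)
        if not ok:
            # URL rewrite: same page, wauth forced to the per-RP requirement.
            query["wauth"] = required
            return "redirect", parts.path + "?" + urlencode(query)
        return "select", UW_SHIB_URN
    if action is HrdAction.GOTO_AD:
        return "select", ""
    return "show_hrd", None


if __name__ == "__main__":
    base = "https://adfs.example.edu/adfs/ls/?wa=wsignin1.0&wtrealm="
    for rp in RP_ACTIONS:
        print(rp, "->", hrd_decision(base + rp))
```

Note that the table, not the incoming wauth, is authoritative: an RP configured as GotoShib that sends wauth=TimeSyncToken itself is rewritten back to PasswordProtectedTransport, which is exactly the "all or nothing per RP" behaviour the next slide observes.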

Observations
- No step-up authentication: it is all or nothing per RP
- Currently the code modifications and the XML config file need to be on each ADFS server
- Unknown if these modifications are possible with ADFS 3.0
- A web app written to be a SAMLP service provider can request step-up auth at any point (no ADFS in this scenario)
- UW WebLogin must release all RP-requested attributes on every auth request; claims rules filter them per RP
- Could share the UW code; unsure what the licensing would be, since the original code is owned by Microsoft
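The step-up alternative noted above (a SAMLP service provider asking the IdP for a specific authentication context at any point), as an added Python example that is not part of the presentation. It builds a SAML 2.0 AuthnRequest carrying RequestedAuthnContext with Comparison="exact" for TimeSyncToken, then checks the Response for a Success status and an AuthnContextClassRef equal to what was requested, so a password-only assertion is rejected rather than silently accepted. Whether the HRD redirect or this request asked for the token, the relying side still has to verify the context the IdP reports (in ADFS, the equivalent is checking the authenticationmethod claim in a claim rule). The sample Response is constructed and unsigned; XML signature validation is assumed to happen before this check is trusted, and all entity IDs and URLs are placeholders.

```python
"""SAML 2.0 step-up request and authentication-context check (added example)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TIME_SYNC_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_step_up_request(sp_entity_id, idp_sso_url, acs_url, required_class=TIME_SYNC_TOKEN):
    """Return an AuthnRequest (as XML text) demanding exactly required_class.

    ForceAuthn makes the IdP re-authenticate even if a password session exists,
    which is what turns this into a step-up rather than a silent SSO.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = required_class
    return ET.tostring(req, encoding="unicode")


def requested_context(request_xml):
    """Read back (comparison, class URIs) from an AuthnRequest."""
    root = ET.fromstring(request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    refs = [r.text for r in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison"), refs


def authn_context_satisfies(response_xml, required_class):
    """True only if the Response succeeded and every AuthnStatement reports
    required_class. Assumes the signature was already verified by the caller."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return False
    refs = root.findall(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return bool(refs) and all((r.text or "").strip() == required_class for r in refs)


def sample_response(class_ref, status=STATUS_SUCCESS):
    """Constructed, unsigned IdP Response for illustration only."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2012-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(build_step_up_request("https://sp.example.edu/shibboleth",
                                "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO",
                                "https://sp.example.edu/Shibboleth.sso/SAML2/POST"))
    print("token ok:", authn_context_satisfies(sample_response(TIME_SYNC_TOKEN), TIME_SYNC_TOKEN))
    print("password ok:", authn_context_satisfies(sample_response(PASSWORD_PROTECTED_TRANSPORT), TIME_SYNC_TOKEN))
```

An IdP that cannot satisfy an exact RequestedAuthnContext is supposed to answer with a non-Success status rather than a weaker assertion; the status check covers that case and the class check covers an IdP that answers Success with the wrong context anyway.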

// HRD page-behind: choose the claims provider for this RP from the
// per-RP action loaded from the XML config (entry.HrdAction).
// CheckWauthForShib has already issued the redirect when it returns false.
switch (entry.HrdAction)
{
    case RpHrdActions.GotoShib: // Default action: ordinary WebLogin password auth
        if (CheckWauthForShib(false))
            SelectHomeRealm(UwShibUrn);
        break;

    case RpHrdActions.GotoShib2Factor: // RP requires WebLogin with an Entrust token
        if (CheckWauthForShib(true))
            SelectHomeRealm(UwShibUrn);
        break;

    case RpHrdActions.GotoAd: // An empty string means go to AD for auth.
        SelectHomeRealm("");
        break;

    case RpHrdActions.ShowHrdPage: // Fall back to the stock ADFS chooser
        PassiveIdentityProvidersDropDownList.DataSource = ClaimsProviders;
        PassiveIdentityProvidersDropDownList.DataBind();
        break;
}

using System;
using System.Collections.Specialized;
using System.Web;
using Microsoft.IdentityModel.Tokens.Saml2; // WIF 3.5 Saml2Constants, as used by the ADFS 2.0 pages

// WS-Federation parameter name (assumed definition; the slide only references the constant).
private const string Wauth = "wauth";

// If Shib will be used for authentication, make sure a valid wauth parameter is included.
// For ordinary password login to Shib the wauth can either be null (not included in the params)
// or be Saml2Constants.AuthenticationContextClasses.PasswordProtectedTransport. If 2-factor is
// required then wauth must be Saml2Constants.AuthenticationContextClasses.TimeSyncToken.
private bool CheckWauthForShib(bool require2factor)
{
    Uri url = HttpContext.Current.Request.Url;
    NameValueCollection urlParamNvc = HttpUtility.ParseQueryString(url.Query);
    string requiredWauth = require2factor
        ? Saml2Constants.AuthenticationContextClasses.TimeSyncToken.ToString()
        : Saml2Constants.AuthenticationContextClasses.PasswordProtectedTransport.ToString();

    // A missing wauth is tolerated for password login only; any other mismatch is rewritten.
    if (urlParamNvc[Wauth] != requiredWauth
        && (require2factor || !string.IsNullOrEmpty(urlParamNvc[Wauth])))
    {
        LogInfo("Did not find wauth param with value {0}", requiredWauth);
        urlParamNvc.Set(Wauth, requiredWauth);
        // Same page, same query, wauth forced to the per-RP requirement.
        string redirect = url.AbsolutePath + "?" + urlParamNvc;
        LogInfo("Redirecting to {0}", redirect);
        Response.Redirect(redirect, true);
        return false;
    }
    return true;
}