Presentation is loading. Please wait.

Presentation is loading. Please wait.

MFA Through ADFS University of Washington Customized its ADFS to Enable MFA Eric Kool-Brown (kool@uw.edu) Software Engineer, UW IT Identity and Access.

Published byJamie Estill Modified over 9 years ago

Similar presentations

Presentation on theme: "MFA Through ADFS University of Washington Customized its ADFS to Enable MFA Eric Kool-Brown (kool@uw.edu) Software Engineer, UW IT Identity and Access."— Presentation transcript:

1 MFA Through ADFS University of Washington Customized its ADFS to Enable MFA Eric Kool-Brown Software Engineer, UW IT Identity and Access Management

2 ADFS Auth Flow

3 Home Realm Discovery Customization
UW WebLogin (Shibboleth SAMLP) added to ADFS as second claims trust provider (CTP) ADFS 2.0 implements Home Realm Discovery through an ASP.Net web page that by default gives the user a choice of which CTP to use UW IT modified this ASP.Net page to automatically redirect to WebLogin for most Relying Parties (RPs) Several RPs requested two-factor authentication WebLogin supports MFA via Entrust tokens HRD .Net code does a URL rewrite to add the TimeSyncToken parameter for RPs that require 2-factor

4 Observations No step-up authentication – it is all or nothing per RP
Currently code modifications and XML config file need to be on each ADFS server Unknown if these modifications are possible with ADFS 3.0 A web app written to be a SAMLP service provider can request step- up auth at any point (no ADFS in this scenario) UW WebLogin must release all RP-requested attributes on every auth request; claims rules filter them per-RP Could share the UW code, unsure what the licensing would be due to the original code being owned by Microsoft

5 switch (entry.HrdAction)
{ case RpHrdActions.GotoShib: // Default action if (CheckWauthForShib(false)) SelectHomeRealm(UwShibUrn); } break; case RpHrdActions.GotoShib2Factor: if (CheckWauthForShib(true)) return; case RpHrdActions.GotoAd: // An empty string means go to AD for auth. SelectHomeRealm(""); case RpHrdActions.ShowHrdPage: PassiveIdentityProvidersDropDownList.DataSource = ClaimsProviders; PassiveIdentityProvidersDropDownList.DataBind();

6 // If Shib will be used for authentication, make sure a valid wauth parameter is included.
// For ordinary password login to Shib the wauth can either be null (not included in the params) // or be Saml2Constants.AuthenticationContextClasses.PasswordProtectedTransport. If 2-factor is // required then wauth must be Saml2Constants.AuthenticationContextClasses.TimeSyncToken. private bool CheckWauthForShib(bool require2factor) { Uri url = HttpContext.Current.Request.Url; NameValueCollection urlParamNvc = HttpUtility.ParseQueryString(url.Query); string requiredWauth = require2factor ? Saml2Constants.AuthenticationContextClasses.TimeSyncToken.ToString() : Saml2Constants.AuthenticationContextClasses.PasswordProtectedTransport.ToString(); if (urlParamNvc[Wauth] != requiredWauth && (require2factor || !string.IsNullOrEmpty(urlParamNvc[Wauth]))) LogInfo("Did not find wauth param with value {0}", requiredWauth); urlParamNvc.Set(Wauth, requiredWauth); string redirect = url.AbsolutePath + "?" + urlParamNvc; LogInfo("Redirecting to {0}", redirect); Response.Redirect(redirect, true); return false; } return true;

Download ppt "MFA Through ADFS University of Washington Customized its ADFS to Enable MFA Eric Kool-Brown (kool@uw.edu) Software Engineer, UW IT Identity and Access."

Similar presentations

Service Bus Service Bus Access Control.

Service Bus Service Bus Access Control.
CAS-NG A small enhancement to CAS 3 to provide new services.

CAS-NG A small enhancement to CAS 3 to provide new services.
steve plank “planky” microsoft Lest we forget windows azure appfab

steve plank “planky” microsoft Lest we forget windows azure appfab
 Jan Alexander Program Manager Microsoft Corporation BB43.

 Jan Alexander Program Manager Microsoft Corporation BB43.
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
ASP.NET Best Practices Dawit Wubshet Park University.

ASP.NET Best Practices Dawit Wubshet Park University.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Customizing and Extending ADFS 2.0 Brian Puhl Technology Architect Microsoft Corporation SIA318.

Customizing and Extending ADFS 2.0 Brian Puhl Technology Architect Microsoft Corporation SIA318.
Implementing and Administering AD FS

Implementing and Administering AD FS
Eric Raff. Usergroup up

Eric Raff. Usergroup up
Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.

Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.
Experimental OpenID Service for DOEGrids Summer Student Program 2008 Jan Durand ESnet 08/06/08.

Experimental OpenID Service for DOEGrids Summer Student Program 2008 Jan Durand ESnet 08/06/08.
March 15, 2011 Active Directory Federation Services 2.0 Overview InCommon Service Provider Training.

March 15, 2011 Active Directory Federation Services 2.0 Overview InCommon Service Provider Training.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
SIM402. Kerberos, NTLM, Basic, Digest, Forms?

SIM402. Kerberos, NTLM, Basic, Digest, Forms?
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Similar presentations

Ads by Google