Unanswered forms based / SQL based authentication in ADFS 2.0

  • Thursday, March 25, 2010 4:08 PM

    Is there any way to add the custom authenticator for ADFS 2.0 from management console?

    Or

    Is it done only through modifying web.config in /adfs/ls?


All Replies

  • Saturday, March 27, 2010 5:53 AM

    ADFS is hardwired to authenticate against AD.

    You can add custom attribute stores and claims provider via the MMC - but ADFS' native authentication is AD based.


    Dominick Baier | thinktecture | http://www.leastprivilege.com
  • Saturday, March 27, 2010 2:04 PM

    I am looking at the ADFS 2.0 docs on MSDN and it has the following:

    AD FS 2.0 can play the following roles:

    • Pure identity provider security token service (IP-STS). AD FS 2.0 has no configured claim providers, except the Active Directory account store in the domain where it resides.
    • Pure relying party STS (RP-STS). AD FS 2.0 has configured claims providers, but all local authentication methods (that is, Forms, Integrated, Basic, and TlsClient) are disabled in the Web.config file. AD FS 2.0 can only direct the user to authenticate with a trusted STS.
    • Hybrid. AD FS 2.0 has configured claims providers, and uses a local authentication method (that is, Forms, Integrated, Basic, or TlsClient authentication is enabled in the Web.config file).

    Is the hybrid case like customizing the native authentication that comes with ADFS 2.0?

  • Saturday, March 27, 2010 2:10 PM

    No - this is a combination of 1 and 2. Either you auth against AD (using forms, integrated or client certs) - or you use an issued token.


    Dominick Baier | thinktecture | http://www.leastprivilege.com
  • Saturday, March 27, 2010 2:49 PM

    So, in the hybrid case, where is the forms authentication being done?

    Is it done in the custom STS configured as claims provider in ADFS, or is it in the RP?

  • Saturday, March 27, 2010 2:59 PM
    Either in ADFS (against AD) or in some other STS configured as claims provider.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
  • Saturday, March 27, 2010 3:14 PM

    Hybrid. AD FS 2.0 has configured claims providers, and uses a local authentication method (that is, Forms, Integrated, Basic, or TlsClient authentication is enabled in the Web.config file).

     

    In the above from the docs, what is the local authentication it is referring to? Is it the ADFS native auth, or custom claims provider authentication?

  • Wednesday, March 31, 2010 1:53 AM
    Moderator

    As Dominick mentioned, in the Hybrid case of AD FS 2.0, local authentication refers to authenticating users with the Active Directory account store in the domain where AD FS resides. i.e. AD FS behaves as the IP-STS.

    Vani.

  • Tuesday, July 20, 2010 4:29 PM
    Dominick, isn't it true I can configure ADFS 2.0 in the MMC to authenticate against a SQL or any LDAP-compliant data store?
  • Tuesday, July 20, 2010 4:44 PM
    You can create claims from AD, LDAP, SQL, or custom attribute stores. Authentication in AD FS 2 is purely AD or Issued Token.
  • Friday, September 10, 2010 7:31 PM

    I have a complete setup for SSO with ADFS. However, I am trying to activate the single log out, and my setup currently authenticates users using the Windows integrated credentials. So even if the cookies are cleared, the Windows integrated credentials session is still active.


    To fix this problem, I am trying to switch the authentication type to Forms (still using the AD).


    I tried to disable the Windows authentication and enable the forms authentication in the IIS hosting my ADFS server. I also tried to edit the web.config of ADFS to specify the "Forms" type.

    I also tried to modify my claims aware application to use the forms authentication type. 

    None of this works. I think the following section of the web.config of my application has to be modified:

    <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.xxxxxxxx.com/adfs/ls/" realm="https://xxxxx.xxxxx.xxxxxx.com/" requireHttps="true" />
        <cookieHandler requireSsl="true" />
    </federatedAuthentication>


    Any idea / guide / howto / information on how to use AD authentication using forms and not Windows authentication?

  • Monday, September 13, 2010 9:24 AM

    You also need to configure the web.config file for ADFS. Find the section

    <microsoft.identityServer.web>
        <localAuthenticationTypes>
            <add name="Forms" page="FormsSignIn.aspx" />
        </localAuthenticationTypes>

    Make sure that you only have Forms in this section; by default there will be a few others, including Windows integrated. This should ensure that ADFS does forms authentication against AD.

  • Monday, September 13, 2010 6:21 PM

    Yes, that is one way. And you can also let the RP specify the desired authentication type. That way the ADFS server can still do other methods too.

    If it is a WIF RP then in web.config you can add federatedAuthentication/wsFederation@authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

    See Colin in: http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/bbc469ed-ec16-4dd4-89aa-204601423c99
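An added check for the two approaches in the last two replies (this is illustrative code written for this page, not from the thread, Microsoft or WIF): it parses constructed web.config samples to report which local authentication types the ADFS /adfs/ls web.config still enables and which authentication type a WIF relying party requests via wsFederation@authenticationType. The page paths for the non-Forms entries and the microsoft.identityModel/service nesting in the RP sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the ADFS 2.0 /adfs/ls web.config section from the thread, with
# Forms plus the other local types the quoted docs name (those page paths are assumed).
ADFS_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="Integrated" page="auth/integrated/" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
  </microsoft.identityServer.web>
</configuration>
"""

# Constructed sample of a WIF relying party's web.config asking ADFS for password (forms)
# authentication, as the last reply suggests; the microsoft.identityModel/service nesting is assumed.
RP_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <microsoft.identityModel><service>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.example.com/adfs/ls/"
                    realm="https://app.example.com/" requireHttps="true"
                    authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>
  </service></microsoft.identityModel>
</configuration>
"""

PASSWORD_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

def enabled_local_auth_types(adfs_config_xml):
    """Names listed under microsoft.identityServer.web/localAuthenticationTypes."""
    section = next(ET.fromstring(adfs_config_xml).iter("localAuthenticationTypes"), None)
    return [] if section is None else [e.get("name") for e in section.findall("add")]

def rp_requested_auth_type(rp_config_xml):
    """wsFederation@authenticationType from a WIF RP web.config, or None when unset."""
    ws = next(ET.fromstring(rp_config_xml).iter("wsFederation"), None)
    return None if ws is None else ws.get("authenticationType")

def forms_signin_expected(adfs_config_xml, rp_config_xml):
    """True if ADFS only offers Forms (first approach) or the RP asks for Password (second)."""
    return (enabled_local_auth_types(adfs_config_xml) == ["Forms"]
            or rp_requested_auth_type(rp_config_xml) == PASSWORD_AUTHN_CONTEXT)
```

Run it against the real files on the ADFS server and the RP to see which of the two settings is actually in effect before changing IIS authentication, which the thread shows is not what controls the ADFS sign-in method.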