Detecting if password needs to be changed in ADFS

  • Question

  • I need to build functionality into ADFS to inspect a claim to determine if the user needs to change their password.  Essentially, there is an attribute in Active Directory that indicates if a user MUST change their password before accessing a system.  If this value is true I need ADFS to route the user to a different application than originally intended to change their password.  ADFS is somewhat difficult to customize since the majority of base classes are marked as internal.  It would be nice if there was a module that I could wire events to intercept the token generation but it doesn't appear so.  I've also gone down the route of trying to create a custom handler that inherits from the existing handlers but they are marked as internal.

    Are there events that I can tie into in the Global.asax, such as PostAuthenticateRequest?  Suggestions?

    Friday, June 3, 2011 1:28 PM

All replies

  • The user cannot authenticate if the password needs to be changed.  Since there is only one error on authentication failure there is no easy way to figure out if it's because they typed their password in wrong, or if they need to change the password.

    The only way you can really do this is to enable the forms authentication page and write some custom code to call into AD and see if the password needs to be changed based on the username.  Here is an article I wrote on how to modify the forms page: http://blogs.objectsharp.com/cs/blogs/steve/archive/2011/02/22/multifactor-authentication-with-adfs-v2.aspx

    Token generation is a sealed process.  The only way you can do anything with it is to use custom rules, or a custom attribute store, and unfortunately you can't do anything remotely close to the token from within the website itself.

    Developer Security MVP | http://www.steveonsecurity.com
    Friday, June 3, 2011 3:27 PM
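    One way to do the AD lookup the reply above describes, as an added C# example that is not from the thread or the linked article. It assumes a placeholder directory path `LDAP://DC=example,DC=com`, a hypothetical helper class `PasswordExpiryCheck`, and that the identity the forms page runs under is allowed to read `pwdLastSet` on user objects.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example; not code from the forum thread or the linked article.
public static class PasswordExpiryCheck
{
    // Active Directory represents "User must change password at next logon"
    // by storing 0 in the pwdLastSet attribute. Returns null when no matching
    // account exists, true when a change is required, false otherwise.
    public static bool? MustChangePassword(string samAccountName)
    {
        // Escape LDAP filter metacharacters (RFC 4515) so the username typed
        // on the form cannot alter the structure of the query.
        string safeName = EscapeLdapFilterValue(samAccountName);

        // Placeholder naming context; replace with the real forest root.
        using (var root = new DirectoryEntry("LDAP://DC=example,DC=com"))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + safeName + "))";
            searcher.PropertiesToLoad.Add("pwdLastSet");

            SearchResult result = searcher.FindOne();
            if (result == null)
                return null;

            // DirectorySearcher returns LargeInteger attributes as Int64.
            long pwdLastSet = result.Properties["pwdLastSet"].Count > 0
                ? (long)result.Properties["pwdLastSet"][0]
                : 0L;
            return pwdLastSet == 0;
        }
    }

    private static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

    The forms page would call this before attempting authentication, since, as noted above, an account in the must-change state cannot sign in, and redirect to the password-change application when it returns true.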
  • Also keep in mind that ADFS is a token service, not a user management system.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Saturday, June 4, 2011 12:43 PM
  • Did you ever find a way to tap into any event handlers on AD FS itself? I have more of a logging/auditing requirement on AD FS, and was wondering how to approach it. For now, I use a custom attribute store, and a rule to audit success/failure logins to a database (not perfect at all, but sorta working).

    Is there anything in global.asax that can provide relief?

    Friday, September 16, 2011 6:43 PM
  • I wasn't able to tap into the handlers.  Depending on what you need to do, I would recommend checking out an AOP (Aspect Oriented Programming) framework since you mentioned logging/auditing.  Otherwise you're limited to whatever you can do inside of the AD FS web app.
    Monday, September 19, 2011 2:03 PM