Custom authN provider for primary authN

  • Question

  • Is it possible to create a custom authentication provider for the primary authentication in ADFS 3.0? If not, is there a way to bypass the primary authentication so that only the custom authentication can be used for the secondary (multi-factor) authentication? 
    Tuesday, May 10, 2016 4:42 PM

Answers

All replies

  • No - you cannot bypass the primary authentication.

    You can add a custom MFA provider.

    Otherwise write your own STS that authenticates the custom way and federate with ADFS.

    Preferably, use something like Identityserver3 and add a custom authentication add-on.

    Tuesday, May 10, 2016 7:27 PM
  • Okay, maybe I should explain my situation first. I have external users who are required to use only their smart cards (client certs) to authenticate in ADFS 3.0. So only the Certificate Authentication is enabled for the primary authentication. However, even though they all use their smart cards to authenticate, some of them don't have their accounts in AD, which makes them fail to authenticate. For these users, I need to make sure that they don't get automatically challenged (Form AuthN is not allowed) and I want to forward them to a page for provisioning their AD accounts. I was hoping that I could develop this in a custom MFA provider, but because I cannot bypass the primary authentication, my custom provider won't kick in. What's the best way to work around this?
    Tuesday, May 10, 2016 9:07 PM
  • If you went down the federation route, you would get a Home Realm Discovery screen and the user could select where they wanted to authenticate.

    Tuesday, May 10, 2016 9:22 PM
  • Yes, I am going down the federation route. But there will be only one claim provider trust, which means there won't be a choice for the home realm discovery. I need to set up both ADFS servers: one for my company and one for the federated partner. And the federated partner's AD does not contain all the user accounts, so I'm thinking about creating a separate web application for provisioning the new accounts. My questions: I guess I need to put the account provisioning link somewhere on my partner's ADFS, right? And how do I do that?
    Wednesday, May 11, 2016 8:43 PM
  • You can modify one of the existing links as per Customizing the AD FS Sign-in Pages or, if you have JavaScript skills, refer to the link on the left "Advanced Customization of AD FS Sign-in Pages".

    Wednesday, May 11, 2016 8:57 PM
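The JavaScript route mentioned in the reply above, as an added example that is not from this thread or from Microsoft: an `onload.js` fragment for a custom AD FS web theme that appends a fixed account-provisioning link to the sign-in page. It assumes the theme is registered with `Set-AdfsWebTheme -TargetName custom -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js'; path='C:\theme\onload.js'}`, that the default page footer has the id `footer`, and that the provisioning URL is a placeholder; the `fakeDocument` stub is constructed only so the logic can be exercised outside a browser.

```javascript
// Placeholder for the provisioning portal. Keep it a constant baked into the theme:
// deriving it from a query-string parameter would turn the sign-in page into an open redirect.
const PROVISIONING_URL = 'https://provision.example.com/enroll';

// Build the anchor element. `doc` is passed in so the function can run outside a browser.
function buildProvisioningLink(doc) {
  const a = doc.createElement('a');
  a.id = 'provisionAccountLink';
  a.href = PROVISIONING_URL;
  a.textContent = 'Need an account? Provision it here';
  return a;
}

// Append the link to the footer (assumed id "footer"), or to the body if no footer exists.
// Idempotent: returns false if the link is already present or there is nowhere to put it.
function addProvisioningLink(doc) {
  if (doc.getElementById('provisionAccountLink')) return false;
  const host = doc.getElementById('footer') || doc.body;
  if (!host) return false;
  host.appendChild(buildProvisioningLink(doc));
  return true;
}

// Constructed minimal stand-in for the DOM so the snippet can be exercised with Node.
function fakeDocument() {
  const byId = {};
  const mk = (tag) => ({
    tag, id: '', href: '', textContent: '', children: [],
    appendChild(child) { this.children.push(child); if (child.id) byId[child.id] = child; return child; },
  });
  const body = mk('body');
  const footer = mk('div');
  footer.id = 'footer';
  body.appendChild(footer);
  return { body, createElement: mk, getElementById: (id) => byId[id] || null };
}

// In the browser, AD FS injects onload.js into its pages; run against the real document there.
if (typeof document !== 'undefined') {
  addProvisioningLink(document);
}
```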
  • For ADFS IT Pro questions, please post here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=ADFS

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Sunday, May 15, 2016 12:39 AM
    Moderator