ADFS 4 as a Shib SP and MFA

Eric C Kool-Brown kool at uw.edu
Tue Sep 19 18:18:12 EDT 2017


For those of you who have configured their ADFS 4 to have their campus Shib IdP as a "Claims trust provider," have you figured out a way to modify the SAML AuthnRequest?

We are running ADFS 2.x and have customized it to modify the AuthnContextClassRef value for those relying parties that require MFA. While admittedly a bit of a hack in ADFS 2.x, I've not found a way to do anything similar in ADFS 4. Has anyone else figured this out?

Jim Fox had a really cool suggestion for ADFS to issue AuthnRequest Issuer values using the relying party identifier rather than the ADFS entity ID. This means we could configure the RPs as SPs in Shib and require MFA there. I've always had a problem with the loss of context when chaining IdPs and this would avoid the issue. However, I have no idea if this is possible in ADFS 4. I've got an MS Premier Support case open on this but it is proceeding at a glacial pace which is why I am looking elsewhere for ideas.

I'd appreciate any suggestions.

Thanks,

    Eric Kool-Brown
    Software Engineer
    University of Washington - IT Infrastructure
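An added illustration (not code from the post, from ADFS or from Shibboleth) of the per-relying-party AuthnRequest rewrite the post describes, in Python: it injects a RequestedAuthnContext carrying the REFEDS MFA class ref for RPs whose policy table says they need MFA, and can optionally set the Issuer to the RP identifier as in Jim Fox's suggestion. The RP identifiers, the policy table and the sample request are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# REFEDS MFA profile URI (published); the RP policy table is constructed and
# keyed by the ADFS relying-party identifier.
MFA_CLASS_REF = "https://refeds.org/profile/mfa"
RP_REQUIRES_MFA = {"urn:example:rp:hr-payroll": True, "urn:example:rp:campus-wiki": False}

def rewrite_authn_request(xml_text, rp_id, issuer_as_rp=False):
    """Add RequestedAuthnContext when rp_id requires MFA; with issuer_as_rp=True
    also set Issuer to rp_id so the IdP can apply per-SP policy (Jim Fox's idea)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    if issuer_as_rp:
        issuer = root.find(f"{{{SAML}}}Issuer")
        if issuer is None:
            raise ValueError("AuthnRequest has no Issuer")
        issuer.text = rp_id
    if RP_REQUIRES_MFA.get(rp_id, False):
        for old in root.findall(f"{{{SAMLP}}}RequestedAuthnContext"):
            root.remove(old)  # one unambiguous policy per request
        rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = MFA_CLASS_REF
        # Schema order: RequestedAuthnContext must precede Scoping if present.
        children = list(root)
        pos = next((i for i, c in enumerate(children)
                    if c.tag == f"{{{SAMLP}}}Scoping"), len(children))
        root.insert(pos, rac)
    return ET.tostring(root, encoding="unicode")

def requested_class_refs(xml_text):
    """What the IdP side sees: every AuthnContextClassRef the request asks for."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")]

# Constructed sample of the request ADFS sends to the campus IdP.
SAMPLE_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_abc123" '
    'Version="2.0" IssueInstant="2017-09-19T18:00:00Z">'
    '<saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true"/><samlp:Scoping ProxyCount="1"/>'
    '</samlp:AuthnRequest>'
)
```

The IdP still decides whether to honour the requested class ref, so the Shib side must also refuse to assert MFA it did not actually perform.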



