MFA using IdP for conditional access M365
Philip Brusten
philip.brusten at kuleuven.be
Mon Mar 2 17:40:08 EST 2020
Hi
Just to confirm that we managed to integrate our Shibboleth IdP with MFA
support to Azure AD.
The missing links were:
- marking the IdP with MFA support: Set-MsolDomainFederationSettings -DomainName $dom -PreferredAuthenticationProtocol SAMLP -SupportsMfa $true
- adding another value for SAML2AuthnContextClassRef to our strong
authn module "http://schemas.microsoft.com/claims/multipleauthn"
We got this working either directly via SAML 2.0 or via an AD FS relay via
WS-Fed. We will have to evaluate the pros and cons of both solutions.
Happy to share more information if needed.
Kind regards,
Philip
On 20/02/2020 17:22, Philip Brusten wrote:
> Hi
>
> Has anyone integrated their Shibboleth IdP software with a custom
> control using conditional access on MS Azure AD (requires Premium P1
> license):
>
> https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/controls#custom-controls-preview
>
>
> (looks like OpenID connect is also involved ~ DiscoveryURL)
>
> We provide an MFA solution on our IdP and would like to integrate it
> with M365 to avoid our users having to use a 2nd solution with MS
> Authenticator.
>
> This seems interesting as well, but not sure if this works with SAML2.0:
>
> https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa#issue-7-partner-has-implemented-3rd-party-mfa-which-isnt-recognized-by-azure-ad
>
>
> ###
> please confirm with the 3rd party MFA solution provider that the MFA
> solution cannot be configured to flow the
> authenticationmethodsreferences claim (with value multipleauthn) to
> Azure AD to indicate that MFA verification has been completed during
> user authentication
> ###
>
> Is it just a matter of setting the AD FS claim
> "https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
> with value "http://schemas.microsoft.com/claims/multipleauthn" when
> MFA has been performed?
>
> Thx,
>
> Philip
>
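As an added example (not from the thread or from Shibboleth itself), the following script checks a decoded assertion for the MFA signal the thread describes, via either of the two paths Philip tested: the SAML 2.0 AuthnContextClassRef, or the AD FS/WS-Fed authenticationmethod claim carried as a SAML 1.1 attribute. The sample assertions are constructed, and it assumes AD FS emits the claim type with the http:// scheme (the thread quotes it with https://, so both are accepted).

```python
# Added example (not from the thread): inspect a decoded SAML assertion and report
# whether it carries the MFA signal Azure AD recognises, via either path the thread
# mentions: the SAML 2.0 AuthnContextClassRef, or the AD FS/WS-Fed authenticationmethod
# claim carried as a SAML 1.1 attribute. All sample assertions below are constructed.
import xml.etree.ElementTree as ET
MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
AUTHNMETHOD_CLAIM = "schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "saml1": "urn:oasis:names:tc:SAML:1.0:assertion"}

def _strip_scheme(uri):
    # The thread quotes the claim type with https://, AD FS tokens use http://; accept both.
    return uri.split("://", 1)[-1].rstrip("/")

def authn_methods(assertion_xml):
    """Collect every authentication-method value the assertion asserts."""
    root = ET.fromstring(assertion_xml)
    found = set()
    # SAML 2.0 path: AuthnStatement/AuthnContext/AuthnContextClassRef
    for ref in root.iterfind(".//saml2:AuthnContextClassRef", NS):
        found.add((ref.text or "").strip())
    # WS-Fed path: SAML 1.1 Attribute whose Namespace + Name form the claim type URI
    for attr in root.iterfind(".//saml1:Attribute", NS):
        claim = f"{attr.get('AttributeNamespace', '')}/{attr.get('AttributeName', '')}"
        if _strip_scheme(claim) == AUTHNMETHOD_CLAIM:
            for val in attr.iterfind("saml1:AttributeValue", NS):
                found.add((val.text or "").strip())
    return found

def asserts_azure_mfa(assertion_xml):
    """True when the assertion carries the value Azure AD treats as completed MFA."""
    return MULTIPLEAUTHN in authn_methods(assertion_xml)

# Constructed samples: password-only SAML 2.0, the same after strong authn, and a WS-Fed token.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SAML2_PASSWORD_ONLY = f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}"><saml2:AuthnStatement>
 <saml2:AuthnContext><saml2:AuthnContextClassRef>{PPT}</saml2:AuthnContextClassRef>
 </saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>"""
SAML2_MFA = SAML2_PASSWORD_ONLY.replace(PPT, MULTIPLEAUTHN)
WSFED_MFA = f"""<saml:Assertion xmlns:saml="{NS['saml1']}"><saml:AttributeStatement>
 <saml:Attribute AttributeName="authenticationmethod"
  AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
  <saml:AttributeValue>{PPT}</saml:AttributeValue>
  <saml:AttributeValue>{MULTIPLEAUTHN}</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    for name, xml in [("password only", SAML2_PASSWORD_ONLY), ("SAML2 MFA", SAML2_MFA), ("WS-Fed MFA", WSFED_MFA)]:
        print(name, "->", asserts_azure_mfa(xml))
```

Run it against an assertion captured from your own IdP (e.g. via a SAML tracer) to confirm the multipleauthn value is actually emitted after the strong authn flow, since a password-only assertion will be accepted by Azure AD but will not satisfy an MFA conditional access policy.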