MFA using IdP for conditional access M365
philip.brusten at kuleuven.be
Mon Mar 2 17:40:08 EST 2020
Just to confirm that we managed to integrate our Shibboleth IdP with MFA
support to Azure AD.
The missing links were:
- marking the IdP with MFA support: Set-MsolDomainFederationSettings -DomainName $dom -PreferredAuthenticationProtocol SAMLP -SupportsMfa $true
- adding another value for SAML2AuthnContextClassRef to our strong authn module: "http://schemas.microsoft.com/claims/multipleauthn"
We got this working either directly via SAML2.0 or via an AD FS relay via
WS-Fed. We will have to evaluate the pros and cons for both solutions.
Happy to share more information if needed.
On 20/02/2020 17:22, Philip Brusten wrote:
> has anyone integrated their Shibboleth IdP software with a custom
> control using conditional access on MS Azure AD (requires premium p1
> (looks like OpenID connect is also involved ~ DiscoveryURL)
> We provide a MFA solution on our IdP and would like to integrate it
> with M365 to avoid our users to use a 2nd solution using MS
> This seems interesting as well, but not sure if this works with SAML2.0:
> please confirm with the 3rd party MFA solution provider that the MFA
> solution cannot be configured to flow the
> authenticationmethodsreferences claim (with value multipleauthn) to
> Azure AD to indicate that MFA verification has been completed during
> user authentication
> Is it just a matter of setting the AD FS claim
> with value "http://schemas.microsoft.com/claims/multipleauthn" when
> MFA has been performed?
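As an added example (not from the original post or from the Shibboleth project), a small check that a SAML Response from the IdP actually carries the "multipleauthn" AuthnContextClassRef that Azure AD expects once SupportsMfa is set. The sample responses and the issuer URL are constructed; signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Value Azure AD looks for in the AuthnContextClassRef to treat the login as MFA-verified.
MFA_CONTEXT = "http://schemas.microsoft.com/claims/multipleauthn"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed, minimal SAML Response (signature omitted) as a Shibboleth IdP
# with the MFA authn context configured would emit it. Issuer URL is hypothetical.
SAMPLE_MFA_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2020-03-02T22:40:08Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with only the password context: a password-only login that
# Azure AD will not accept as satisfying an MFA conditional access policy.
SAMPLE_PASSWORD_RESPONSE = SAMPLE_MFA_RESPONSE.replace(
    MFA_CONTEXT.encode(), PASSWORD_CONTEXT.encode())

# Response without any AuthnStatement at all (edge case: nothing to evaluate).
SAMPLE_NO_AUTHN_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0"><saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer></saml:Assertion>
</samlp:Response>"""


def authn_context_refs(response_xml: bytes) -> list:
    """Return every AuthnContextClassRef found under an AuthnStatement."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [el.text.strip() for el in root.findall(path, NS) if el.text]


def asserts_mfa(response_xml: bytes) -> bool:
    """True only if the assertion explicitly claims MFA via the multipleauthn class."""
    return MFA_CONTEXT in authn_context_refs(response_xml)
```

Run this against a captured SAML Response from the IdP's test flow (e.g. via the browser's SAML tracer) before flipping -SupportsMfa on the domain.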