LaurentPierre-8537 asked:

ADFS 2019 multiple mfa provider selection on RP

Hi Microsoft community,

Would we be able with ADFS 2019 to select in claim rules (at relying party level) the preferred MFA if you have multiple providers registered? Is this really possible, and how? The idea would be to use a claim rule like this:

 Set-AdfsRelyingPartyTrust -TargetName test -AdditionalAuthenticationRules 'exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-2462332226-1795882094-2017209951-xxxxx"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn"); exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-2462332226-1795882094-2017209951-xxxxx"]) => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "mfaprovider");'

Here we would select the MFA provider based on a group. I also understood this was stated here https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server in the "Specify auth method for additional auth per RP" section. Any input would be appreciated, thx

adfs

1 Answer

piaudonn answered:

Yes you can select what would be the MFA provider available for the user using conditions.

If you enforce MFA on a relying party, the user is normally prompted to pick one method. If you want to force the user to use one method over another, it is possible starting ADFS on Windows Server 2019.

Here are some examples (using the ClaimsXray application)...

Example 1 - Force the selection of the CertificateAuthentication MFA provider for all users on a relying party trust.

 Set-AdfsRelyingPartyTrust -TargetName ClaimsXray -AdditionalAuthenticationRules 'c:[] =>issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");c:[] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "CertificateAuthentication");'

Example 2 - Force the selection of the CertificateAuthentication MFA provider for users who are members of a group (represented here by its SID); the other users will have the choice of all MFA providers.

 Set-AdfsRelyingPartyTrust -TargetName ClaimsXray -AdditionalAuthenticationRules 'c:[] =>issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-608905689-872870963-3921916988-12345"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "CertificateAuthentication");'


You get the gist of it I guess. If not, post here your requirement and we'll help you out with the rules.

Note that you will have to use the "legacy" authorization rules. AFAIK, you cannot use the "Access Control Policies". To disable it on a relying party, you can run the following:

 Set-AdfsRelyingPartyTrust -TargetName ClaimsXray -AccessControlPolicyName:$null


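The two examples in the answer above map one group to one provider. The script below is an added example (it is not code from the answer or from Microsoft's documentation) that generalizes Example 2: it maps several AD groups to different registered MFA providers on the same relying party, refuses to write a rule naming a provider that is not registered on the farm, clears the Access Control Policy as the answer requires, and reads the stored rules back. The relying party name "ClaimsXray" is taken from the answer; the group SIDs and the second provider name (AzureMfaAuthentication) are assumed placeholders to replace with your own.

```powershell
# Added example, not the original answer's code. Run in an elevated
# PowerShell session on an AD FS 2019 server with the ADFS module loaded.

$rpName = 'ClaimsXray'   # relying party name from the answer

# Group SID -> MFA provider name as registered in AD FS.
# The SIDs are constructed placeholders; replace them with real group SIDs.
# A user who is in none of these groups gets only the multipleauthn claim
# and is offered every registered provider, as in Example 2 of the answer.
$providerByGroup = [ordered]@{
    'S-1-5-21-608905689-872870963-3921916988-12345' = 'CertificateAuthentication'
    'S-1-5-21-608905689-872870963-3921916988-12346' = 'AzureMfaAuthentication'   # assumed registered
}

# Refuse to write a rule that names a provider the farm does not have
# registered: a typo is cheaper to catch here than at the user's MFA prompt.
$registered = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
foreach ($provider in ($providerByGroup.Values | Sort-Object -Unique)) {
    if ($registered -notcontains $provider) {
        throw "MFA provider '$provider' is not registered on this farm (registered: $($registered -join ', '))"
    }
}

$authnMethodType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$groupSidType    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$providerType    = 'http://schemas.microsoft.com/claims/authnmethodsproviders'
$multipleAuthn   = 'http://schemas.microsoft.com/claims/multipleauthn'

# First rule: require MFA for everyone on this RP (same as the answer).
$rules = @("c:[] => issue(Type = `"$authnMethodType`", Value = `"$multipleAuthn`");")

# One rule per group: members of that group are restricted to that provider.
# A user in two mapped groups receives two authnmethodsproviders claims and
# can choose between those two providers.
foreach ($entry in $providerByGroup.GetEnumerator()) {
    $rules += "c:[Type == `"$groupSidType`", Value == `"$($entry.Key)`"] => issue(Type = `"$providerType`", Value = `"$($entry.Value)`");"
}
$ruleText = $rules -join "`r`n"

# Legacy additional authentication rules cannot coexist with an Access
# Control Policy on the RP, so drop the policy first (as the answer shows).
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName:$null
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $ruleText

# Read back what AD FS stored and confirm every mapped provider is present.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
foreach ($provider in ($providerByGroup.Values | Sort-Object -Unique)) {
    if ($rp.AdditionalAuthenticationRules -notlike "*$provider*") {
        throw "Stored rules on '$rpName' do not reference provider '$provider'"
    }
}
Write-Output "Additional authentication rules now set on '$rpName':"
Write-Output $rp.AdditionalAuthenticationRules
```

After clearing the Access Control Policy, also check the relying party's IssuanceAuthorizationRules still permit the users you expect; the script above only sets the additional authentication rules, which is all the thread covers.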

Brilliant, thanks Pierre! Tested, working like a charm. I also found another article if it can help someone: https://sysfc.uk/2020/03/14/adfs-associating-multiple-mfa-providers-to-active-directory-groups-groups/
