I’ve been investigating how to wire up AD to ADFS, and my friend James pointed me in the direction of multi-factor authentication. The post here explains how to add multi-factor authentication (MFA) to ADFS. There were, however, a couple of areas that were not clear and needed additional research:
- How to get a config file into the MFA provider
- How to send additional claims from the MFA provider
- How to customise the ADFS MFA portal pages
Adding configuration to the MFA provider is handled in the OnAuthenticationPipelineLoad method of the AuthenticationAdapter class. The configData parameter has a Data property, which is a file stream giving you access to the config file. The config file can be anything you want, but you need to supply it when you register your plugin with ADFS. Plugin registration is done in PowerShell, and you add the configuration file as follows:
Register-AdfsAuthenticationProvider -TypeName $typeName -Name "MFA_MyProvider" -Verbose -ConfigurationFilePath c:\mfa\config.xml (see here)
In your OnAuthenticationPipelineLoad method you then need to process the config file:
using System;
using System.IO;
using System.Text;
using Microsoft.IdentityServer.Web.Authentication.External;

public void OnAuthenticationPipelineLoad(IAuthenticationMethodConfigData configData)
{
    if (configData != null)
    {
        // Data is the stream of the file passed to -ConfigurationFilePath at registration
        if (configData.Data != null)
        {
            // load the config file
            using (StreamReader reader = new StreamReader(configData.Data, Encoding.UTF8))
            {
                try
                {
                    string config = reader.ReadToEnd();
                    // Read your config here
                }
                catch (IOException ex)
                {
                    // a try block needs a catch or finally; surface an unreadable config file
                    throw new InvalidOperationException("Unable to read the MFA config file", ex);
                }
            }
        }
    }
}
Sending additional claims is achieved in the TryEndAuthentication method of the AuthenticationAdapter class. It should already be returning an authentication method claim in an array of claims. You can add further claims to this array and return them through the claims out parameter. You will also need to add claim rules in ADFS to pass these claims through to the application if it requires them.
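As an added example (not code from the original post), the two pieces above put together: the config file loaded in OnAuthenticationPipelineLoad is parsed as XML, and TryEndAuthentication returns the authentication method claim ADFS requires plus one extra claim whose value comes from that config. The config element names, the extra claim type URI, the "otpCode" proof-data key, and the VerifyCode and AdapterPresentation helpers are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Claims;
using System.Text;
using System.Xml.Linq;
using Microsoft.IdentityServer.Web.Authentication.External;

// partial: the other IAuthenticationAdapter members live in the rest of the class
public partial class AuthenticationAdapter : IAuthenticationAdapter
{
    private const string AuthMethodClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod";
    private const string MultipleAuthnValue = "http://schemas.microsoft.com/claims/multipleauthn";
    // Assumed claim type for the extra claim passed through to the relying party
    private const string MfaProviderClaimType = "http://example.com/claims/mfaprovider";
    // Filled from the config file, assumed shape: <MfaConfig><ProviderName>X</ProviderName></MfaConfig>
    private string providerName = "unknown";

    public void OnAuthenticationPipelineLoad(IAuthenticationMethodConfigData configData)
    {
        if (configData == null || configData.Data == null) return;
        using (StreamReader reader = new StreamReader(configData.Data, Encoding.UTF8))
        {
            // The stream is the file given to Register-AdfsAuthenticationProvider -ConfigurationFilePath
            XDocument doc = XDocument.Parse(reader.ReadToEnd());
            providerName = (string)doc.Root.Element("ProviderName") ?? providerName;
        }
    }

    public IAdapterPresentation TryEndAuthentication(IAuthenticationContext context,
        IProofData proofData, HttpListenerRequest request, out Claim[] claims)
    {
        claims = null;
        // Assumed: the form posts the code as "otpCode"; VerifyCode and AdapterPresentation
        // are hypothetical helpers belonging to the provider, not part of the ADFS API
        object code;
        if (proofData == null || !proofData.Properties.TryGetValue("otpCode", out code)
            || !VerifyCode(context.Data, code as string))
        {
            return new AdapterPresentation("Invalid code, try again"); // re-display the form
        }
        claims = new[]
        {
            new Claim(AuthMethodClaimType, MultipleAuthnValue), // the method claim ADFS requires
            new Claim(MfaProviderClaimType, providerName)        // the additional claim
        };
        return null; // null tells ADFS the MFA step succeeded
    }
}
```

Returning null from TryEndAuthentication signals success; returning a presentation keeps the user on the MFA page, so the extra claim is only ever issued after the provider's own check has passed.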
Customising the MFA portal is done through PowerShell; details are found here:
http://thinketg.com/adfs-3-0-logon-page-customization/ and https://technet.microsoft.com/en-us/library/dn280950.aspx