windfly2006

Reputation: 1705

How to intercept ADFS 2.0 authentication request

Based on my reading of "Does ADFS 2.0 support a custom authentication store", the only authentication store ADFS supports is Active Directory (I originally thought that a custom attribute store would help me here; unfortunately, it does not). However, we are thinking of adding two-factor authentication to ADFS, not only for the browser-based passive profile (basically customizing the login page) but also for the active profile (such as the endpoint services/trust/13/UsernameMixed). The only approach I can think of is to intercept the request coming into the ADFS server. I heard that ADFS endpoints are WCF endpoints; however, I did not see a configuration file in the ADFS folder (the installation is at c:\windows\ADFS on my 2012 server). Otherwise, I am thinking of using a WCF behavior extension (or maybe some other approach, if you know one) to intercept the request; however, so far I don't see how I could do that. I am new to ADFS/WCF, and any insight on this would be highly appreciated. Maybe I am attempting something that is impossible.

At this point, we don't really want to use another STS and let ADFS federate with it; it would be too big a change to the customer's ADFS environment. Although the open-source StarterSTS (http://startersts.codeplex.com/, now renamed IdentityServer) is a great product, it is open source, and I am not sure how well it is tested and how reliably it would work in a production deployment. If anyone knows of a production deployment of StarterSTS, please let me know.

Upvotes: 0

Views: 880
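For readers unfamiliar with what the active profile actually carries, the following is an added example (not code from the question, the answer, or AD FS itself) of the WS-Trust 1.3 exchange that a client performs against the `services/trust/13/usernamemixed` endpoint named above: the client builds a SOAP 1.2 RequestSecurityToken whose header holds a WS-Security UsernameToken, and AD FS answers with a RequestSecurityTokenResponseCollection wrapping a SAML 1.1 assertion, or with a SOAP Fault when the credentials are rejected. It is this message-level UsernameToken, validated by the server against Active Directory, that a second factor would have to be injected into, which is why the question has no equivalent of "customize the login page" for the active profile. The host names, relying-party URI, assertion contents and the fault text are constructed for illustration; only the namespace URIs, action URIs and element names are the real protocol constants.

```python
"""Build a WS-Trust 1.3 UsernameMixed request for AD FS and parse the reply.

Added example, not from the original post or from AD FS. Host names, the
relying-party URI and both sample responses below are constructed.
"""
from datetime import datetime, timedelta, timezone
from uuid import uuid4
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Namespaces of SOAP 1.2, WS-Addressing, WS-Security and WS-Trust 1.3.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
ISSUE_ACTION = NS["trust"] + "/RST/Issue"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def build_rst(endpoint, username, password, applies_to, now=None):
    """Return the SOAP envelope a client POSTs to .../trust/13/usernamemixed.

    The password travels in clear inside a UsernameToken in the SOAP header,
    so this endpoint is only acceptable over TLS ("mixed" = transport security
    plus a message-level token). escape() keeps crafted credentials from
    breaking out of the XML.
    """
    now = now or datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%S.000Z"
    created, expires = now.strftime(fmt), (now + timedelta(minutes=5)).strftime(fmt)
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}" xmlns:u="{NS['u']}">
  <s:Header>
    <a:Action s:mustUnderstand="1">{ISSUE_ACTION}</a:Action>
    <a:MessageID>urn:uuid:{uuid4()}</a:MessageID>
    <a:ReplyTo><a:Address>{NS['a']}/anonymous</a:Address></a:ReplyTo>
    <a:To s:mustUnderstand="1">{escape(endpoint)}</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="{NS['o']}">
      <u:Timestamp u:Id="_0"><u:Created>{created}</u:Created><u:Expires>{expires}</u:Expires></u:Timestamp>
      <o:UsernameToken u:Id="uuid-{uuid4()}">
        <o:Username>{escape(username)}</o:Username>
        <o:Password Type="{PASSWORD_TEXT}">{escape(password)}</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="{NS['trust']}">
      <wsp:AppliesTo xmlns:wsp="{NS['wsp']}">
        <a:EndpointReference><a:Address>{escape(applies_to)}</a:Address></a:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>{NS['trust']}/Bearer</trust:KeyType>
      <trust:RequestType>{NS['trust']}/Issue</trust:RequestType>
      <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


class WsTrustFault(Exception):
    """Raised when the STS answers with a SOAP Fault instead of a token."""


def parse_rstr(xml_text):
    """Extract the issued SAML 1.1 assertion from an RSTRC, or raise on a Fault."""
    root = ET.fromstring(xml_text)
    fault = root.find("s:Body/s:Fault", NS)
    if fault is not None:  # e.g. FailedAuthentication for a wrong password
        code = fault.findtext("s:Code/s:Subcode/s:Value", default="", namespaces=NS)
        reason = fault.findtext("s:Reason/s:Text", default="", namespaces=NS)
        raise WsTrustFault(f"{code}: {reason}")
    rstr = root.find("s:Body/trust:RequestSecurityTokenResponseCollection/"
                     "trust:RequestSecurityTokenResponse", NS)
    assertion = rstr.find("trust:RequestedSecurityToken/saml:Assertion", NS)
    return {
        "token_type": rstr.findtext("trust:TokenType", namespaces=NS),
        "expires": rstr.findtext("trust:Lifetime/u:Expires", namespaces=NS),
        "assertion_id": assertion.get("AssertionID"),
        "issuer": assertion.get("Issuer"),
        "name_id": assertion.findtext(".//saml:NameIdentifier", namespaces=NS),
        "assertion_xml": ET.tostring(assertion, encoding="unicode"),
    }


# Constructed sample of a successful response (not captured from a server).
SAMPLE_RSTRC = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}" xmlns:u="{NS['u']}">
  <s:Header><a:Action s:mustUnderstand="1">{NS['trust']}/RSTRC/IssueFinal</a:Action></s:Header>
  <s:Body><trust:RequestSecurityTokenResponseCollection xmlns:trust="{NS['trust']}">
    <trust:RequestSecurityTokenResponse>
      <trust:Lifetime><u:Created>2013-04-01T10:00:00.000Z</u:Created><u:Expires>2013-04-01T11:00:00.000Z</u:Expires></trust:Lifetime>
      <trust:RequestedSecurityToken>
        <saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1" AssertionID="_a1b2c3"
            Issuer="http://adfs.example.com/adfs/services/trust" IssueInstant="2013-04-01T10:00:00.000Z">
          <saml:AttributeStatement><saml:Subject><saml:NameIdentifier>alice@example.com</saml:NameIdentifier></saml:Subject></saml:AttributeStatement>
        </saml:Assertion>
      </trust:RequestedSecurityToken>
      <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
    </trust:RequestSecurityTokenResponse>
  </trust:RequestSecurityTokenResponseCollection></s:Body>
</s:Envelope>"""

# Constructed sample of the fault returned for bad credentials.
SAMPLE_FAULT = f"""<s:Envelope xmlns:s="{NS['s']}"><s:Body><s:Fault>
  <s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value xmlns:o="{NS['o']}">o:FailedAuthentication</s:Value></s:Subcode></s:Code>
  <s:Reason><s:Text xml:lang="en-US">ID3242: The security token could not be authenticated or authorized.</s:Text></s:Reason>
</s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print(build_rst("https://adfs.example.com/adfs/services/trust/13/usernamemixed",
                    "alice", "p<ss&", "https://app.example.com/"))
    print(parse_rstr(SAMPLE_RSTRC))
    try:
        parse_rstr(SAMPLE_FAULT)
    except WsTrustFault as err:
        print("fault:", err)
```

To talk to a real server, POST the envelope with `Content-Type: application/soap+xml; charset=utf-8` to the endpoint over HTTPS and feed the response body to `parse_rstr`. Note that nothing in the request or the response leaves room for a second factor: the only credential the endpoint understands is the UsernameToken, so any additional factor for the active profile would have to be enforced where AD FS validates that token, which is the part the question asks how to reach.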

Answers (1)

leastprivilege

Reputation: 18482

I don't know a way to customize the active endpoints of ADFS.

IdentityServer (formerly StarterSTS) is deployed in many production environments (up to really huge ones). So that may be an option.

Upvotes: 1
