DominikAmon

Adapt/Alter ADFS Server Response

I am currently looking for a way to extend / alter the behavior of ADFS 4.0 (2016) in order to fulfill special business requirements.

Our current process

  1. A Relying Party (either WS-FED, SAML or OAuth Service Provider) is sending an AuthnRequest to AD FS, acting as an IdP.
  2. The user authenticates using Forms, Windows Login or several other federated authentication providers.
  3. With claim rules, information such as given name, surname and so on is provided. Next to this information is a special claim, we call it "redirect claim", which acts as a flag for the service provider.
  4. The claims are sent back to the requesting Relying Party. The requesting application needs to stop the authentication process and redirect to the given address, because of that "redirect claim".
  5. After the user has been redirected to the given address, he needs to complete the task on the redirected page (i.e. profile selection, Terms of Use, ...).
  6. After that, the user is redirected back to the requesting application and re-starts the authentication process automatically.
  7. The second authentication process will hand out a complete authentication response without that redirect claim and user interaction because of Single Sign On (SSO).

Note: The redirect claim is provided in cases as "the user needs to select a profile, before the authentication is completed or Terms of Use might have been changed and the user needs to apply again and many other use cases". Unfortunately, we can't get rid of that user interaction in the middle of the authentication process.

The pain

This process works in general, but it requires all the service providers to respect that certain claim in their workflow.

As we have currently approximately 300 applications and lots of them were written by 3rd party companies, it requires a lot of information and adaptations by all the different vendors in their products.

Alternative future process

We would like the ADFS to behave / react directly on certain claims in order to directly redirect to the requested page. We are looking for any kind of method to extend the behavior.

Ideally some "out of the box" feature, but some "hacky" alternative would also do. We thought about a (custom written) transparent proxy that intercepts AD FS responses and looks for that redirect claim.

We also thought about an OAuth2 proxy, written in C#, but there is a lot of work in order to comply with the OAuth protocol, such as SLO (not so much SSO, as those calls are forwarded to the ADFS anyway) and IdP configuration (.well-known data).

Maybe AD FS provides a kind of a request/response filter?

Maybe some software like this already exists and is easy to adapt (such as Keycloak). Preferably in C#.

What we have tried so far

There is a possibility to extend the login behavior with ADFS in some way, by writing a custom MFA provider: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method

The problem with that is that it is handled only on the first sign-in in a chain of multiple sign-ins in different applications because of SSO. When disabling SSO in general, the user needs to re-authenticate all the time. So this is also not working.

Ideas

So we thought about writing a custom OAuth proxy in C# that acts as an IdP for service providers. From the AD FS point of view, the OAuth proxy would be a service provider.

At least for OAuth it could be a solution where the effort is manageable, unlike SAML, where a lot of different aspects (especially encryption) would take a lot of effort.

I am open to ideas!

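As an added illustration, not code from the question, from AD FS or from any of the relying parties mentioned: the relying-party side of steps 4 to 7 of the current process, written in Python. It reads the attribute statement of an AD FS SAML 2.0 assertion, looks for the redirect claim, and either stops the sign-in with a redirect (first pass) or completes it with the remaining claims (second pass, after SSO). The claim type `http://example.test/claims/redirect`, the issuer, the allow-listed redirect hosts and both sample assertions are constructed for this example; signature and audience validation of the assertion is assumed to have been done by the SP library before this code runs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed for this example: the real claim type is whatever the AD FS
# claim rules issue, and the allow-list is the set of pages the user may be
# sent to mid-authentication (profile selection, Terms of Use, ...).
REDIRECT_CLAIM = "http://example.test/claims/redirect"
ALLOWED_REDIRECT_HOSTS = {"profile.example.test", "terms.example.test"}
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def extract_saml_attributes(assertion_xml: str) -> dict:
    """Collect the AttributeStatement of a SAML 2.0 assertion into a dict.

    The XML signature is not checked here; the SP library is assumed to have
    verified it (and the audience/conditions) before the claims are trusted.
    """
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        claims[attr.get("Name")] = values[0] if len(values) == 1 else values
    return claims


def is_trusted_redirect(target: str) -> bool:
    """Only follow absolute https targets on an allow-listed host, so a claim
    value can never turn the application into an open redirector."""
    parsed = urlparse(target)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS


def authn_decision(claims: dict) -> tuple:
    """Step 4: with the redirect claim present, stop the sign-in and redirect;
    without it (step 7, second pass via SSO), complete the sign-in."""
    target = claims.get(REDIRECT_CLAIM)
    if target is None:
        return ("signin", {k: v for k, v in claims.items() if k != REDIRECT_CLAIM})
    if isinstance(target, list) or not is_trusted_redirect(target):
        raise ValueError(f"refusing redirect claim value {target!r}")
    return ("redirect", target)


# Constructed sample assertions (minimal, unsigned, attribute statement only).
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-{id}" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="{givenname}">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>{extra}
  </saml:AttributeStatement>
</saml:Assertion>"""
_REDIRECT_ATTR = """
    <saml:Attribute Name="{claim}">
      <saml:AttributeValue>https://profile.example.test/select?rp=app1</saml:AttributeValue>
    </saml:Attribute>""".format(claim=REDIRECT_CLAIM)

FIRST_PASS = _TEMPLATE.format(id=1, givenname=GIVENNAME, extra=_REDIRECT_ATTR)
SECOND_PASS = _TEMPLATE.format(id=2, givenname=GIVENNAME, extra="")


def run_flow() -> tuple:
    """Both passes of the process: first response carries the redirect claim,
    the post-SSO response does not."""
    first = authn_decision(extract_saml_attributes(FIRST_PASS))
    second = authn_decision(extract_saml_attributes(SECOND_PASS))
    return first, second


if __name__ == "__main__":
    for label, (kind, payload) in zip(("first pass", "second pass"), run_flow()):
        print(f"{label}: {kind} -> {payload}")
```

`authn_decision` works unchanged on the claims dictionary of an OIDC id_token or a WS-Federation token once the SP library has validated it, which is why the decision is kept separate from the SAML parsing. It also shows the limit of the proxy idea from the question: the SAML assertion, WS-Fed token and OIDC id_token are all signed by AD FS, so a proxy that removes or rewrites the redirect claim cannot do so without re-signing with a key the relying parties trust, at which point it is effectively a second IdP rather than a transparent filter.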