1

Is it possible to force a specific MFA provider based on a user-agent (ideal) or IP address (less ideal) in AD FS? Alternatively, is there another free SAML IdP that would allow this? Read below for why, in case there is another option that I am missing:

I'm using AD FS 3.0 as a SAML 2.0 IdP for a cloud service used internally at a business. I have enabled MFA using integrated Windows authentication and I have also enabled certificates as a second factor.

This works great on the domain-joined desktops we deploy. Once the user is logged into Windows, they are automatically logged into the cloud service assuming they have a valid certificate. They don't have to do anything to authenticate and this is awesome.

This cloud service provides a mobile app for iOS and Android devices. The mobile app uses an embedded browser for authentication. During authentication, upon redirection to the IdP, AD FS falls back to forms-based authentication which is fine. However, when AD FS requests a client certificate, the embedded browser in these apps freezes. Thus, it is not possible to log into the apps using certificate-based authentication.

I've informed the vendor, they are able to replicate the issue and are investigating whether they can fix it, but my hopes are not high that they will be able to (at least in a timely manner).

In the meantime, I would like to provide two options: use certificates as the second factor on desktop browsers, and use a custom authentication provider (I can build this no problem) for mobile browsers.

Is this possible? The closest I can get right now is to present the user with an option of which MFA mechanism they would like to use. This isn't good enough, unfortunately, especially since users will need to do this several times per day.

Todd

1 Answer

-1

Multi-factor authentication as a service is simply consuming the second factor from the cloud, so that your on-premises applications and cloud workloads can both use the same multi-factor authentication platform.

Azure Multi-Factor Authentication provides an additional level of authentication to prevent unauthorized access to both on-premises and cloud application. It provides three flavors:

  1. Mobile App: available on Windows Phone, Android and iOS devices. Within this application, you can do two things:
     • Software token: offline one-time password with a short lifetime, which is a great way in case you do not have internet connectivity.
     • Push notification.

  2. Phone calls: you can receive a phone call prompting you to press a key to complete your authentication. This can be a land line or a mobile phone.

  3. Text messages: you will receive a text message with a verification code.

You can look at the Microsoft Authenticator app option for Multi-Factor Authentication. Check the details in "Enable mobile app authentication with Azure Multi-Factor Authentication Server".

Mohit_Garg
  • I might be missing it, but I don't see how this will help in my case. I don't want desktop users to be prompted at all because the SP prompts for re-authentication on their website fairly frequently. That's why I want to use certificates on desktop browsers and custom MFA on mobile browsers and have the user not prompted to select an MFA method. Adding Azure MFA would just get me where I am now - the user has to select an MFA option, even on the desktop. – Todd Nov 17 '17 at 18:43
  • Understood. Is it possible for you to leverage an on-prem Microsoft System Center Configuration Manager (SCCM) 2012 R2 deployment linked to Microsoft Intune to deliver SSL certificates to mobile and external devices to use in MFA, where you are using X.509 SSL certificates for your second factor of authentication? – Mohit_Garg Nov 17 '17 at 21:54
  • I can definitely deliver certificates to the mobile devices, but there are two issues with that: 1. The specific app we need to use two-factor in embeds a browser which freezes when it gets to the point on the IdP that it needs to present a certificate. 2. Android (recent versions at least) makes it too cumbersome for the user to install a certificate. It's not terribly hard, but it's also not as automatic as we would like. – Todd Nov 18 '17 at 00:56