ADFS 3.0 Multi Factor Authentication


Problem description

I have set up RSA as multi-factor authentication in ADFS 3.0 (Windows Server 2012 R2). I have 2 "Claims Provider Trusts":

1. Active Directory (so I can log in using Windows credentials)

2. Thinktecture Identity Server (so users from outside of my domain can log in with provided username/passwords)

When I log in to ADFS using Active Directory as the identity provider, I am prompted for a Security Code (which is the expected behavior). However, when I log in using a third-party identity provider, I am authenticated and redirected to the relying party application. I was expecting that multi-factor authentication would work for all Claims Provider Trusts.

In the Multi-Factor authentication global settings, I specified that MFA is required for both extranet and intranet. Any idea why it does not work for identity providers other than Active Directory?

Recommended answer

That's because AD FS MFA assumes the use of Active Directory in the primary authentication slot. If you're using a claims provider such as Thinktecture, then that will bypass the MFA requirement because AD is not the claims provider. However, you could also issue an additional claims rule on the RP pipeline that states that where the claims provider is a remote CP (Thinktecture), they should also use MFA via the RSA provider, assuming the user exists on their side. BTW, I've never tested this :-)

