Active Directory Federation Services
10 Topics

ADFS SSO sign-in as different user
We have federation configured with Azure AD using ADFS with SSO enabled. This is working as expected. However, there is one slight issue for the admin team, who are required to sign in using privileged credentials different from their regular user account. The problem is that ADFS SSO automatically signs the user in as the account logged into Windows. E.g. "User runs a PowerShell command --> authentication prompt comes up --> user enters their privileged ID (different from their regular account) --> user enters their password --> user is signed in as their regular account rather than the privileged account they used at the sign-in screen." Is there a workaround for this issue other than using a non-domain-joined laptop?

Azure B2C as a Claims Provider to ADFS 2016 to use with federated partners
Hi, a bit of an interesting use case here: we're looking at leveraging an Azure B2C directory as another claims provider in ADFS 2016 to access a federated party's resources over a federation trust set up with their ADFS system. I've been checking on resources and there's nothing yet that I've found that can help configure this, if it's at all possible, which I'm still trying to validate. I could use an Identity Server v3 or 4 to do the job, but with ADFS 2016 and OpenID Connect support I was hoping we could leverage our existing infrastructure. A tricky one, and hopefully someone's run into something similar before. Thanks.

Federation Concepts
I have read and understood a few things on this subject with respect to Microsoft's offering:
1. Windows Identity Foundation comes into the picture. Please answer why.
2. OASIS WS-Trust for setting up federation when rich applications / thick clients (apps) are involved. Please answer which protocols are used and why. Please answer which types of tokens are generated and why.
3. OASIS WS-Federation for setting up federation when browser-based access is required/involved (websites). Please answer which protocols are used and why. Please answer which types of tokens are generated and why.
4. OASIS SAML for setting up federation when browser or rich/thick clients are involved. Please answer which protocols are used and why. Please answer which types of tokens are generated and why. I know the first two can issue SAML tokens also.
5. When a claims-aware application is being developed, how will the developer choose what claims the application will ask for? Where's the STANDARD DEFINITION for the claim types to be used?
6. When the trust is being established using the ADFS Management Console, or for that matter when one is setting up federation with Azure AD, is it the application/relying party who chooses what claims it will ask for?
7. Is there a STANDARD DEFINITION around this? What/where is it?
8. Should it not be the choice of the account owner, considering security, which claims I am OK with sharing with the application?
9. I do understand this bit after reading on Azure AD: with OpenID Connect and OAuth 2.0 there are scopes defined in the application which will show or ask for the user's consent, and only then will it have access to those account-related details (allow/grant access to your Contacts, Pictures, Phone Logs etc.).

ADFS - Unable to log on with UPN
Hi All, in our development environment we have ADFS 3.0 servers authenticating federated users. Recently, users have been unable to log on using their UPN. SamAccountName works without issue. For information, the domain and UPN setup is as follows: the internal domain is childdomain.root.int.ac.uk. Users exist in the child domain "childdomain.root.int.ac.uk" but have their UPN changed to username@int.ac.uk. When signing into Office 365 or via ADFS they are able to use their samAccountName, but using the UPN gives an incorrect username or password error. We see the following error in the ADFS logs:

Token validation failed.
Additional Data
Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
%Error message:

If they attempt to use the ADFS password change page I see the following error in the logs:

Password change failed for following user:
Additional Data
User: u1234560@int.ac.uk.
Device Certificate:
Server on which password change was attempted:
Error details: UserNotFound

Any ideas what might be causing this?

AAD Connect staging mode and ADFS configuration
We are migrating AAD Connect to a new server and have installed the tool using the database restore option. However, we are a bit puzzled by the ADFS configuration. The O365 tenant is federated with ADFS. Do we need to configure ADFS settings in the newly installed AAD Connect? If yes, at what point do we do that: when we disable staging mode, or is this something that can be done with staging mode enabled?

Migration from AD FS 2012 to 2019 Prerequisites
Hi Community! We currently have AD FS 2012 R2 for hybrid identity management for our Office 365 users, and we are planning to migrate it to AD FS 2019. I am looking for the prerequisites, but I cannot see a Microsoft document for 2019; I can only find one for 2016. Hope someone can help me with this 🙂

Need to clean up Federated domain
Hi Members, good day. We have a federated domain in Azure, e.g. fed.dom.lo.com. AD Connect was set up and it had synchronized all the users in our on-prem domain controller to Azure. Assume we had 20k users in the specific OU which was set for the sync. Now, the change that came in would want us to sync only users which have a specific attribute set, i.e. departmentName = xyz, and not all. My doubts are as below:
1. What would happen to the existing users in the Azure federated domain; would a clean-up be done automatically? E.g. users synced are 20k, but users with the attribute are just 3k.
2. How would we do a clean-up on the Azure domain?
3. Could we delete all the users on the Azure domain and add the inbound sync rule to have the limited users show up again? Or is there any better way to achieve this?
Thank you, V

How to connect ADFS with OAuth 2.0 protocol
Current environment information: Server OS version: Windows Server 2012 R2; ADFS was installed. I cannot create an OAuth 2.0 authentication request after the ADFS client was added. I use this URL (this domain is for internal network access only, because a firewall is running to filter TCP ports 80/443 due to China Telecom government security policy limits): https://adfs.dingplace.com/adfs/oauth2/authorize?client_id=wifidog_authportal&response_type=code&redirect_uri=http%3A%2F%2F172.20.1.6%3A8080%2F~dingstudio%2FwebAuth%2FadfsLogin.php&scope=openid&state= to request authentication, but ADFS redirects my request to an error page with some error description. How can I make ADFS work correctly, and where is ADFS's resource application programming interface? Before ADFS, my single sign-on solution was CAS or my own auth server. I want a solution to help me.

Multiple federated accounts cannot login to Outlook Desktop
Environment: AD FS on-prem, Exchange Online Hybrid. Client: domain-bound Windows 10, Office 2016. On the client machine, the user is set up with his mailbox in Outlook. The user also needs to add an additional mailbox in their Outlook. When we try to add another account, it does not prompt for credentials and adds the account in Outlook right away. This is happening because the user is logged into the machine with his AD account, and AD FS uses those credentials and skips the authentication window even if we are trying to set up a new account. How can this situation be handled so that the user can be allowed to set up another account in their Outlook?

AD FS - Banned IP question
Azure Active Directory Connect Health | AD FS services question here. I've added some malicious IPs to the AD FS Banned IP list, but my Azure AD sign-in log still registers connection attempts from these IPs with error code 50126 (The user was not able to sign in because the user did not enter the right credentials). That is the same error code as before adding the IPs to the Banned IP list. Is this normal? We use AD FS for authenticating to O365/Azure AD. We also use AD FS Health for monitoring and security purposes. I would like to block malicious IPs from accessing ADFS and even attempting to authenticate. I thought I could use AD FS Banned IP, but maybe that is not the case? Another strange detail about this is that the login attempts from malicious IPs seen in Azure AD are not registered in the ADFS/Security logs in Event Viewer on the ADFS server. Appreciate any feedback. BR, Ruslan