Customizing and Extending ADFS 2.0 Brian Puhl Technology Architect Microsoft Corporation SIA318.
Customizing and Extending ADFS 2.0
Brian Puhl, Technology Architect, Microsoft Corporation
SIA318
Session Objectives
Understand the ADFS authentication process
Identify extensibility and customization areas of ADFS
Leverage the existing ADFS pages to support mobile and strong authentication
Enable rich capabilities to meet your application and business needs
Federated Authentication Flow
Diagram: Identity Provider (Federation Service, Active Directory) and Application Provider (Application, Federation Service)
1. User browses to application
   a. Anonymous landing page or automatic redirect?
2. Application redirects to federation service
   a. Home Realm Discovery
3. Redirects to IdP Federation Service
   a. Sign-in against AD
4. Redirects back to Federation service
   a. Claims provider trust rules
   b. Relying party rules
5. Redirects to application
Single Instance Federation Flow
Diagram: Application, Federation Service, Active Directory
1. User browses to application
   a. Anonymous landing page or automatic redirect?
2. Application redirects to federation service
   a. Home Realm Discovery
3. Redirects to IdP Federation Service
   a. Sign-in against AD
4. Redirects back to Federation service
   a. Claims provider trust rules
   b. Relying party rules
5. Redirects to application
Extensibility Points
Application landing page
Home Realm Discovery
Sign In Page
Relying Party Rule sets
Scenarios for this Discussion
Improved User Experience: Web.config, Custom ASP.Net
Home Realm Discovery: Principles of HRD, Using the WHR parameter
Sign In Page: Strong authentication and mobile support
Agenda: Application Experience; Home Realm Discovery; Strong Authentication / Mobile Support; Putting it Together
Important Web.Config Settings
The topmost entry in this list is the default authentication type
Integrated on the internal network; Forms on the ADFS Proxy servers facing the internet
Important Web.Config Settings
The ADFS service can only point to single pages for HomeRealmDiscovery and Error events
Default HRD cookies are enabled, and live for 30 days
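To make the two points on these slides checkable (the topmost localAuthenticationTypes entry is the default type, and the HRD cookie defaults to 30 days), here is an added Python example; it is not code from the deck or from ADFS. It parses a constructed fragment shaped like C:\inetpub\adfs\ls\web.config, reports the default authentication type, the HRD cookie lifetime and the single HRD and error pages, and flags a server whose default does not match its role (Integrated on an internal federation server, Forms on an internet-facing proxy). The element and attribute names (microsoft.identityServer.web, localAuthenticationTypes, homeRealmDiscovery, error, persistIdentityProviderInformation) are assumed from memory of the ADFS 2.0 default file, so verify them against your own copy.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of C:\inetpub\adfs\ls\web.config on an internal
# federation server. Element and attribute names are assumed to match the ADFS 2.0
# default file (from memory); verify them against your own copy.
INTERNAL_FS_CONFIG = """<configuration>
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Integrated" page="auth/integrated/" />
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
    <homeRealmDiscovery page="HomeRealmDiscovery.aspx" />
    <error page="Error.aspx" />
    <persistIdentityProviderInformation enabled="true" lifetimeInDays="30" />
  </microsoft.identityServer.web>
</configuration>"""

# The same file with Forms moved to the top, as an internet-facing ADFS proxy should have it.
PROXY_CONFIG = INTERNAL_FS_CONFIG.replace(
    '<add name="Integrated" page="auth/integrated/" />\n      <add name="Forms" page="FormsSignIn.aspx" />',
    '<add name="Forms" page="FormsSignIn.aspx" />\n      <add name="Integrated" page="auth/integrated/" />',
)


def parse_ls_config(xml_text):
    """Pull the settings the slides call out from a web.config string."""
    root = ET.fromstring(xml_text)
    web = next((c for c in root if c.tag == "microsoft.identityServer.web"), None)
    if web is None:
        raise ValueError("microsoft.identityServer.web section missing")
    auth_types = [a.get("name") for a in web.findall("localAuthenticationTypes/add")]
    if not auth_types:
        raise ValueError("no localAuthenticationTypes entries")
    persist = web.find("persistIdentityProviderInformation")
    hrd = web.find("homeRealmDiscovery")
    err = web.find("error")
    return {
        "default_auth": auth_types[0],  # the topmost entry is the default type
        "auth_types": auth_types,
        "hrd_cookie_enabled": persist is not None and persist.get("enabled", "false").lower() == "true",
        "hrd_cookie_days": int(persist.get("lifetimeInDays", "0")) if persist is not None else 0,
        "hrd_page": hrd.get("page") if hrd is not None else None,  # only one HRD page can be set
        "error_page": err.get("page") if err is not None else None,  # only one error page can be set
    }


def check_role(cfg, role):
    """Findings for a server that should be an internal FS ('internal') or an ADFS proxy ('proxy')."""
    expected = {"internal": "Integrated", "proxy": "Forms"}[role]
    findings = []
    if cfg["default_auth"] != expected:
        findings.append(f"{role}: default authentication type is {cfg['default_auth']}, expected {expected}")
    if cfg["hrd_cookie_enabled"] and cfg["hrd_cookie_days"] > 30:
        findings.append(f"{role}: HRD cookie lifetime {cfg['hrd_cookie_days']} days exceeds the 30-day default")
    return findings


if __name__ == "__main__":
    for role, text in (("internal", INTERNAL_FS_CONFIG), ("proxy", PROXY_CONFIG), ("proxy", INTERNAL_FS_CONFIG)):
        cfg = parse_ls_config(text)
        print(role, cfg["default_auth"], cfg["hrd_cookie_days"], check_role(cfg, role) or "ok")
```

The third run in the usage loop is the case worth catching in practice: an internal web.config copied onto a proxy leaves Integrated as the default for internet-facing users, and the check reports it.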
Web.Config Customizations
C:\inetpub\adfs\ls\web.config
Settings apply to all pages
Screenshots: Default ADFS Sign In Page; Default Home Realm Discovery Page; Default ADFS Sign In Page with custom logo; Default Home Realm Discovery Page with custom logo
Customizing the ASP.Net Pages: FormsSignIn.aspx
Customizing the ASP.Net Pages: including mobile detection based on the user agent string and changing the CSS of the page
Keep Me Signed In (Remember My Username and Password)
Reduce the number of times the user must enter their password
Page encrypts the username and password using the server's certificate
Stores the encrypted blob in a cookie on the device with a timestamp
Replays credentials into the page on load, per policy
Customizing the ASP.Net Pages: HomeRealmDiscovery.aspx
Customizing the ASP.Net Pages: HomeRealmDiscovery.aspx with mobile detection and CSS
The Home Realm Discovery Problems
Application teams want to leverage common infrastructure, so long as they can customize it to fit their exact needs
Requirements from the business owners:
Only show HRD options that a specific application wants
For example, “only Live ID users can access this application”
Reduce page loads and click-throughs: do not render the HRD page unless required
Provide a predictable user experience: always show the same flows, pages, etc.
Do not let the user know they have left the application: look and feel must match the application experience
Solution 1: Co-branded HRD
ASP.Net Page: HRD.aspx
When the service loads the HRD.aspx page, check wtrealm and look up the HRD experience to display
ASP.Net User Control (.ascx)
For each application which requires it, convert their desired page from .aspx to .ascx and load it into a full screen panel in the .aspx page
Note the .aspx page needs a selectWHR method calling SelectHomeRealm()
Examples of Co-branded HRD
All of these are loaded as homerealmdiscovery.aspx
Note that this team did not want all 4 HRD options to be displayed?
That’s a problem…
The Next HRD Problem: Cookies
The HRD Cookies
dXJuOmZlZGVyYXRpb246TVNGVA== (Base64 encoded value: urn:federation:MSFT)
This is the federation service identifier for the claims provider trust partner that the HRD cookie maps to
Solution 2: WHR and the Application Approach
Summarizing the requirements: applications want to own the end-to-end experience completely
So let them do it!
The May release of ADFS Rollup 2 includes fixes to the cookie behavior and WHR values
http://support.microsoft.com/kb/2681584
The new ADFS approach to HRD: we will host our default version; if you want to customize, here are the WHR parameters you need
WHR, WTRealm – Then Wauth???
WTREALM: the identifier of the relying party. Use it as the configuration key for application-specific behaviors
WHR: the identifier of the claims provider. Use it as the configuration key for user-type-specific behavior
Doesn’t it make sense to use WAUTH the same way?
Yes… and no…
The WAUTH parameter lets an application specify basic, integrated, forms, or client cert authentication
Using WAUTH to enable Mobile Devices
Mobile applications, or supporting platforms which are internal to your network but cannot do Windows Integrated Authentication
Configure the web.config file of the application as follows to require forms based authentication
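The resolver below pulls together Solution 1 (look up the HRD experience by wtrealm and offer only that application's options), the HRD cookie slide (the cookie carries the base64 of the claims provider identifier) and the WHR and WAUTH parameters. It is an added Python example, not code from the deck or from ADFS: the relying party registry, claims provider identifiers and query strings are constructed, and the wauth URIs are assumed from the ADFS 2.0 documentation as remembered, so confirm them locally. A whr or cookie value is honoured only when it names a claims provider the federation service trusts and the relying party allows; that check is what keeps a client-supplied parameter or a stale cookie from steering the user to a provider the application never intended.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed registry of relying parties keyed on wtrealm, each listing the claims
# providers its co-branded HRD page may offer.
RELYING_PARTIES = {
    "https://expenses.contoso.example/": {"claims_providers": ["urn:federation:MSFT", "urn:federation:Partner"]},
    "https://partners.contoso.example/": {"claims_providers": ["urn:federation:Partner"]},
}
# Claims provider trusts configured on the federation service (constructed).
CLAIMS_PROVIDERS = {"urn:federation:MSFT", "urn:federation:Partner", "urn:federation:LiveID"}

# wauth values for the authentication types the talk names; the URIs are assumed from
# the ADFS 2.0 documentation as remembered. Confirm against your federation service.
WAUTH_URIS = {
    "urn:oasis:names:tc:SAML:1.0:am:password": "forms",
    "urn:federation:authentication:windows": "integrated",
    "urn:ietf:rfc:2246": "tlsclient",
}


def decode_hrd_cookie(value):
    """The HRD cookie holds the base64 of a claims provider identifier, e.g.
    dXJuOmZlZGVyYXRpb246TVNGVA== -> urn:federation:MSFT. Returns None for garbage."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def resolve_hrd(query_string, hrd_cookie=None):
    """Decide what the HRD page should do for one sign-in request."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    rp = RELYING_PARTIES.get(q.get("wtrealm"))
    if rp is None:
        return {"action": "error", "reason": "unknown wtrealm"}
    allowed = rp["claims_providers"]
    wauth = q.get("wauth")
    if wauth is not None and wauth not in WAUTH_URIS:
        return {"action": "error", "reason": "unsupported wauth"}
    auth = WAUTH_URIS.get(wauth)  # None means the service default for this endpoint

    # 1. The application supplied whr: honour it only if this RP may use that provider.
    whr = q.get("whr")
    if whr is not None:
        if whr in CLAIMS_PROVIDERS and whr in allowed:
            return {"action": "redirect", "claims_provider": whr, "auth": auth}
        return {"action": "error", "reason": "whr not permitted for this relying party"}

    # 2. HRD cookie from an earlier visit: same validation, never trusted blindly.
    remembered = decode_hrd_cookie(hrd_cookie) if hrd_cookie else None
    if remembered in CLAIMS_PROVIDERS and remembered in allowed:
        return {"action": "redirect", "claims_provider": remembered, "auth": auth}

    # 3. Only one option for this application: skip the page (fewer loads and click-throughs).
    if len(allowed) == 1:
        return {"action": "redirect", "claims_provider": allowed[0], "auth": auth}

    # 4. Otherwise render the co-branded page with only this RP's options.
    return {"action": "render", "options": list(allowed)}


if __name__ == "__main__":
    print(resolve_hrd("wtrealm=https%3A%2F%2Fexpenses.contoso.example%2F"))
    print(resolve_hrd("wtrealm=https%3A%2F%2Fexpenses.contoso.example%2F",
                      hrd_cookie="dXJuOmZlZGVyYXRpb246TVNGVA=="))
```

The ordering matters: whr from the application wins over the cookie, which is the "let the application own the experience" approach of Solution 2, while the per-wtrealm allow list still bounds both.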
ADFS Updates for O365
October 2011 and May 2012 Rollups
http://support.microsoft.com/kb/2607496
http://support.microsoft.com/kb/2681584
Resolves some issues, adds some cool new features:
Multiple Issuer Support
Client Access Policies
Congestion Algorithm
Additional Performance Counters
New Claim Types

| Claim Type | Description |
|---|---|
| X-MS-Proxy | Indicates that a user was auth’ed by the FS-P |
| X-MS-Forwarded-Client-IP | IP address of the user. “Best effort”, IPv4 only. |
| X-MS-Client-Application | Protocol used by the end client, e.g. Microsoft.Exchange.ActiveSync, Microsoft.Exchange.Powershell, Microsoft.Exchange.SMTP |
| X-MS-Client-User-Agent | Device type used by an EAS client, e.g. Apple-iPad1C1/812.1, Apple-iPhone/704.11, SAMSUNGSPHD700/100.202, <empty> |
| X-MS-Endpoint-Absolute-Path | Indicates requested endpoint, active vs. passive |
Applying your Security Policies to the Cloud
“I want to block all Exchange online access unless the user is on Corp.”
“I want to block all external access to ExO except for Exchange ActiveSync.”
“I want to block all external ExO access except for executives.”
“Require a certain authentication type if the user is coming from the internet”
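The four policy statements above are expressed in ADFS as relying party authorization rules over the new request-context claims. The following added Python example (not the deck's code and not the ADFS claim rule language) models each statement as a decision over a set of (type, value) claims, so the logic can be tested against constructed claim sets before it is written as rules. The request-context claim type URIs are assumed from memory of the rollup documentation, the group SID and authentication method claim types are the standard ADFS ones, and the corporate egress range, executives group SID and claim sets are constructed. The "best effort, IPv4 only" caveat on X-MS-Forwarded-Client-IP is handled by treating a missing or unparsable address as off-corp.

```python
import ipaddress

# Claim type URIs. The request-context URIs are assumed to match the ADFS documentation
# for the October 2011 rollup (from memory); the other two are the standard ADFS types.
REQUEST_CONTEXT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"
X_MS_PROXY = REQUEST_CONTEXT + "x-ms-proxy"
X_MS_CLIENT_IP = REQUEST_CONTEXT + "x-ms-forwarded-client-ip"
X_MS_CLIENT_APP = REQUEST_CONTEXT + "x-ms-client-application"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
AUTH_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"

# Constructed environment facts.
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
EXECUTIVES_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
TLS_CLIENT_AUTH = "urn:ietf:rfc:2246"  # assumed URI for client-certificate authentication


def is_external(claims):
    """Only the federation server proxy (FS-P) adds x-ms-proxy, so its presence means the
    request came through the internet-facing path."""
    return any(t == X_MS_PROXY for t, _ in claims)


def client_ip_on_corp(claims):
    """Best effort, IPv4 only (per the slide); a missing or unparsable IP counts as off-corp."""
    for t, v in claims:
        if t == X_MS_CLIENT_IP:
            try:
                ip = ipaddress.ip_address(v)
            except ValueError:
                return False
            return ip.version == 4 and any(ip in net for net in CORP_EGRESS)
    return False


# Each policy returns True to permit. Internal requests are never blocked by these rules;
# the conditions bite only when x-ms-proxy is present, the same way a deny rule in ADFS
# would be conditioned on that claim.
POLICIES = {
    "corp_only":           lambda c: not is_external(c) or client_ip_on_corp(c),
    "external_eas_only":   lambda c: not is_external(c) or (X_MS_CLIENT_APP, "Microsoft.Exchange.ActiveSync") in c,
    "external_execs_only": lambda c: not is_external(c) or (GROUP_SID, EXECUTIVES_SID) in c,
    "external_needs_cert": lambda c: not is_external(c) or (AUTH_METHOD, TLS_CLIENT_AUTH) in c,
}


def evaluate(policy_name, claims):
    return "permit" if POLICIES[policy_name](claims) else "deny"


# Constructed claim sets as (type, value) pairs.
INTERNAL_OUTLOOK = [(AUTH_METHOD, "urn:federation:authentication:windows")]
EXTERNAL_EAS = [(X_MS_PROXY, "adfsproxy01"), (X_MS_CLIENT_IP, "198.51.100.7"),
                (X_MS_CLIENT_APP, "Microsoft.Exchange.ActiveSync")]
EXTERNAL_EXEC_OWA = [(X_MS_PROXY, "adfsproxy01"), (X_MS_CLIENT_IP, "198.51.100.8"),
                     (GROUP_SID, EXECUTIVES_SID)]
EXTERNAL_VIA_CORP_EGRESS = [(X_MS_PROXY, "adfsproxy01"), (X_MS_CLIENT_IP, "203.0.113.20"),
                            (AUTH_METHOD, TLS_CLIENT_AUTH)]
EXTERNAL_BAD_IP = [(X_MS_PROXY, "adfsproxy01"), (X_MS_CLIENT_IP, "unknown")]

if __name__ == "__main__":
    for name in POLICIES:
        for label, claims in (("internal", INTERNAL_OUTLOOK), ("eas", EXTERNAL_EAS),
                              ("exec", EXTERNAL_EXEC_OWA), ("egress", EXTERNAL_VIA_CORP_EGRESS)):
            print(f"{name:20} {label:9} {evaluate(name, claims)}")
```

Keeping each statement as its own predicate mirrors how the rules are deployed: one deny rule per requirement, each keyed on the absence or presence of a single claim, which is much easier to audit than one combined condition.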
Enabling 2FA for ADFS using Smartcards
Solution Approach:
Map a security group SID to an OID in the smartcard template
This is the Authentication Assurance feature in Active Directory
Include an option for smartcard logon on the default sign-in page
Add Relying Party Authorization Rules to look for the SID
Combine with Client Access Policy rules from ADFS October 2011 rollup 1
Customize the error.aspx page to allow step-up authentication
Limitation: requires that smartcard be the only RP authorization policy which can result in a Deny Rule
Why Not Just Have Apps Use WAUTH for 2FA?
The default IE user experience does not render anything in the browser behind the credential pop-up
Smartcard and Step-up Authentication
Forms Sign-in page extended with smartcard login option
If the user was already signed in using a password, or is internal and was authenticated with integrated auth (password only), then the RP authorization rule throws error.aspx with an access denied message
The error.aspx page has 2 distinct code paths in the single page, forked on the “Access Denied” string
If wtrealm has a 2FA policy, and the error is access denied, then present step-up authentication
The behavior here is that the user is actually signed out, and the “next” button requests sign-in with the client cert wauth parameter
If the wtrealm does not require 2FA, or the error is not access denied, then this is a general error
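The smartcard step-up flow on the slides above, as an added Python model (not the deck's code and not ADFS itself): Authentication Assurance adds a group SID to the logon only when the certificate came from the mapped smartcard template, the RP authorization rule denies a 2FA relying party unless that SID is present, and error.aspx forks on the "Access Denied" string into either the step-up path (session dropped, "next" re-requests sign-in with the client-cert wauth) or a general error. The template OID, group SIDs, relying party policy and wauth URIs are constructed or assumed as labelled in the code.

```python
# Added model of the smartcard step-up flow (not the deck's code).
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
AUTH_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
TLS_CLIENT_WAUTH = "urn:ietf:rfc:2246"  # assumed wauth URI for client-certificate sign-in
FORMS_WAUTH = "urn:oasis:names:tc:SAML:1.0:am:password"  # assumed wauth URI for forms sign-in

# Constructed: the smartcard certificate template OID, and the group that AD's Authentication
# Assurance feature adds to the logon token when a certificate from that template is used.
SMARTCARD_TEMPLATE_OID = "1.3.6.1.4.1.99999.1.1"
AUTH_ASSURANCE_SID = "S-1-5-21-1111111111-2222222222-3333333333-5678"
DOMAIN_USERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-513"

# Constructed per-wtrealm policy: which relying parties require smartcard (2FA).
RP_POLICY = {
    "https://hr.contoso.example/": {"require_2fa": True},
    "https://wiki.contoso.example/": {"require_2fa": False},
}
ACCESS_DENIED = "Access Denied"


def sign_in(wauth, group_sids, cert_template_oid=None):
    """Claims issued after a sign-in. The assurance SID appears only for a client-cert
    logon whose certificate came from the mapped smartcard template."""
    sids = list(group_sids)
    if wauth == TLS_CLIENT_WAUTH and cert_template_oid == SMARTCARD_TEMPLATE_OID:
        sids.append(AUTH_ASSURANCE_SID)
    return [(AUTH_METHOD, wauth)] + [(GROUP_SID, s) for s in sids]


def rp_authorization(wtrealm, claims):
    """The RP authorization rule: a 2FA relying party denies unless the assurance SID is
    present, whatever the authentication method claims to be. Returns (permitted, message)."""
    policy = RP_POLICY.get(wtrealm)
    if policy is None:
        return False, "Unknown relying party"
    if policy["require_2fa"] and (GROUP_SID, AUTH_ASSURANCE_SID) not in claims:
        return False, ACCESS_DENIED
    return True, None


def error_page(wtrealm, message):
    """error.aspx: two code paths in one page, forked on the 'Access Denied' string."""
    policy = RP_POLICY.get(wtrealm, {"require_2fa": False})
    if policy["require_2fa"] and ACCESS_DENIED in message:
        # Step-up path: the session is dropped and "next" asks for a client-cert sign-in.
        return {"path": "step-up", "signed_out": True,
                "next_request": {"wtrealm": wtrealm, "wauth": TLS_CLIENT_WAUTH}}
    return {"path": "general-error", "message": message}


def walk_through():
    """Password sign-in to a 2FA app -> denied -> step-up -> smartcard sign-in -> permitted."""
    hr = "https://hr.contoso.example/"
    first = sign_in(FORMS_WAUTH, [DOMAIN_USERS_SID])
    ok, msg = rp_authorization(hr, first)
    if ok:
        raise RuntimeError("password sign-in should not satisfy a 2FA relying party")
    page = error_page(hr, msg)
    retry = sign_in(page["next_request"]["wauth"], [DOMAIN_USERS_SID],
                    cert_template_oid=SMARTCARD_TEMPLATE_OID)
    return rp_authorization(hr, retry)


if __name__ == "__main__":
    print(walk_through())
```

The fork on the message string is also where the slide's limitation comes from: any other authorization rule that denies a 2FA relying party would produce the same "Access Denied" text and be routed to step-up, which is why smartcard has to be the only deny-capable policy on such an RP.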
Summary
Leverage CSS and ASP.NET to deliver rich mobile experiences
Use the error.aspx page, with ADFS authorization rules and PKI, to deliver strong authentication
Home Realm Discovery is best left to the applications, but remember WTREALM and co-branding techniques
It IS ABSOLUTELY POSSIBLE to meet the needs of finicky business and application teams and get the security of common authentication infrastructure with ADFS 2.0
SIA, WSV, and VIR Track Resources
DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver
DOWNLOAD Microsoft System Center 2012 Evaluation: microsoft.com/systemcenter
Hands-On Labs
Talk to our Experts at the TLC
Resources
Connect. Share. Discuss.
http://europe.msteched.com
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Resources for Developers
http://microsoft.com/msdn
Evaluations
http://europe.msteched.com/sessions
Submit your evals online
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.