We are using a SAML config in which the ADFS server has both Windows authentication and Forms authentication checked; not working in IE

Issue with re-authenticating an ADFS user within a session; we could not achieve that. We are using ComponentSpace and SAML 2.0, and our application is configured to log in via ADFS. After the user logs in, we have an approval section where the user has to re-enter their ADFS credentials (to comply with GMP standards). We have added a pop-up screen in our application where the user can enter their ADFS credentials again. This works fine in Firefox and Chrome browsers, but in IE it is not working. It doesn't ask for the credentials; it just opens the pop-up, authenticates automatically and approves the item.

We have to resolve this as this does not conform with GMP. We did some analysis and found that ADFS needs to be set up for forms-based authentication so that IE also shows the username/password page instead of the Windows pop-up during log-in, etc.

In this case it is working fine, but we are facing a similar issue with another customer who has a requirement that the ADFS server has both Windows authentication and Forms authentication checked. And we are using almost the same code.

This is an ADFS specific configuration question. We have some ADFS knowledge but we're not ADFS experts.
I suggest asking on the Microsoft forums or, if you have no luck there, asking Microsoft directly.

Hi ComponentSpace team,

We have been advised by our customer to append 'ac:classes:Password' to the URL so that we see the login screen of ADFS instead of getting authenticated automatically. The final URL should be something like the one below.

https://xxxxxxxxxxxxx/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://xxxxxxxxxxxxxx/exk4mzo9ieqYJVr332&RequestedAuthenticationContext=urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Currently, we have the following in our SAML.config
SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

and the code we use for forcing authentication is as below.

using System.Web.Configuration;
using System.Web.Mvc;
using ComponentSpace.SAML2;   // SAMLServiceProvider and SSOOptions live in this namespace

public ActionResult ForceAuthenSignOn(string clientId)
{
    // To login at the service provider, initiate single sign-on to the identity provider (SP-initiated SSO).
    MvcApplication.Log.Info("ForceAuthenSignOn:" + Response);
    string partnerIdP = WebConfigurationManager.AppSettings[AppSettings.PartnerIdP];
    // The redirect URL is carried as the SAML RelayState and is followed once the IdP has responded.
    string redirectUrl = WebConfigurationManager.AppSettings["WebUrl"] + "Saml/ForceAuthenSuccess?clientId=" + clientId;
    // ForceAuthn = true asks the IdP to re-authenticate the user even if it already holds a session for them.
    SAMLServiceProvider.InitiateSSO(Response, redirectUrl, partnerIdP, new SSOOptions() { ForceAuthn = true, AllowCreate = true });
    return new EmptyResult();
}

We already have ForceAuthn = true set in the SSOOptions, but as per the URL we need to end up with, we also need to be able to add 'ac:classes:Password' as the RequestedAuthenticationContext.

Please let us know if this can be achieved using ComponentSpace?

Regards,
Yeswanth

You can specify this in the SSOOptions.RequestedAuthnContexts property that you pass into SAMLServiceProvider.InitiateSSO.
For example:

ssoOptions.RequestedAuthnContexts.Add("urn:oasis:names:tc:SAML:2.0:ac:classes:Password");
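As an added example (my own code, not part of the original thread and not ComponentSpace's sample code), the controller below puts the RequestedAuthnContexts setting from the answer together with the checks a GMP re-authentication step actually needs on the response side: asking ADFS for the Password context makes IE show the forms page instead of silently passing Kerberos, but the service provider still has to verify that what came back was a password authentication, for the same user, in answer to its own request, and then use that fresh proof exactly once. It assumes the PartnerIdP and WebUrl app settings and the Saml/ForceAuthenSuccess route from the question, a Session["UserName"] entry holding the originally signed-in user, a two-minute freshness window as the GMP policy value, and the SAMLServiceProvider.ReceiveSSO overload that returns the assertion's authentication context (per ComponentSpace's SAML v2.0 for ASP.NET API as I recall it; confirm the overload against your installed version).

```csharp
using System;
using System.Collections.Generic;
using System.Web.Configuration;
using System.Web.Mvc;
using ComponentSpace.SAML2;   // SAMLServiceProvider, SSOOptions (namespace assumed)

public class SamlController : Controller
{
    private const string PasswordContext = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password";
    private static readonly TimeSpan ReAuthWindow = TimeSpan.FromMinutes(2); // assumed GMP policy value

    // User the session was originally signed in as; the session key name is an assumption.
    private string CurrentUserName
    {
        get { return Session["UserName"] as string; }
    }

    // Step 1: SP-initiated AuthnRequest with ForceAuthn and an explicit Password authn context.
    public ActionResult ForceAuthenSignOn(string clientId)
    {
        string partnerIdP = WebConfigurationManager.AppSettings["PartnerIdP"];
        string relayState = WebConfigurationManager.AppSettings["WebUrl"]
            + "Saml/ForceAuthenSuccess?clientId=" + Uri.EscapeDataString(clientId ?? "");

        var ssoOptions = new SSOOptions { ForceAuthn = true, AllowCreate = true };
        ssoOptions.RequestedAuthnContexts.Add(PasswordContext);

        SAMLServiceProvider.InitiateSSO(Response, relayState, partnerIdP, ssoOptions);
        return new EmptyResult();
    }

    // Step 2: assertion consumer service. The response only counts as a re-authentication if it
    // answers our request, was issued at the Password context, and names the already signed-in user.
    public ActionResult AssertionConsumerService()
    {
        bool isInResponseTo;
        string partnerIdP, authnContext, userName, relayState;
        IDictionary<string, string> attributes;

        // Overload with the authnContext out parameter: assumed, see lead-in.
        SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP,
            out authnContext, out userName, out attributes, out relayState);

        string failure = CheckReAuthentication(isInResponseTo, authnContext, userName, CurrentUserName);
        if (failure != null)
        {
            // Fail closed: an IdP-initiated or Windows-authenticated assertion must not approve anything.
            return new HttpStatusCodeResult(403, failure);
        }

        Session["ReAuthAt"] = DateTime.UtcNow;

        // RelayState round-tripped through the browser; only follow it back into this application.
        string webUrl = WebConfigurationManager.AppSettings["WebUrl"];
        if (string.IsNullOrEmpty(relayState) || !relayState.StartsWith(webUrl, StringComparison.Ordinal))
        {
            return new HttpStatusCodeResult(400, "Unexpected RelayState");
        }
        return Redirect(relayState);
    }

    // Step 3: the approval step consumes the fresh re-authentication exactly once.
    public ActionResult ForceAuthenSuccess(string clientId)
    {
        var reAuthAt = Session["ReAuthAt"] as DateTime?;
        Session.Remove("ReAuthAt");
        if (!IsFresh(reAuthAt, DateTime.UtcNow))
        {
            return new HttpStatusCodeResult(403, "Re-authentication required");
        }
        // Record the approval of clientId by CurrentUserName at reAuthAt here (application specific).
        return RedirectToAction("Index", "Approvals");
    }

    // Pure policy helpers, kept static so they can be unit tested without an HTTP context.
    public static string CheckReAuthentication(bool isInResponseTo, string authnContext,
                                               string assertedUser, string sessionUser)
    {
        if (!isInResponseTo)
            return "Unsolicited (IdP-initiated) response is not a re-authentication";
        if (!string.Equals(authnContext, PasswordContext, StringComparison.Ordinal))
            return "IdP did not authenticate with a password: " + authnContext;
        if (!string.Equals(assertedUser, sessionUser, StringComparison.OrdinalIgnoreCase))
            return "Re-authenticated as a different user";
        return null;
    }

    public static bool IsFresh(DateTime? reAuthAt, DateTime now)
    {
        if (!reAuthAt.HasValue) return false;
        TimeSpan age = now - reAuthAt.Value;
        return age >= TimeSpan.Zero && age <= ReAuthWindow;
    }
}
```

The authnContext check is the part that actually closes the IE problem: if an ADFS instance with both Windows and Forms authentication enabled decides to honour the Kerberos ticket anyway, the assertion comes back with a Windows or Kerberos class reference rather than Password, and the approval is refused instead of silently going through. Checking isInResponseTo stops a user from satisfying the step with a bookmarked idpinitiatedsignon.aspx response, and comparing the asserted user against the session user stops one person approving under another person's credentials.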