
ADFS interaction problems with Server 2019 / ADFSv4

Open sbidy opened this issue 4 years ago • 5 comments

Derived Issue @adildhar:

The privacyIDEA-ADFSProvider plugin is configured as an additional authentication provider for ADFS. The ADFS is level 4 on Windows 2019. We have configured admin credentials in config.xml for challenge/response and are using it for OTP SMS tokens. While it is working with auto-registration for users using an event handler policy, in 6 out of 10 requests the username is not passed on after OTP validation.

sbidy avatar Apr 28 '20 08:04 sbidy

@adildhar - can you please give some more details about the implementation?

  • Provider Version:
  • PrivacyIDEA Version:
  • Messages in the Windows Event Manager (see README):
  • PrivacyIDEA Policy definition:

sbidy avatar Apr 28 '20 09:04 sbidy

Provider Version: 1.3.6.0
PrivacyIDEA Version: 3.3
Messages in the Windows Event Manager:

  triggerChallenge: The remote server returned an error: (400) Bad Request. System.Net.WebException: The remote server returned an error: (400) Bad Request.
    at System.Net.WebClient.UploadValues(Uri address, String method, NameValueCollection data)
    at privacyIDEAADFSProvider.OTPprovider.triggerChallenge(String OTPuser, String realm, String token)

  An authentication provider was successfully loaded: Identifier: 'privacyIDEA-ADFSProvider', Context: 'Proxy device TLS pipeline'

PrivacyIDEA Policy definition:
  Events: Validate_Check, validate_triggerChallenge
  Handler: Token pre 0
  User_token_number: 0
  Action: Enroll
  TokenType: SMS

adharsp avatar Apr 28 '20 18:04 adharsp

Can you briefly explain what your workflow looks like? My understanding is:

  1. User logon without an SMS-OTP deployed
  2. A challenge will be triggered to the PrivacyIDEA
  3. The PrivacyIDEA Policy catches the challenge and enrolls an SMS token because the user "token number" is 0 (no token was deployed).
  4. Then the user should get the SMS because of the enrollment via policies
  5. The user takes the token and logs on with that

Logon -> Trigger -> (if user token=0) -> Enroll -> send OTP to user

Is that correct? I would like to test this setup in my dev environment.

sbidy avatar Apr 29 '20 07:04 sbidy
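The trigger/check exchange from the workflow above, plus surfacing the body of the 400 that the event log earlier in the thread reports only as a bare WebException, as an added Python example that is not part of the provider's code: the host name, the use of the Authorization header for the admin token, and the JSON layout (result.status, result.error, detail.transaction_id) are my assumptions about the privacyIDEA /validate API, and the transport is injectable so the flow can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

PI_URL = "https://privacyidea.example.com"  # assumed base URL; the issue names no host

class PrivacyIdeaError(Exception):
    """Carries the error code and message privacyIDEA puts in the JSON body."""

def http_post(url, form, headers):
    """Default transport: form-POST, returning (status, body) even on 4xx/5xx
    so the JSON error body is not lost the way a bare WebException loses it."""
    req = urllib.request.Request(url, urllib.parse.urlencode(form).encode(), headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def pi_call(path, form, auth_token, send=http_post):
    """POST to a privacyIDEA endpoint; `send` is injectable so the flow runs offline.
    Raises PrivacyIdeaError with result.error (assumed layout) on any failure."""
    headers = {"Authorization": auth_token} if auth_token else {}
    status, body = send(PI_URL + path, form, headers)
    try:
        payload = json.loads(body)
    except ValueError:
        raise PrivacyIdeaError(f"HTTP {status} with non-JSON body: {body[:200]!r}")
    result = payload.get("result", {})
    if status >= 400 or not result.get("status", False):
        err = result.get("error", {})
        raise PrivacyIdeaError(f"HTTP {status}: {err.get('code')} {err.get('message')}")
    return payload

def trigger_challenge(user, realm, auth_token, send=http_post):
    """Step 2: /validate/triggerchallenge, authenticated with the admin token the
    provider obtains from /auth. Returns the transaction_id for the follow-up check."""
    payload = pi_call("/validate/triggerchallenge", {"user": user, "realm": realm},
                      auth_token, send)
    return payload.get("detail", {}).get("transaction_id")

def check_otp(user, realm, otp, transaction_id, send=http_post):
    """Step 5: /validate/check with the SMS OTP and the transaction_id; True only
    when the server's result.value is true (no auth token needed for this call)."""
    payload = pi_call("/validate/check", {"user": user, "realm": realm, "pass": otp,
                      "transaction_id": transaction_id}, None, send)
    return payload.get("result", {}).get("value") is True
```

With the real transport, a 400 from triggerchallenge is reported with the server's own code and message instead of just the status line.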

Yes, exactly the same as explained by you. It is working, as I already have user tokens generated for users. The issue seems to be from the 2019 ADFS side. It doesn't trigger the OTP every time. I guess we need an access policy for the relying trust.


adildhar avatar Apr 29 '20 08:04 adildhar

Thank you for the feedback. I'll try to reproduce this within my test environment.

If you run the provider in a non-productive test setup, you can install the 1.3.7 Debug version to readout some additional messages.

Links: Debug HowTo, Debug Version

sbidy avatar Apr 30 '20 15:04 sbidy