Solved

Identity Provider initiated Sign-on

Posted on 2014-01-21
763 Views
Last Modified: 2015-09-29
Hi all,

I'm implementing ADFS for a third party service which doesn't support Service Provider initiated sign on. The sign-on works fine when it is initiated from the IdP (ADFS).

The problem I'm facing is that when doing IdP initiated sign-on we need to expose the list of all third party trusts we have configured on ADFS, and this is not acceptable from a security point of view. Currently the page allows Anonymous authentication. Is there any way of protecting /adfs/ls/IdpInitiatedSignOn.aspx using Windows Authentication, but without impacting any Service Provider initiated sign-on?

A possible solution I thought about is to create a separate ADFS farm, which will only be used for the particular service I require federation to, and which doesn't support SP initiated SSO. The farm will not be accessible from the internet, so it satisfies the security requirement. Is this a viable solution? I could not find anywhere on the internet anything which states that multiple farms are supported by Microsoft. I know they work (because I've implemented a similar solution), but I don't know if such a topology is supported by Microsoft. Any pointer in the right direction?

Thanks
0
Comment
Question by:jimbobrocks
13 Comments
 
LVL 12

Expert Comment

by:piattnd
ID: 39798481
I'm not quite sure what you're asking here.  Can you elaborate a bit more?  Are you saying that by "exposing" you mean showing a dropdown list of the relying party trust name?

I actually created a piece of code that allowed you to hide relying party trusts from the drop down so the user couldn't select them from the list.  We did this so development could put in as many relying parties they wanted to without having to junk up the list.

Is that what you're looking for?
0
 

Author Comment

by:jimbobrocks
ID: 39799399
Hi Piattnd,

Yes, by exposing I mean showing the relying party trust name. We already have the page customised to hide the relying party trust, but if we need to support IdP supported sign-on, I assume the end user requires a view which shows all the parties they can use for sign-on.

So my question is, instead of hiding the list, is it possible to protect it via a form of authentication (Windows or Forms authentication), so that the user needs to prove his identity before accessing the list of parties?

Let me know if you need any additional info.
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39800560
Here's the solution we had setup at my previous place:

Any relying party we did NOT want to appear for user selection in the drop down list at the ADFS IDP selection screen, we appended "--" to the front of the relying party display name.  We had code on the IDP selection screen that would go through each relying party trust and only add them to the dropdown IF they did not contain "--".  We did not hide the dropdown, as we needed users to be able to initiate IDP sign in to certain locations.

I do not have access to the environment anymore to test changing the authentication on that particular page, but my guess is something will not function properly (or at least not satisfactory).

You are correct that the user will need to have access to the relying party entry in order to launch the application from the ADFS website.

Example of what we had setup:

ADFS Configuration page shows the following relying party trusts (display names):
Website1
--devWebsite2
--devWebsite3
--Website4
Website5

The IDP signon website for ADFS shows a dropdown with the following relying party trusts available for selection:
Website1
Website5

Does that sound like the solution you're looking for?
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39800569
On a side note, you are indicating that you want the user to "prove their identity" before they get to the relying party screen:

If you are accessing everything internally, there is already authentication taking place.  If you want to change this authentication type, you can create a login form and enable form based authentication, but it will be quite a bit of code to ensure they cannot access any other section of the ADFS website before they authenticate.

In our environment, we wanted our users to NOT be asked for another set of credentials, because they were already logged in, so we told IE to use the current set of credentials when authenticating.  Authentication is still taking place, but it's not something the user can see.  It has its own security flaws, sure, but that was something the company was OK dealing with.
0
 

Author Comment

by:jimbobrocks
ID: 39802354
Hi Piattnd,

Thanks for your replies. Can you point me in the direction where I can find the code? I think your solution is the correct one, but I don't know how it can be implemented in the code.

Cheers
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39805155
I'll see if I can find the specific area we changed and get back to you.
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39812187
I haven't forgotten about this, still waiting for a response from a previous client/friend with the code example I did for them.
0
 

Author Comment

by:jimbobrocks
ID: 39828475
Thanks Piattnd! Let me know if you can get the code, or at least give me some directions.
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39829750
I'm working on getting the code file, but I'm pretty sure it's all done in the idpinitiatedsignon.aspx file.  The guy is supposed to send it to me this morning.  Basically, the IDPInitiatedSignOn.aspx file is the page that you see with the drop down list of your relying party trusts.  When you open that file in visual studio express web (2010 preferred), you will see the .CS (code behind) file that handles the actions for the page.

When you did your install for ADFS, did you opt for the SQL database or did you go with the windows internal database?  This particular customer was running with the windows internal, but the concept is in the CS file, you connect to the database and query the list of relying party trusts you've established.  I believe there are 2 values you can retrieve, one being the name of the relying party trust.  That is the value you want to look at and apply your logic for which relying parties you do not want to display to end users.  In my customer's case, we appended "--" to the display name, so anything that started with "--" would not be displayed.  I do recall that we ran into some issues implementing this same code from the front end ADFS server, but that page was only used for SSO requests originating outside our network (meaning the customer was at home trying to use a work resource without VPN).

I should be getting this file today, so hopefully I'll be able to post the entire example of filtering out the relying parties.  Sorry it's taking so long!
0
 
LVL 12

Accepted Solution

by:
piattnd earned 500 total points
ID: 39830035
** IMPORTANT **  Backup your original site files in case you need to reverse your changes.

In the ASPX file, you have the following bit of code, which is the drop down for the relying party list:

<asp:DropDownList ID="RelyingPartyDropDownList" DataTextField="Name" DataValueField="Id" Visible="False" runat="server"/>

In the .CS file, I added the following to the "Page_Init" method:

    protected void Page_Init( object sender, EventArgs e )
    {
        PopulateConditionalVisibilityControls();

        // RelyingParties is the table of configured relying party trusts that the
        // stock page already loads; each row carries the display "Name" and the "ID".
        foreach (System.Data.DataRow row in RelyingParties.Rows)
        {
            string rpFriendlyName = row["Name"].ToString();
            string rpURL = row["ID"].ToString();

            // Any trust whose display name contains the "--" marker is left out of
            // the dropdown; everything else is added (inserted at the top).
            if (rpFriendlyName.Contains("--"))
            {
                continue;
            }

            RelyingPartyDropDownList.Items.Insert(0, new ListItem(rpFriendlyName, rpURL));
        }

        UpdateText();
    }

The code checks for the presence of "--", but you can change this to whatever characters you want to check for.  If you have more than 1 ADFS server, you'll want to make sure you update the ASPX and CS files on each server so they use the same logic.

Let me know if you have any questions.  And please, back up those files prior to changes :)
0
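As an added example (not code from this thread), here is a PowerShell check an administrator can run on an ADFS server to list which relying party trusts the "--" convention above would hide from the dropdown and which would still be shown, so the naming can be verified before and after the page edit on every server in the farm. It assumes the ADFS cmdlets are available (the Microsoft.Adfs.PowerShell snap-in on ADFS 2.0, the ADFS module on later versions) and that the page filter uses the same Contains("--") test as the Page_Init code.

```powershell
# Added audit script, not part of the original thread or the ADFS product.
# Lists relying party trusts split into "shown" and "hidden" according to the
# "--" display-name marker used by the Page_Init filter.

# ADFS 2.0 exposes the cmdlets through a snap-in; later versions through a module.
if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

$marker = '--'   # same marker the page code checks with Contains("--")

$trusts = Get-AdfsRelyingPartyTrust | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Identifier = ($_.Identifier -join ', ')
        Enabled    = $_.Enabled
        # Mirrors the page's Contains check: hidden if the marker appears anywhere in the name
        Hidden     = $_.Name.Contains($marker)
    }
}

'Shown in the IdP-initiated sign-on dropdown:'
$trusts | Where-Object { -not $_.Hidden } | Format-Table Name, Identifier, Enabled -AutoSize

# Hiding an entry only removes it from the dropdown; the trust itself stays
# configured and enabled, so review this list as well.
'Hidden from the dropdown (trust still configured):'
$trusts | Where-Object { $_.Hidden } | Format-Table Name, Identifier, Enabled -AutoSize
```

Run it on each ADFS server after deploying the modified ASPX and CS files to confirm the same trusts are hidden everywhere.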
 
LVL 12

Expert Comment

by:piattnd
ID: 39830056
Also, changes to the ASPX and CS file will NOT impact the ability for ADFS to process SSO requests, though the website portion will be down so users would not be able to go to the ADFS page and initiate an IDP sign on.
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39913432
Were you able to implement or test this?
0
 

Expert Comment

by:netjammer
ID: 41016217
Hi piattnd,

Was the code edit solution you implemented performed on ADFS 2.0 or 3.0?

Thanks,
netjammer
0
