SGTA14
ADFS and MFA
Dear Experts,
We are running an ADFS Server 2012 R2 in combination with the Azure Microsoft Multi-Factor Authentication Server (it's the on-premises version of the MFA server).
We use both of these servers to authenticate our users to Salesforce. Right now, we say that all unregistered devices and all users coming from an external source must go through the MFA server.
Please see the screenshot attached.
The location tag isn’t working at all. So, my first question is, where can I define what the internal source is? I would like to include the internal IP-range to it.
Please note that we are using ADFS without a Web Application Proxy.
My second question is, how can I register devices to ADFS? Because we mainly connect to Salesforce from our RDS servers. If I could register the RDS servers to ADFS, then I don't care about the location tag.
Thanks SGTA14
You need a WAP server in order to distinguish internal/external clients. Otherwise the corresponding claim (http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork) will always have the "true" value. You might be able to distinguish based on IP (http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip) too, which requires you to properly populate every range.
ASKER
Can I install the WAP server on the ADFS server or on the MFA server?
ASKER
I would like to add the following claim rule:
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
But where do I define the IP range?
(screenshot attached: Bildschirmfoto-2017-05-19-um-16.55.1.png)
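As an added example (not code from any post in this thread), this is one way to express the IP-based rule the expert describes and the asker is looking for: an additional authentication rule that triggers MFA whenever the client-IP claim does not match an internal range. The ranges 10.0.0.0/16 and 192.168.1.0/24 and the relying-party name "Salesforce" are placeholders to replace with your own; the regex self-check runs in PowerShell's .NET regex engine, the same engine AD FS uses for `=~`.

```powershell
# Added example, not from the thread. Internal ranges below are placeholders
# (10.0.0.0/16 and 192.168.1.0/24); replace them with your own and keep the
# ^ and $ anchors so that e.g. 100.0.1.1 does not match the 10.0.x.x range.
$internalIpRegex = '^(10\.0\.\d{1,3}\.\d{1,3}|192\.168\.1\.\d{1,3})$'

# Sanity-check the pattern before touching AD FS (same .NET regex engine).
# Addresses are constructed test values.
$expected = @{
    '10.0.12.34'    = $true    # inside 10.0.0.0/16
    '192.168.1.200' = $true    # inside 192.168.1.0/24
    '100.0.12.34'   = $false   # would match an unanchored "10\.0" pattern
    '192.168.2.1'   = $false   # outside 192.168.1.0/24
    '203.0.113.5'   = $false   # external (documentation address range)
}
foreach ($ip in $expected.Keys) {
    if (($ip -match $internalIpRegex) -ne $expected[$ip]) {
        throw "Regex check failed for $ip"
    }
}

# Claim rule language: when no client-IP claim matches an internal range, issue
# the multipleauthn authentication-method claim, which makes AD FS invoke the
# registered MFA provider (here the on-premises Azure MFA Server adapter).
# Without a WAP, x-ms-client-ip is the address of the connecting client itself;
# if a load balancer or reverse proxy sits in front of AD FS you would see its
# address instead, so verify the claim value from a known client first.
$rule = @"
@RuleName = "Require MFA when client IP is outside internal ranges"
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip",
            Value =~ "$internalIpRegex"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Apply to every relying party ...
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rule

# ... or only to the Salesforce trust (the display name is an assumption):
# Set-AdfsRelyingPartyTrust -TargetName "Salesforce" -AdditionalAuthenticationRules $rule
```

A rule set this way replaces the "Extranet" location checkbox from the screenshot; the "Unregistered devices" condition is separate and still depends on device registration, which the thread does not resolve.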
ASKER
Here is the screenshot which I mentioned in my first post.
(screenshot attached: Bildschirmfoto-2017-05-19-um-14.42.1.png)