ADFS interaction problems with Server 2019 / ADFSv4

[sbidy]

Derived Issue @adildhar:

The ideaprovacy-adfsprovider plugin is configured as additional
authentication provider for adfs. The Adfs is level 4 with Windows 2019. We
have configured admin credentials in config.xml for challenge/response and
are using for otp sms token. While it is working with auto-registration for
users using event handler policy but in 6 out of 10 requests the username
is not passed on after otp validation.

[sbidy]

@adildhar - can you please give some more details about the implementation?

• Provider Version:
• PrivacyIDEA Version:
• Messages in the Windows Event Manger (see README):
• PrivacyIDEA Policy definiton:

[adharsp]

Provider Version: 1.3.6.0
PrivacyIDEA Version: 3.3
Messages in the Windows Event Manger :
triggerChallenge: The remote server returned an error: (400) Bad Request.
System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.UploadValues(Uri address, String method, NameValueCollection data)
at privacyIDEAADFSProvider.OTPprovider.triggerChallenge(String OTPuser, String realm, String token)

An authentication provider was successfully loaded: Identifier: 'privacyIDEA-ADFSProvider', Context: 'Proxy device TLS pipeline'

PrivacyIDEA Policy definiton:
Events: Validate_Check, validate_triggerChallenge
Handler: Token pre 0
User_token_number: 0
Action: Enroll
TokenType: SMS

[sbidy]

Can you shortly explain how your workflow looks like?
For my understanding it is:

1. User logon without an SMS-OTP deployed
2. A challenge will be triggert to the PrivacyIDEA
3. The PrivacyIDEA Policy catches the challenge and enrolls an SMS token because the user "token number" is 0 (no token was deployed).
4. Then the user should get the SMS because of the enrollment via policies
5. The user takes the token and logos on with that

Logon -> Trigger -> (if user token=0) -> Enroll -> send OTP to user
Is that correct? I would like to test this setup in my dev environment.

[adildhar]

Yes, exactly the same as explained by you. It is working as I already have user tokens generated for users. The issues seems to be from 2019 ADFS side. It doesn't trigger otp everytime. I guess we need an access policy for the relaying trust.

…

On Wed, Apr 29, 2020, 10:44 AM Stephan Traub ***@***.***> wrote: Can you shortly explain how your workflow looks like? For my understanding it is: 1. User logon without an SMS-OTP deployed 2. A challenge will be triggert to the PrivacyIDEA 3. The PrivacyIDEA Policy catches the challenge and enrolls an SMS token because the user "token number" is 0 (no token was deployed). 4. Then the user should get the SMS because of the enrollment via policies Logon -> Trigger -> (if user token=0) -> Enroll -> send OTP to user Is that correct? I would like to test this setup in my dev environment. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#38 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABAORMA47E77CV5Y3T7IE33RO7LGNANCNFSM4MSUHIBA> .

[sbidy]

Thank you for the feedback. I'll try to reproduce this within my test environment.

If you run the provider in a non-productive test setup, you can install the 1.3.7 Debug version to readout some additional messages.

Links:
Debug HowTo
Debug Version