Active Directory
Login hint for SAML-based application
Provide login_hint forwarding for the WS-SAML protocol and from WS-SAML to the WS-Fed protocol
5 votes -
Force select groups to forms authentication in ADFS
There exists a scenario with ADFS and SSO-based apps (including 365) where there is a common user logged into their PC but they need to access their webmail. However, it detects the logged-in user and wants to leverage WIA. The current workaround is to do a REGEX and push a user agent string to those impacted PCs to not perform WIA, which results in Forms Auth. However, with Microsoft pushing Edge and Chromium going towards client hints, this band-aid is slowly losing its adhesive.
Ideally it would be nice to specify a group and force them to forms based…
2 votes -
Build ADFS 2019 Plug-in to allow user authentication requiring Azure MFA to be bypassed when internet access is down
My company uses O365, AD FS 2016 and Azure AD. Recently our internet provider had repeated outages where the AD FS servers' access to the internet was compromised. This was an unavoidable outage for users on our internal network, but since O365 leveraged Azure MFA in a CA policy, external users could not get to O365 resources because they could not do MFA at ADFS. I want to create a plugin that checks for access to Azure MFA; if it fails, it places a default hardcoded claim in the token package validating MFA but raising a Risk factor which will…
4 votes -
Change Get-ADFSAccountActivity to return all users in ADFS Activity database
Change Get-ADFSAccountActivity to return all users in the ADFS Activity database, e.g. by supporting an -All parameter. Then users that have triggered lockout or failed a given number of times can be searched for using PowerShell. Currently users have to be retrieved one by one, which is tedious at best.
6 votes -
Specify primary authentication method per relying party
Not being able to specify primary authentication method per relying party is something I run into all the time. Can you please fix this? More and more vendors support SAML-based authentication and ADFS but none of them have a way of requesting Certificate Authentication as a primary authentication method. I do not want to change this on a global level, because we have other relying parties which use WIA. I'm guessing you have everything you need for this already, please fix!
34 votes -
Support User preferences for using MFA as primary authentication method
Support other methods using MFA for Primary Authentication, based on what the user's preferences are (as setup in aka.ms/mfasetup)
2 votes -
ADFS + Azure SQL Managed Instances Supportability
Add supportability for extending AD FS in Azure using Azure SQL Managed Instance to host the database.
15 votes -
Add Alert before Token Signing and Token Decryption auto renewed
My customer experienced several outages during ADFS Token Signing and Token Decryption certificates automatically renewing. Thus, they really hope that the Microsoft PG can add alert functionality: if AutoCertificateRollover is true, alerts will be sent when those two certificates are issued automatically by the system and before they are promoted to Primary Certificates.
3 votes -
Have ADFS display 'last login' information when users log in using FBA
When logging in through ADFS forms-based authentication, the user is only prompted to enter their credentials; they aren't given any way to know when the last time they did so was. Many web sites offer this feature to allow a user to know when, from where, and from which device they last logged in, so they can report any anomalies to the powers that be. ADFS should have such a feature.
1 vote -
Allow AD FS to fall back to Forms-based authentication if Windows Integrated Authentication fails
Currently, if a browser-based user comes to the AD FS sign-in page, AD FS can only decide whether to use integrated authentication by looking at the browser's user agent string. However, there are cases where not all users arriving at the AD FS sign-in page can perform a Kerberos login - they might be within the IP range of the "internal" part of AD FS (in a split-brain DNS configuration) but the client may not be domain joined for various reasons, for example wireless users using BYOD. For these users Kerberos fails and it falls back to NTLM/Basic auth…
68 votes -
SAML <Subject> from AuthnRequest
Allow RPs to specify a SAML <Subject>. When the RP knows the user, ADFS could then pre-populate the username field on the login page.
3 votes -
AD FS support for inline registration for Azure MFA
It would improve the user experience a lot if AD FS supported inline user provisioning for Azure MFA. It is inconvenient that users must do this separately and not in the app.
E.g. Microsoft Intune has this integrated in the provisioning process. Also, the error message for users who are not provisioned is too general and not informative at all.
More info in the paragraph "Registering users for Azure MFA with AD FS 2016":
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa
5 votes -
ADFS and Claims Rule Language Reference
We need a comprehensive syntax and semantics reference for the Claims Rule Language. I know there are operators besides ==, ~=, EXISTS and such, which are not covered here, and this link is by far the most comprehensive one available:
http://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx
10 votes -
AD FS should not require Domain Admin privileges
Right now in Windows Server 2012 R2 you are required to present Domain Admin credentials while installing. This is not an option when AD FS and AD DS are supported by separate teams - it exposes Domain Admin credentials to persons who are not allowed to know them.
This was not the case for AD FS 2.0 - please remove the need for DA privileges to be entered at the AD FS server.
16 votes -
ADFS should support SQL Azure
Please add support to use SQL Azure as DB. Would open up some easy HA scenario deployments for ADFS.
5 votes -
Join domain
Add the setting of the ACL for domain join to the "New-ADComputer" cmdlet.
In MMC it is possible to create a computer AD account and set "The following user or group can join this computer to a domain".
It would be nice to have this in New-ADComputer.
5 votes -
ADFS Custom Branding of "Password Changed" page
It would be nice if we could put some custom text/links on the password change page that is shown to users after they change their password.
9 votes -
AD FS should support user consent options
AD FS should support a user consent option besides the now provided admin consent only.
We'd like to use AD FS as a Federation Service with external parties, which is possible for single external targets, but not for bigger federations like InCommon, SWITCH or similar, since an admin cannot decide which attributes a user wants to release to a service provider. Especially not when the users (as in our case) are students and employees.
Other implementations of federated authentication such as Shibboleth 3 or Thinktecture Identity Server 3 do support user consent. Online authentication providers (Facebook, Live, Google, etc.) also…
24 votes -
AD FS should support EntityDescriptor_s Metadata
AD FS currently only supports single-entity metadata files, which works well for local applications but does not work for federation with InCommon, SWITCH, DFN, etc.
It would be good to see support for multi-entity metadata files, to get a truly interoperable product.
19 votes