
I have made a custom authentication provider for AD FS MFA.

I have defined an authentication method claim in the metadata:

public string[] AuthenticationMethods
{
    get { return new string[] { "https://schemas.microsoft.com/ws/2012/12/authmethod/otp" }; }
}

I also have a TryEndAuthentication method (this is only for lab purposes, I will change the hardcoded pin once this part works):

public IAdapterPresentation TryEndAuthentication(IAuthenticationContext context, IProofData proofData, System.Net.HttpListenerRequest request, out System.Security.Claims.Claim[] claims)
{
    claims = null;
    IAdapterPresentation result = null;
    string pin = proofData.Properties["pin"].ToString();
    if (pin == "12345")
    {
        System.Security.Claims.Claim claim = new System.Security.Claims.Claim("https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", "https://schemas.microsoft.com/ws/2012/12/authmethod/otp");
        claims = new System.Security.Claims.Claim[] { claim };
    }
    else
    {
        result = new AdapterPresentation("Authentication failed.", false);
    }
    return result;
}

But when I deploy this in my AD FS it gives me this error when I sign on correctly: The Authentication provider did not return an authentication method claim

Does anyone know what went wrong?

EVDS
  • Can you please confirm which version of AD FS you used for your adapter? – maweeras Apr 09 '20 at 12:57
  • I work with Windows Server 2019 AD FS. Do you mean that my adapter .NET framework might be incompatible with my .NET framework on my server? – EVDS Apr 09 '20 at 13:22

1 Answer


I figured it out. The URI for the schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod claim should use http. Not https.

You should change the lines below

if (pin == "12345")
{
    System.Security.Claims.Claim claim = new System.Security.Claims.Claim("https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", "https://schemas.microsoft.com/ws/2012/12/authmethod/otp");
    claims = new System.Security.Claims.Claim[] { claim };
}

to

if (pin == "12345")
{
    System.Security.Claims.Claim claim = new System.Security.Claims.Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", "https://schemas.microsoft.com/ws/2012/12/authmethod/otp");
    claims = new System.Security.Claims.Claim[] { claim };
}

and then it will work.

I made this same mistake when I copied the sample adapter code from https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method

I have submitted the https://github.com/MicrosoftDocs/windowsserverdocs/pull/4165 correction on GitHub which should get committed soon.

maweeras