
Question

Force Re-authentication with ADFS

asked on October 4, 2018

A client of ours has raised a question regarding ADFS integration with LFDS. They mentioned that when LFDS makes a SAML authentication call to ADFS, is there a way to force re-authentication every time LFDS makes a call to ADFS after the initial connection? They have asked whether there is an attribute or claims rule we can set to enforce this, as they mention this cannot be set on the ADFS side and must be set on the relying party side during the SAML assertion. Thanks.

0 0

Answer

APPROVED ANSWER
replied on April 27, 2021

You do configure this on the AD FS side as a Per Relying Party Trust setting.

It's a Relying Party Trust property called AlwaysRequireAuthentication. See example below.

Because this is an AD FS configuration option, it applies to both self-hosted Laserfiche systems with LFDS as well as Laserfiche Cloud.

Set-AdfsRelyingPartyTrust -TargetName "$NameOfYourRPTrust" -AlwaysRequireAuthentication $true

Resources:

  1. Active Directory Federation Services (#ADFS) Single Sign On (SSO) and token lifetime settings
  2. PowerShell Documentation: Set-AdfsRelyingPartyTrust
  3. .NET Documentation: RelyingPartyTrust.AlwaysRequireAuthentication Property
[Image: ADFS-AlwaysRequireAuthentication.png]
1 0
replied on August 18, 2022

Hi Samuel,

We have a customer (ADFS on-prem with LF Cloud) who seems to be requesting this same functionality.

Just to confirm I'm understanding this correctly, enabling AlwaysRequireAuthentication on the relying party trust for Laserfiche will require the user to re-enter their credentials if they log out of Laserfiche and attempt to log back in, even if the SSO/SAML token is still active, correct?

0 0
replied on August 18, 2022

Hi Robert, 

That's correct. When the user attempts to log back into Laserfiche with the AD FS auth option, LFDS generates a SAML request with the entityID associated with the Relying Party Trust and sends it to AD FS. Normally, if the user still has a valid AD FS session, AD FS will send LFDS a SAML response without requiring the user to reauthenticate first. When AlwaysRequireAuthentication is enabled for the Relying Party Trust, AD FS ignores any existing SSO cookies and will always prompt the user to authenticate before returning the SAML response to LFDS.

This blurb from another site explains it nicely:

1 0
replied on August 18, 2022

Thanks Samuel!

1 0

Replies

replied on October 4, 2018

Can you give us more details on what they're concerned about? LFDS only communicates with ADFS to get a usable authentication token.

0 0
replied on October 9, 2018

Hi Miruna, I have reached out to our client to clarify what their concerns are, and this is their reply:


We currently have multiple RP in the ADFS and multiple SP in our Shibboleth. Therefore, we need the RP/SP to request reauthentication every time. The SAML attribute should be forceAuthn

We’ll check with Microsoft to see if we can force this in the ADFS server.  To my understanding, for ADFS, 2FA can be disabled/enabled based on IP and User Group settings.


They will also check with Microsoft to see whether this can be forced on the ADFS server, but would like to know with LFDS as an RP, if the RP can request reauthentication every time. Thanks

0 0
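As an added example (not code from this thread, from Laserfiche, or from Microsoft), this shows the SAML side of the two mechanisms discussed: the `ForceAuthn` attribute the customer's reply calls forceAuthn, which a relying party such as LFDS can set on its `AuthnRequest`, and a decoder an administrator can point at a captured `SAMLRequest` parameter (HTTP-Redirect binding) to verify whether the relying party is actually asking for re-authentication. The issuer, URLs and request ID are constructed placeholders; note that the approved answer's `AlwaysRequireAuthentication` setting enforces the prompt on the AD FS side regardless of whether this flag is present.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(issuer, acs_url, destination, request_id, issue_instant, force_authn):
    """Build a minimal SAML 2.0 AuthnRequest; ForceAuthn="true" asks the IdP
    (AD FS here) to ignore its existing SSO session and re-prompt the user."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        root.set("ForceAuthn", "true")
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def encode_redirect_param(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    The real query string is additionally URL-encoded; that step is left out."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_param(param):
    """Reverse of encode_redirect_param: base64 -> raw inflate -> XML text."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def requests_force_authn(xml_text):
    """True if the AuthnRequest carries ForceAuthn="true"; the SAML default is false."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() == "true"


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    req = build_authn_request("https://lfds.example.test/saml", "https://lfds.example.test/acs",
                              "https://adfs.example.test/adfs/ls/", "_constructed-id-1",
                              "2018-10-04T00:00:00Z", True)
    print(requests_force_authn(decode_redirect_param(encode_redirect_param(req))))
```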
replied on October 17, 2018

What does the customer mean by "every time"? What is the user doing when the customer would like the user to be prompted for re-authentication?

  • Going from a non-Laserfiche application where they have authenticated using AD FS, then going to a Laserfiche application and clicking the AD FS login button?
  • Going from one Laserfiche application, such as Forms, where they authenticated initially, to a different application, such as viewing a document in Web Access?
0 0