Our current ADFS 2.x deployment is configured with a Shibboleth SAML claims trust provider that we use as our IdP. We've modified the home realm discovery (HRD) page code to update the wauth parameter sent to the Shib IdP when we want to force 2FA. I don't see a way to do this with ADFS 3/4 thanks to MS deciding to hide all of the HRD code in sealed binaries. The only option I see is modifying the onload.js JavaScript, but that wouldn't be secure since it executes in the user's browser rather than on the ADFS server.

Has anyone looked into this and found a per-RP way to modify the SAML claims provider request URI?
