自定义 MFA ADFS 扩展不适用于电子邮件声明

Question

I have built an MFA extension for ADFS using this guide: https://blogs.msdn.microsoft.com/jenfieldmsft/2014/03/24/build-your-own-external-authentication-provider-for-ad-fs-in-windows-server-2012-r2-walk-through-part-1/

I am trying get the incoming claim in the IAuthenticationAdapter.BeginAuthentication(Claim claim, ...) to have the e-mail of the user that is authenticating. Based on the guide, i should be able to specify in my metadata the IdentityClaims to return "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" and then i should get the e-mail.

However, my code is never hit.

Instead, i get the following error in the Event Viewer logs:

System.IO.InvalidDataException: The identity information provided does not contain a Windows account name.
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

I tried specifying the relying party trusts to pass on the LDAP parameters but i am unable to access those in my code.

Any suggestions?

Answer 1

Background

We ran into this question when trying to debug this exact issue, ourselves. We were experimenting with IAuthenticationAdapterMetadata.IdentityClaims . When our adapter requested emailaddress as our input claim, ADFS threw the above exception immediately before calling BeginAuthentication .

The main issue was that our Claims Provider (Active Directory, in this case) was not configured to provide the user's email address. We discovered this with help from Microsoft's (free) Claims X-Ray service, which I highly recommend for those debugging ADFS claims issues.

Secondarily, ADFS was giving a misleading error. ADFS does not actually seem to validate the Claim value passed to BeginAuthentication . Once we resolved the main issue, there were no restrictions on the user's email address, so long as it was defined.

Solution

Note: if you have multiple Claims Provider Trusts, you may need to do this with each of them.

1. Navigate to the AD FS Management app on the relevant machine.
2. Select Claims Provider Trusts .
3. Right click the provider you want to "fix" and select Edit Claim rules...
4. Select Add Rule... and then select Send LDAP Attributes as Claims .
5. I'm assuming you should select the provider you're working on as the Attribute store for this rule. You may need to experiment if you can't.
6. Map LDAP attribute E-Mail-Addresses to claim type E-Mail Address .
7. Save the new rule.

Additional note: Only the first value in the E-Mail-Addresses array will be sent to BeginAuthentication . This seems to be a quirk of the interface, not a quirk of this solution.

Answer 2

Is it possible to parse all the available claims for the current user? In my case, I need to figure out what primary authentication method the user used before showing specific options in the custom MFA page.