Learning “Stuff” With ADFS 2016 and Azure Functions
Andreas Helland

Hey Andreas. This solution looks great! I’ve managed to hack things apart to get it working on AD FS 2012 R2, but so you know, a few things appear to need work right now. A few things I’ve noticed:

  • The Claim for: Claim( "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
     "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/hardwaretoken" ) };
    …doesn't seem to get created. That may be important further down.
  • I needed to change the DLL for Microsoft.IdentityServer.Web.dll to the 6.3.0.0 version and update all references to it.
  • The build process seems to reference the value of the Microsoft.IdentityServer.Web.dll references from the YubiKeyMFAAdapter if you only update the SRSMFAAdapter’s version. In other words, it looks to me like the SRSMFAAdapter references don’t appear to be used in the Build process?
  • Having got everything built, I'm struggling to use the JSON file properly I think. It's not really clear to me how your function should be referenced in that file? If I use the following, it just displays the text of the JS file on the ADFS login page: 
    {
     "server": "https://gist.github.com/ahelland/76d44ca7619b5a06e730f4488ab0e20f.js"
    }
    If I put that in a script src tag, it seems to break. Strangely, it loaded once, briefly, and then started failing. The MFA Adapter loads past the proxy step fine in these configurations, but when I call it I get this error: 
     System.UriFormatException: Invalid URI: The URI scheme is not valid.
     at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
     at MFAadapter.SRSMFAAdapter.BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext context)
     at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
     at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
     at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    This is where I was thinking maybe this is trying to use the hardwaretoken Claim I mentioned at the top, but which doesn’t appear to be created. I wasn’t sure if this was a Claim type that exists in 2016 that is missing from 2012 R2, and if so, if I should just create it manually.

Any help you can offer with the JSON file/Claim would be much appreciated!

And for what it's worth, it's a testament to the quality of your work that I have been able to get this far #NotADev… :)
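The stack trace in the comment above shows the exception coming out of System.Uri's constructor inside the adapter's BeginAuthentication, which means the configured value is only validated at sign-in time. The following is an added example, not code from the original post or from the adapter it describes: it reads the same "server" key shown in the comment's JSON and checks it up front, so a value that is not an absolute https URL fails at adapter load with a readable message instead of a UriFormatException in the AD FS sign-in pipeline. The config path and the class name are hypothetical; the JSON key name is taken from the comment. JavaScriptSerializer (System.Web.Extensions.dll) is used because it ships with the .NET 4.5 runtime present on AD FS 2012 R2 and 2016.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web.Script.Serialization; // System.Web.Extensions.dll, part of .NET 4.5

// Added example (not the adapter's own code). Validates the "server" value from the
// adapter's JSON config before any Uri is constructed in BeginAuthentication.
public static class AdapterConfig
{
    public static Uri LoadServerUri(string configPath) // configPath is a hypothetical example
    {
        string json = File.ReadAllText(configPath);
        var settings = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json);

        object raw;
        if (settings == null || !settings.TryGetValue("server", out raw) || !(raw is string))
            throw new InvalidOperationException(
                "Config " + configPath + " has no string \"server\" value.");

        string value = ((string)raw).Trim();

        // Uri.TryCreate reports failure instead of throwing, so a bad value
        // surfaces here with the offending string in the message.
        Uri uri;
        if (!Uri.TryCreate(value, UriKind.Absolute, out uri))
            throw new InvalidOperationException("\"server\" is not an absolute URI: " + value);

        // The adapter calls the function over TLS; refuse anything else so a
        // misconfiguration (http://, a bare host name, a script URL) is caught early.
        if (uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException(
                "\"server\" must use https://, got " + uri.Scheme + ": " + value);

        return uri;
    }
}
```

Calling LoadServerUri once when the adapter is loaded (rather than per authentication) also means a configuration mistake is visible in the AD FS admin event log at registration time, before any user hits the MFA page.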
