cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
192
Views
1
Helpful
4
Replies

ADFS Access Control Policy versus Duo Group Policy

bjames
Level 5
Level 5

Hi,

 

In working with a client for the setup of ADFS with Duo MFA I had a question about where Duo's Policy takes over versus Microsoft ADFS policy in relation to Groups. In the setup docs it talks about Setting the ADFS Access Control Policy to set the groups that must use ADFS with MFA. I wanted to know if we setup an application policy for a Duo which one is the master policy and can their be overlap or contention?

Example: We will be using a Group Policy in Duo for MFA to require enrollment, but does this supersede the ADFS Access Control policy, or the Relying Trust policy?

 

Just trying to understand where each policy comes into play during the authentication and MFA context?

 

Thanks in advance, and let me know if I am not being clear enough.

Cheers

4 Replies 4

DuoKristina
Cisco Employee
Cisco Employee

Duo policies and AD FS policy are totally independent and therefore can both apply.

Setting a group policy in AD FS means that members of that group receive the multipleauthn claim requirement in AD FS. That is what determines if a user gets redirected to Duo (or another configured MFA provider in AD FS) or not. AD FS does not know if a given user is enrolled in Duo or not.

Once a user gets redirected to Duo for MFA, that is when Duo policies for the user will get evaluated, and in your proposed config an unenrolled user would be made to enroll in Duo, and then complete MFA in Duo, and then gets redirected back to AD FS to complete satisfying the multipleauthn requirement that AD FS policy enforced for that user+application.

Edited to add example...

look at this AD FS authentication rule command:

Set-AdfsRelyingPartyTrust -targetname "Microsoft Office 365 Identity Platform" -additionalauthenticationrules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"])=>issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

It's saying:

1. When a user signing in to M365 RP via this AD FS server
2. access a path that contains /adfs/ls or /adfs/oauth2
3. then AD FS should issue a claim for an additional auth method
4. which is the multipleauthn claim

If you enabled AD FS trace logging and watched the output of the user logging in, you'd see a series of events evntually in the extremely verbose output:

multipleauthn auth method claim

ClaimType	http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod	Value	http://schemas.microsoft.com/claims/multipleauthn	ValueType	http://www.w3.org/2001/XMLSchema#string	Issuer	LOCAL AUTHORITY	OriginalIssuer	LOCAL AUTHORITY



co**I޳\LtT&
!޳\xᆕ{L]&;4H!_}_-WAxmClaimType	http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod	Value	http://schemas.microsoft.com/claims/multipleauthn	ValueType	http://www.w3.org/2001/XMLSchema#string	Issuer	LOCAL AUTHORITY	OriginalIssuer	LOCAL AUTHORITY

MFA required

s**J޳\LtT&
!p޳\xᆕ{L]&;4I!_}_-WAx7[7[E[UwGRAMjIhttp://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events	51**K޳\LtT&
!޳\xᆕ{L]&;4J!_}_-WAx̺	        Additional authentication required triggered by additional auth policy rules.70**XL޳\LtT&
u!޳\xᆕ{L]&;4K!_}_-WAx̺	^        EXIT: RequiresSecondStageAuthentication94-1X**(M޳\LtT&
G!޳\xᆕ{L]&;4L!_}_-WAx̺	0      MFA Claim count: 0420(**PN޳\LtT&
q!޳\xᆕ{L]&;4M!_}_-WAx̺	Z      Providers in trace: FormsAuthentication42P**O%޳\LtT&
!޳\xᆕ{L]&;4N!_}_-WAx̺	      Second stage authDomain: AuthenticationMethods:

what's the mfa provider on this particular AD FS server? Only the Duo adapter is installed (but it is possible to have mutliple options enabled for secondary auth on the AD FS server and the user would get to choose which one to use)

  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified

ProviderAuthInfoList: 

  DuoAdfsAdapter

UseProviderAuthInfoList: True

finished evaluating policy; now do it

!޳\xᆕ{L]&;4P!_}_-WAx̺	    Processing authHandler , Identifier = Options. The request ID is 00000000-0000-0000-f317-0080020000e2.A**HR/޳\LtT&
k!E ޳\xᆕ{L]&;4Q!_}_-WAx̺	T    Authentication method: DuoAdfsAdapter.0H**S޳\LtT&

starting duo adapter

!/޳\xᆕ{L]&;4R!_}_-WAx̺	    Entering ExternalAuthenticationHandler.Process() Identifier: DuoAdfsAdapter, ContextId: <null>1**(T޳\LtT&
I! ޳\xᆕ{L]&;4S!_}_-WAx̺	2      ENTER: PrepareTheme17(**8U޳\LtT&
U! ޳\xᆕ{L]&;4T!_}_-WAx̺	>      User's languages: 'en-us'4-108**Vע޳\LtT&
! ޳\xᆕ{L]&;4U!_}_-WAx̺	      Response culture without webcontent: English (United States), ue	**W޳\LtT&
! ע޳\xᆕ{L]&;4V!_}_-WAx̺	      Found supported culture 'English (United States)' for request's language 'en-us'.-512**(XO޳\LtT&
G! ޳\xᆕ{L]&;4W!_}_-WAx̺	0      EXIT: PrepareTheme574(**Yѣ޳\LtT&
!O޳\xᆕ{L]&;4X!_}_-WAx̺	    Beginning authentication: Anchor claim   = http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname: DOMAIN\user Identifier: DuoAdfsAdapter, ContextId: c1935422-a736-4177-a57f-1cf5114f5cd9**Z޳\LtT&
!ѣ޳\xᆕ{L]&;4Y!_}_-WAx̺	    Beginning authentication: Identity claim = http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname:DOMAIN\user Identifier: DuoAdfsAdapter, ContextId: c1935422-a736-4177-a57f-1cf5114f5cd9**[0޳\LtT&
!޳\xᆕ{L]&;4Z!_}_-WAx̺	    Verifying authentication method available for identityClaim = http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname:DOMAIN\user, Response culture LCID:1033 Identifier: DuoAdfsAdapter, ContextId: c1935422-a736-4177-a57f-1cf5114f5cd9-4ca**\w\LtT&
!0޳\xᆕ{L]&;4[!_}_-WAx̺	    Beginning authentication: identityClaim = http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname:DOMAIN\user, Response culture LCID:1033 Identifier: DuoAdfsAdapter, ContextId: c1935422-a736-4177-a57f-1cf5114f5cd9evb6**h]H\LtT&
! w\xᆕ{L]&;4\!_}_-WAx̺	t    Sign-in option 'DuoAdfsAdapter' is currently selected.Wh**`
^\LtT&
	!7H\xᆕ{L]&;4]!_}_-WAx̺	h	    Response Uri already contains the clientRequestId query parameter, so not adding it. Response Uri=https://adfs.example.com:443/adfs/ls/?login_hint=usr%40example.com&wfresh=0&wauth=http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fauthenticationmethod%2fpassword&client-request-id=9586e178-7b8c-4ca7-9fa9-1b885d26f13b&username=user%40example.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=LoginOptions%3D3%26estsredirect%3d2%26estsrequest%3drQIIAY1Rv5fKndnHhArJ1gY8RV-QM6vPfp-_T0Se-95SUkq7Ii2TRZAcpNUZGV1jXU1BCCsCGpSFWkBqxDyULIljSFElvD9SbFjWBluZz-evb6xZMPW-8-Xnn--Pqf20dATSUvxHHkSDyOGOcTaRpwu1WrEe7JnksCHvJxJPPx2CVU_q-pfQZgAcBTAbwSVg9CzLBHnbs04SyhmGCbenPZ5QsBfBcude9lz9Ep8cA9pCdCgfF9138jBuauwu1Ob0bmg8Od_mDeczN4aTJCLN7y7anl9RK7bsSW9wjqu3rbRFpkDbVY9zc13OlB0jGYAR8yY2JmGDmkPYnN4XZi7d0PcV89sBA8vTPa3ubmUPVHO0di1YmiaZjZw1NXxpnHKXPlbNRoShzs79NPYjFbPe5_E8EiD07yl0tCuVAB1dwNAIVWqXSxDCq5au5vHrwvZInu6es_VbbWfnu18uMruZA7LtTgPDYfUALnG2k_gGg2M6KU8WbobNzqI30CB6M46XQMFJPNO-st5WURHBdFt9v_Xcx9WWqcr4_uWR_dM80_0&cbcxt=&mkt=&lc=&ssoCookie=f77f969e-5b55-42af-b998-456cd305036dd0P`
**(_\LtT&
E!\xᆕ{L]&;4^!_}_-WAx̺	.    Exiting ExternalAuthenticationHandler.Process() with return value: null Identifier: DuoAdfsAdapter, ContextId: c1935422-a736-4177-a57f-1cf5114f5cd9036d(**`
\LtT&
+!6\xᆕ{L]&;4_!_}_-WAx̺	    Sending response at time: '' with StatusCode: '200' and StatusDescription: 'OK'.

then after this the user redirects to Duo prompt to complete MFA, and when the installed Duo adapter on the AD FS server process the authorization received from Duo after MFA success the multipleauthn claim is satisfied.

Duo, not DUO.

Thanks Kristina always educational.

So as I understand it, if I say an AD group must use MFA in the Access Control Policy, then it gets kicked to Duo and we've got the Allow Access in the Policy with another group set to require access, what happens?

 

Thanks

The user whose effective policy in Duo is allowing access without MFA is:
- subject to the multipleauthn AD FS requirement
- sent through the DuoAdfsAdapter
- redirected to Duo prompt
- sails through Duo prompt as an allowed user per Duo policy, (but any configured endpoint checks you might have applied in Duo get evaluated like device trust or health)
- gets redirected back to AD FS for completion of that request
- the multipleauthn claim is satisfied
- access granted and AD FS redirects the user to the relying party

The user in the other group whose effective Duo policy requires MFA has much the same experience except instead of sailing through Duo prompt they actually perform MFA.

Duo, not DUO.

bjames
Level 5
Level 5

Thank you!

Quick Links