Configuration
EnableIdpInitiatedSignonPage
Applies to |
---|
Windows Server 2016 |
Windows Server 2019 |
Windows Server 2022 |
Users can use this feature to test sign-on to the configured Relying Party Trusts. By default, this feature is disabled (except on Windows Server 2012), the user can check the status with the following PowerShell command:
Get-AdfsProperties | fl _idpinitiatedsignon_
To enable this feature, use the following PowerShell command:
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
To check the operation of the ADFS plugin, you can open the link in the browser and perform primary authentication:
https\://{{yourDomainName}}/adfs/ls/idpinitiatedsignon.aspx
Authentication Policies
Applies to |
---|
Windows Server 2012 R2 |
Windows Server 2016 |
Windows Server 2019 |
Windows Server 2022 |
Windows Server 2016/2019/2022
Open the ADFS management console and navigate to the Authentication Methods section of your ADFS instance under AD FS > Service. The user already sees the ADFS plugin inline for IDComplete listed under Multi-factor Authentication Methods, but if not, click Edit or "Edit Multi-factor Authentication Methods..." on the right-hand side:
From here, ensure that the ADFS plugin inline for the IDComplete checkbox is enabled:
Finally, ensure that the Primary tab with the following options enabled:
Next, the user can apply the policy to individual Relying Party Trusts. Navigate to Relying Party Trusts and select the one user can edit, then click "Edit Access Control Policy..." on the right-hand side:
Now, create or choose a policy that will require users to use MFA and click Apply.
Windows Server 2012
Users can either set policies globally for all Relying Party Trusts, or individually. For global settings, open the ADFS management console navigate to the Authentication Policies section of your ADFS instance, and click the Edit button under Multi-factor Authentication > Global Settings:
Authentication Policies Overview
Check the following parameters and enable them if they are disabled:
Users can also set the policies individually. Navigate to Authentication Policies > Per Relying Party Trust right-click the relevant Relying Party Trust and choose "Edit Custom Multi-factor Authentication..." or click the same option on the right-side menu.
Allow Additional Authentication as Primary
Users can also set the policies individually. Navigate to Authentication Policies > Per Relying Party Trust and right-click the relevant Relying Party Trust and choose "Edit Custom Multi-factor Authentication..." or click the same option on the right-side menu.
Allow Additional Authentication as Primary
Applies to |
---|
Windows Server 2019 |
Windows Server 2022 |
"If users are running ADFS on Windows Server 2019+, they can leverage the added benefit of using additional authentication methods as a first factor. This feature could potentially eliminate the need for passwords."
More information can be found on the Microsoft website.
To enable the behavior, users can open a PowerShell window and use the following command:
Set-AdfsGlobalAuthenticationPolicy -AllowAdditionalAuthenticationAsPrimary $true
Users can access this setting in the AD FS Management console by navigating to Service > Authentication Methods and clicking "Edit Primary Authentication Methods..." on the right-hand side. Click the checkbox marked Allow additional authentication providers as primary.
Apply the changes, then open the dialog again and ensure that only the ADFS plugin inline for IDComplete is checked for Extranet and Intranet locations:
HTTP Response Headers
Applies to |
---|
Windows Server 2019 |
Windows Server 2022 |
authID loads the plugin UI via IFrame. However, certain versions prevent content from being loaded due to a default Content Security Policy. You will need to modify the CSP to allow authID's origin. Check your existing policy with the following PowerShell command:
Get-AdfsProperties | Select -ExpandProperty ResponseHeaders
Copy the content of the Content-Security-Policy directive, and add frame-src: https://id.authid.ai; to the value. Use the following command to propagate the changes:
Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "...; frame-src https://id.authid.ai"
Enable Paginated Sign-in
Applies to |
---|
Windows Server 2012 R2 |
Windows Server 2016 |
Windows Server 2019 |
Windows Server 2022 |
ADFS supports a new experience for logins that involves paginated sign-in. Users can enable the paginated experience using the following PowerShell command:
Set-AdfsGlobalAuthenticationPolicy -EnablePaginatedAuthenticationPages $true
More information can be found on the Microsoft website.
Updated 10 days ago