Configuration

EnableIdpInitiatedSignonPage

Applies to
Windows Server 2016
Windows Server 2019
Windows Server 2022

Users can use this feature to test sign-on to the configured Relying Party Trusts. By default, this page is disabled (except on Windows Server 2012, where it is enabled). Check the current status with the following PowerShell command:

Get-AdfsProperties | fl *IdpInitiatedSignon*

To enable this feature, use the following PowerShell command:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

To check the operation of the ADFS plugin, open the following link in a browser and perform primary authentication. Disable the page again once testing is complete: it is off by default on Windows Server 2016 and later because it is rarely needed in production and it exposes the list of configured Relying Party Trusts to unauthenticated visitors.

https://{{yourDomainName}}/adfs/ls/idpinitiatedsignon.aspx
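
The following script is an added example and not part of the authID documentation. It enables the IdP-initiated sign-on page only for the duration of a test, checks that the AD FS service answers on the endpoint, and restores the previous value afterwards. It assumes it runs in a PowerShell session on an AD FS server with the ADFS module loaded; $FarmFqdn is a placeholder for your federation service name.

```powershell
# Added example (not from the authID documentation). Assumes the ADFS module is
# available in the session and that $FarmFqdn resolves to this farm.
$FarmFqdn = "fs.example.com"   # assumption: replace with your federation service FQDN

$before = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
Write-Host "EnableIdpInitiatedSignonPage before the test: $before"

try {
    if (-not $before) {
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    }

    # Fetch the page without following redirects; an HTTP 200 shows the AD FS
    # service is serving it. The interactive sign-on test itself is done in a
    # browser, this only proves the setting is live on the node answering.
    $uri  = "https://$FarmFqdn/adfs/ls/idpinitiatedsignon.aspx"
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    Write-Host "GET $uri returned HTTP $($resp.StatusCode); run the browser test now."
    Read-Host "Press Enter when the test is finished"
}
finally {
    # Leave the farm as it was found: the page should stay disabled when not
    # actively needed, because it advertises the configured Relying Party Trusts.
    if (-not $before) {
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
        Write-Host "EnableIdpInitiatedSignonPage restored to False"
    }
}
```

The try/finally block is the point of the script: even if Invoke-WebRequest throws (certificate error, name resolution, a node that has not yet picked up the change), the page is switched off again before the session ends.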

Authentication Policies

Applies to
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022

Windows Server 2016/2019/2022

Open the ADFS management console and navigate to the Authentication Methods section of your ADFS instance under AD FS > Service. You may already see the ADFS plugin inline for IDComplete listed under Multi-factor Authentication Methods; if not, click Edit or "Edit Multi-factor Authentication Methods..." on the right-hand side.

From here, ensure that the checkbox for ADFS plugin inline for IDComplete is enabled.

Finally, on the Primary tab, ensure that the required primary authentication methods are enabled.

Next, apply the policy to individual Relying Party Trusts. Navigate to Relying Party Trusts, select the one you want to edit, then click "Edit Access Control Policy..." on the right-hand side.

Now, create or choose a policy that requires MFA (for example the built-in "Permit everyone and require MFA") and click Apply.
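
As an added example, not taken from the authID documentation, the following script is the PowerShell equivalent of the Windows Server 2016/2019/2022 console steps above: it registers the plugin as an additional (MFA) provider globally and then requires MFA for one Relying Party Trust through an access control policy. It assumes the plugin's display name in AD FS is exactly "ADFS plugin inline for IDComplete" and uses a placeholder Relying Party Trust name; replace both with your own values.

```powershell
# Added example (not from the authID documentation or the plugin itself).
# Assumptions: the ADFS module is loaded, $PluginDisplayName matches the provider's
# display name in AD FS, and $RpName is an existing Relying Party Trust.
$PluginDisplayName = "ADFS plugin inline for IDComplete"
$RpName            = "Contoso Portal"   # assumption: your Relying Party Trust name

# 1. Resolve the registered provider name. The console shows the display name,
#    but the policy cmdlets want the name the provider was registered under.
$plugin = Get-AdfsAuthenticationProvider |
    Where-Object { $_.DisplayName -eq $PluginDisplayName }
if (-not $plugin) {
    throw "Provider '$PluginDisplayName' is not registered on this farm."
}

# 2. Add it to the global list of additional (MFA) providers. The parameter
#    replaces the whole list, so merge with what is already enabled.
$current = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
if ($current -notcontains $plugin.Name) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($current + $plugin.Name)
}

# 3. Require MFA for the Relying Party Trust using the access control policy that
#    ships with AD FS 2016 and later under this exact name.
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -AccessControlPolicyName "Permit everyone and require MFA"

# 4. Verify what is now in effect.
"Additional providers: " + ((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider -join ', ')
"Policy on '$RpName': " + (Get-AdfsRelyingPartyTrust -Name $RpName).AccessControlPolicyName
```

Merging the provider list in step 2 matters on farms that already use another MFA provider (for example Azure MFA): passing only the plugin name would silently remove the other one.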

Windows Server 2012

Users can either set policies globally for all Relying Party Trusts, or individually. For global settings, open the ADFS management console, navigate to the Authentication Policies section of your ADFS instance, and click the Edit button under Multi-factor Authentication > Global Settings.

Authentication Policies Overview

Check the following parameters and enable them if they are disabled:

Users can also set the policies individually. Navigate to Authentication Policies > Per Relying Party Trust, right-click the relevant Relying Party Trust and choose "Edit Custom Multi-factor Authentication...", or click the same option on the right-side menu.
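
As an added example, not taken from the authID documentation, the following script is the PowerShell equivalent of the Windows Server 2012 console steps above. Before access control policies existed, MFA was required through "additional authentication rules" written in the AD FS claims rule language, either globally or per Relying Party Trust; the script shows both, plus the common variant that only requires MFA from outside the corporate network. It assumes the plugin's display name is "ADFS plugin inline for IDComplete" and uses a placeholder Relying Party Trust name.

```powershell
# Added example (not from the authID documentation or the plugin itself).
# Assumptions: ADFS module loaded, $PluginDisplayName matches the provider's
# display name, $RpName is an existing Relying Party Trust.
$PluginDisplayName = "ADFS plugin inline for IDComplete"
$RpName            = "Contoso Portal"   # assumption: your Relying Party Trust name

$plugin = Get-AdfsAuthenticationProvider |
    Where-Object { $_.DisplayName -eq $PluginDisplayName }
if (-not $plugin) { throw "Provider '$PluginDisplayName' is not registered." }

# Enable the plugin as an additional (MFA) provider, keeping any provider that is
# already enabled (the parameter replaces the whole list).
$current = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
if ($current -notcontains $plugin.Name) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($current + $plugin.Name)
}

# Rule 1: issue the "multipleauthn" authentication-method claim unconditionally.
# AD FS then invokes the additional provider for every request the rule covers.
$RequireMfaAlways = @'
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
         Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Rule 2: same claim, but only when the request does not come from inside the
# corporate network (the "Extranet" checkbox in the console).
$RequireMfaExtranet = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Global: applies to every Relying Party Trust.
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $RequireMfaExtranet

# Per Relying Party Trust: this one always requires MFA, regardless of location.
Set-AdfsRelyingPartyTrust -TargetName $RpName -AdditionalAuthenticationRules $RequireMfaAlways

# Verify.
"Global rule:`n" + (Get-AdfsAdditionalAuthenticationRule)
"Rule on '$RpName':`n" + (Get-AdfsRelyingPartyTrust -Name $RpName).AdditionalAuthenticationRules
```

The insidecorporatenetwork claim is only reliable when the Web Application Proxy (or another trusted front end) is the only path by which external requests reach AD FS; if external clients can hit the federation servers directly, the "extranet only" rule does not fire for them and the unconditional rule is the safer choice.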

Allow Additional Authentication as Primary

Applies to
Windows Server 2019
Windows Server 2022

"If users are running ADFS on Windows Server 2019+, they can leverage the added benefit of using additional authentication methods as a first factor. This feature could potentially eliminate the need for passwords."

More information can be found on the Microsoft website.

To enable the behavior, users can open a PowerShell window and use the following command:

Set-AdfsGlobalAuthenticationPolicy -AllowAdditionalAuthenticationAsPrimary $true

Users can access this setting in the AD FS Management console by navigating to Service > Authentication Methods and clicking "Edit Primary Authentication Methods..." on the right-hand side. Click the checkbox marked Allow additional authentication providers as primary.

Apply the changes, then open the dialog again and ensure that only the ADFS plugin inline for IDComplete is checked for the Extranet and Intranet locations. Confirm from a separate session that the plugin completes a sign-in before you remove the password-based providers: once the plugin is the only primary method, a plugin failure locks every user out of the federation service, and you will need console or PowerShell access to the server to roll back.
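
As an added example, not taken from the authID documentation, the following script performs the same change from PowerShell while recording the previous primary providers so the change can be reversed from the server if the plugin cannot complete a sign-in. It assumes the plugin's display name is "ADFS plugin inline for IDComplete".

```powershell
# Added example (not from the authID documentation or the plugin itself).
# Assumptions: AD FS on Windows Server 2019 or later, ADFS module loaded, and
# $PluginDisplayName matches the provider's display name in AD FS.
$PluginDisplayName = "ADFS plugin inline for IDComplete"

$plugin = Get-AdfsAuthenticationProvider |
    Where-Object { $_.DisplayName -eq $PluginDisplayName }
if (-not $plugin) { throw "Provider '$PluginDisplayName' is not registered." }

# Record the current primary providers; keep this output somewhere you can read
# it without signing in through AD FS.
$policy   = Get-AdfsGlobalAuthenticationPolicy
$rollback = @{
    Intranet = @($policy.PrimaryIntranetAuthenticationProvider)
    Extranet = @($policy.PrimaryExtranetAuthenticationProvider)
}
"Rollback values: intranet=$($rollback.Intranet -join ',') extranet=$($rollback.Extranet -join ',')"

# Step 1: allow additional providers to act as primary (the checkbox in the console).
Set-AdfsGlobalAuthenticationPolicy -AllowAdditionalAuthenticationAsPrimary $true

# Step 2: make the plugin the only primary provider for both locations. This is the
# point of no return for password sign-in; test from a second session first.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @($plugin.Name) `
    -PrimaryExtranetAuthenticationProvider @($plugin.Name)

# Verify.
$after = Get-AdfsGlobalAuthenticationPolicy
"AllowAdditionalAuthenticationAsPrimary: $($after.AllowAdditionalAuthenticationAsPrimary)"
"Primary intranet: $($after.PrimaryIntranetAuthenticationProvider -join ', ')"
"Primary extranet: $($after.PrimaryExtranetAuthenticationProvider -join ', ')"

# Rollback, to run from a console session on the server if users cannot sign in:
#   Set-AdfsGlobalAuthenticationPolicy `
#       -PrimaryIntranetAuthenticationProvider $rollback.Intranet `
#       -PrimaryExtranetAuthenticationProvider $rollback.Extranet
```

A staged alternative is to keep FormsAuthentication in the intranet list alongside the plugin until the plugin has been exercised by real users, then remove it in a second pass.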

HTTP Response Headers

Applies to
Windows Server 2019
Windows Server 2022

authID loads the plugin UI in an IFrame. AD FS on Windows Server 2019 and later sends a default Content-Security-Policy header that does not permit frames from other origins, so the browser blocks the plugin UI until the policy allows authID's origin. Check your existing policy with the following PowerShell command:

Get-AdfsProperties | Select -ExpandProperty ResponseHeaders

Copy the value of the Content-Security-Policy header and add a frame-src directive that permits https://id.authid.ai. CSP directives are separated by semicolons and take a space-separated list of sources, so the directive is frame-src https://id.authid.ai (no colon after the directive name). If the policy already contains frame-src, append the origin to that directive rather than adding a second one; browsers honour only the first occurrence of a directive. The command below replaces the whole header value, so keep every existing directive in it:

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "...; frame-src https://id.authid.ai"
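
As an added example, not taken from the authID documentation, the following script does the merge programmatically: it reads the current policy, adds the authID origin to frame-src (creating the directive if it is absent, extending it if it already exists) and writes the result back, leaving every other directive untouched. It uses Get-AdfsResponseHeaders and Set-AdfsResponseHeaders, available from AD FS 2019; that the ResponseHeaders property can be indexed by header name like a dictionary is an assumption.

```powershell
# Added example (not from the authID documentation). Assumptions: AD FS 2019 or
# later, ADFS module loaded, and (Get-AdfsResponseHeaders).ResponseHeaders is
# indexable by header name.
$AuthIdOrigin = "https://id.authid.ai"

$headers = (Get-AdfsResponseHeaders).ResponseHeaders
$csp     = $headers["Content-Security-Policy"]
if (-not $csp) { throw "No Content-Security-Policy header is configured; nothing to merge." }
"Current CSP: $csp"

# Parse "directive src src; directive src ..." into an ordered directive -> sources map.
$directives = [ordered]@{}
foreach ($part in ($csp -split ';')) {
    $tokens = $part.Trim() -split '\s+'
    if ($tokens[0]) {
        $directives[$tokens[0]] = @($tokens | Select-Object -Skip 1)
    }
}

if ($directives.Contains('frame-src')) {
    # Extend the existing directive; a second frame-src would be ignored by browsers.
    if ($directives['frame-src'] -notcontains $AuthIdOrigin) {
        $directives['frame-src'] = @($directives['frame-src']) + $AuthIdOrigin
    }
} else {
    # Without frame-src, frames fall back to default-src ('self' on AD FS). Keep
    # 'self' so any frames AD FS serves itself continue to work.
    $directives['frame-src'] = @("'self'", $AuthIdOrigin)
}

$newCsp = ($directives.Keys | ForEach-Object {
    ("$_ " + ($directives[$_] -join ' ')).Trim()
}) -join '; '
"New CSP:     $newCsp"

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue $newCsp

# Read it back to confirm the header that browsers will now receive.
(Get-AdfsResponseHeaders).ResponseHeaders["Content-Security-Policy"]
```

After the change, load the sign-in page with the browser developer tools open: a remaining CSP violation for the authID frame will show up in the console as a blocked frame-src, while a violation for scripts or styles points at another directive and needs a separate change.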

Enable Paginated Sign-in

Applies to
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022

ADFS supports a new experience for logins that involves paginated sign-in. Users can enable the paginated experience using the following PowerShell command:

Set-AdfsGlobalAuthenticationPolicy -EnablePaginatedAuthenticationPages $true

More information can be found on the Microsoft website.