6 thoughts on “Using alternate login id without using alternate login id – part 3”

  1. I liked your post but have a question on alternate logins. In my issue we already have ADFS configured to use a custom AD user attribute for the alt id but are now being asked to add yet another field. So with your solution, can it be configured to use 3 or more fields as alternate login IDs?


    1. Hi Richard,

      Using the way ADFS handles alternative login id, you can only define one attribute to be searched along with the Active Directory anchor attribute. Technically you can build everything you like, and you can create really complex SQL queries or complex JavaScript code in the onload.js. Technically I do not use an AD attribute for the login id – I query a database (with ADFS 2016 you could also query an LDAP) after successful AuthN. You could do something like this in SQL to check for Column1 and, if this is empty, use another column as login id:

      -- Prefer Column1; fall back to Column2 when Column1 is NULL, empty or whitespace only
      SELECT
        CASE WHEN Column1 = '' OR Column1 IS NULL OR LEN(TRIM(Column1)) = 0
             THEN Column2
             ELSE Column1
        END AS ColumnName
      FROM TableName;

      But always be aware that some internal logic in ADFS will not be used if you do not use the built-in alternative login id feature. For example, my solution will not work with Azure MFA right out of the box. You can also work around this issue, but here too you will not get any official support from Microsoft.


      Christian

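The fallback query in the comment above selects a login id inside the database. As an added example that is not from the blog post or from any commenter, the following Python script builds a constructed in-memory SQLite table with the two candidate columns, runs an equivalent query (SQLite spells `LEN` as `LENGTH`), and then resolves a submitted login id with a parameterised lookup that refuses ambiguous matches. The table name `LoginIds`, the column names and every sample row are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample accounts: (SamAccountName, Column1, Column2).
# Column1 is the preferred login id, Column2 the fallback, mirroring the
# commenter's CASE expression. The blank, NULL and whitespace rows exercise
# each branch of the WHEN clause; 'eve' deliberately collides with bob's fallback.
SAMPLE_ROWS = [
    ("alice", "alice@corp.example", "alice@contoso.example"),
    ("bob", "", "bob@contoso.example"),
    ("carol", None, "carol@contoso.example"),
    ("dave", "   ", "dave@contoso.example"),
    ("eve", "bob@contoso.example", "eve@contoso.example"),
]

# Same fallback logic as the comment's query; SQLite uses LENGTH instead of LEN.
FALLBACK_LOGIN_ID_SQL = """
SELECT SamAccountName,
       CASE WHEN Column1 = '' OR Column1 IS NULL OR LENGTH(TRIM(Column1)) = 0
            THEN Column2
            ELSE Column1
       END AS LoginId
FROM LoginIds
"""


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory table (assumed name LoginIds) holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LoginIds (SamAccountName TEXT PRIMARY KEY, Column1 TEXT, Column2 TEXT)"
    )
    conn.executemany("INSERT INTO LoginIds VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def resolve_login_ids(conn: sqlite3.Connection) -> dict:
    """Map every account to the login id the CASE expression selects for it."""
    return {sam: login_id for sam, login_id in conn.execute(FALLBACK_LOGIN_ID_SQL)}


def find_account_by_login_id(conn: sqlite3.Connection, login_id: str):
    """Return the single account whose resolved login id matches, else None.

    The value typed into the sign-in form is passed as a bound parameter, never
    concatenated into the statement. A match is accepted only when exactly one
    account resolves to that login id: if two accounts' columns collide, the
    lookup returns None instead of silently picking one of them.
    """
    rows = conn.execute(
        f"SELECT SamAccountName FROM ({FALLBACK_LOGIN_ID_SQL}) AS resolved WHERE LoginId = ?",
        (login_id,),
    ).fetchall()
    if len(rows) != 1:
        return None
    return rows[0][0]


if __name__ == "__main__":
    db = build_demo_db()
    for sam, login_id in resolve_login_ids(db).items():
        print(f"{sam:6} -> {login_id}")
    print("lookup alice@corp.example:", find_account_by_login_id(db, "alice@corp.example"))
    print("lookup bob@contoso.example:", find_account_by_login_id(db, "bob@contoso.example"))
```

Running the script prints the resolved login id for each sample account; the `bob@contoso.example` lookup returns `None` because both `bob` (via fallback) and `eve` (via Column1) resolve to it, which is the kind of collision worth checking for whenever several attributes can act as a login id.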

  2. Hi Christian,

    what do you mean by “this solution will not work with Azure MFA right out of the box”? Actually, we got some issues with Azure MFA in ADFS due to the alternate login id (https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34544287-make-azure-mfa-work-on-adfs-when-alternate-login). I thought that your solution (the last part where you replace the alternate login id with the real UPN) might be a way to solve this issue and keep the original claims as is.


    1. Hi Danny,

      in this very special configuration we cover in this post, ADFS is not using Alternate Login Id – but the Azure MFA AuthZ provider works a little bit differently. So just faking the input by JavaScript will not fool the Azure MFA logic. To achieve this you have to modify the claims coming from AD (claims provider issuance rules). This is so far away from being supported that I will not openly cover this here 😉

      But my conclusion after so many projects with my customers is that I really encourage you guys to abandon ADFS for Office365/Azure AD authentication 😉


      1. Hi Christian,

        Actually, Microsoft is working on my issue to finally identify the cause. With Azure MFA as secondary method in ADFS and alternate login id enabled (alternate login id mapped to the mail attribute), it tries to identify the Azure AD user with the value coming from the mail attribute first. Since the user does not exist, the MFA fails and it just stops there. What I did is temporarily set the mail attribute to the same value as the UPN for a test account, and Azure MFA is working beautifully. So, I thought that by disabling alternate login id for everyone and using your hack to always fill the username parameter with the correct UPN, I’ll be ok and I don’t have to play with the original claims rule… Is there a chance that it’s gonna work? I know Microsoft wants all of us to abandon ADFS, but we have a lot of apps on-premise that we want to protect with Azure MFA 😉


        1. Hi Danny,

          Azure MFA auth should work with alternate login id configured properly within ADFS. The MFA provider is using claims that are coming from the claims provider trust. So you have to look into modifying the claims provider trust claims, if I remember correctly. Unfortunately I currently have no test environment to really check this – but if you enable debug logging in ADFS you should see what is going on.

