
ADFS MFA - Extend AD Schema for YubiKey


Our company is connecting more and more of its applications to use SAML authentication to our ADFS infrastructure and we're getting serious about implementing more Multi-Factor Authentication methods, particularly YubiKeys.

I'm going to use the coding example from HERE to write a custom MFA provider for our ADFS infrastructure (using ADFS 3.0, i.e. Windows Server 2012 R2) and have one 'bump' I haven't got a clear answer for.

For this to work properly, the User account needs to be linked to a YubiKey token ID# and storing this in AD is ideal. (I've seen a few examples where the MFA provider is actually an external web application which I don't want.)

Initially I'll use one of the User class extensionAttributes for testing but ultimately I'll create a dedicated attribute for this. Obviously this would need a schema extension, which I'm comfortable doing.

What I don't know is how to read the attribute out of AD for the user who is authenticating, to validate that the YubiKey they have used is their own (i.e. to make sure they're not using someone else's). Could anyone tell me if this is even possible?


Solution

  • And I just answered my own question:

    add this code to the AuthenticationAdapter class:

    using System.DirectoryServices;

    // Looks up the YubiKey ID stored on the user's AD object, keyed by UPN.
    private string GetDeviceId(string upn)
    {
        // The UPN is placed inside an LDAP filter, so escape the filter
        // metacharacters first (RFC 4515); otherwise a crafted UPN changes the query.
        string safeUpn = upn.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28").Replace(")", @"\29");
        DirectoryEntry entry = new DirectoryEntry();
        DirectorySearcher mySearcher = new DirectorySearcher(entry, "(&(objectClass=user)(objectCategory=person)(userPrincipalName=" + safeUpn + "))");
        SearchResult result = mySearcher.FindOne();
        // FindOne returns null when no user matches; the attribute may also be unset.
        if (result == null || result.Properties["extensionAttribute10"].Count == 0)
            return null;
        string deviceId = (string)result.Properties["extensionAttribute10"][0];
        return deviceId;
    }
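The lookup above answers half of the question; the other half is checking that the OTP the user typed actually came from the key enrolled for them. The following is an added example, not code from the original post or from the MFA provider sample it refers to. It assumes the AD attribute holds the key's modhex public ID (normally 12 characters) and that the submitted OTP reaches the adapter as a string; the class and method names are my own.

```csharp
// Added example, not code from the original post. Assumes the AD attribute
// holds the key's modhex public ID (usually 12 chars) and that the OTP the
// user typed is available to the adapter as a string. All names are mine.
using System;
using System.Text;
using System.Text.RegularExpressions;

public static class YubiKeyOwnership
{
    // Modhex alphabet used by YubiKey OTPs; an OTP is the public ID followed
    // by 32 characters of encrypted token data.
    private static readonly Regex ModhexOtp = new Regex("^[cbdefghijklnrtuv]{33,64}$");

    // Returns the public ID part of a well-formed OTP, or null if the string
    // is not a YubiKey OTP at all (wrong alphabet, too short, too long).
    public static string PublicIdFromOtp(string otp)
    {
        if (otp == null) return null;
        string s = otp.Trim().ToLowerInvariant();
        if (!ModhexOtp.IsMatch(s)) return null;
        return s.Substring(0, s.Length - 32);
    }

    // Compare two ASCII strings without an early exit, so the time taken does
    // not reveal how many leading characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.ASCII.GetBytes(a);
        byte[] y = Encoding.ASCII.GetBytes(b);
        if (x.Length != y.Length) return false;
        int diff = 0;
        for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    // True only if the OTP was produced by the key enrolled for this user.
    // Fails closed: no stored ID, malformed OTP, or a mismatch all return false.
    public static bool OtpBelongsToUser(string otp, string storedPublicId)
    {
        string presented = PublicIdFromOtp(otp);
        if (presented == null || string.IsNullOrWhiteSpace(storedPublicId)) return false;
        return FixedTimeEquals(presented, storedPublicId.Trim().ToLowerInvariant());
    }

    // Stand-alone demonstration with constructed values (not real keys or OTPs).
    public static void Main()
    {
        const string enrolledId = "ccccccbcgujh";                 // constructed public ID
        string otpFromOwner = enrolledId + new string('c', 32);   // constructed OTP body
        string otpFromOtherKey = "vvvvvvbcgujh" + new string('c', 32);

        Console.WriteLine(OtpBelongsToUser(otpFromOwner, enrolledId));
        Console.WriteLine(OtpBelongsToUser(otpFromOtherKey, enrolledId));
        Console.WriteLine(OtpBelongsToUser("not-an-otp", enrolledId));
        Console.WriteLine(OtpBelongsToUser(otpFromOwner, null));
    }
}
```

In the adapter this runs inside TryEndAuthentication, with the OTP taken from the posted form and the stored ID taken from GetDeviceId for the UPN of the authenticating user. It only establishes the binding between user and key: the public ID is printed at the start of every OTP and is not a secret, so the OTP itself still has to be verified as genuine and not previously used against a YubiKey validation service (YubiCloud or a self-hosted validation server) before the factor counts as satisfied.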