PhenixID

Step by Step – ADFS – issue MFA-performed claim when using PhenixID Authentication Services as Claims Provider

Summary

This document will guide you through the steps to send a claim to a relying party from ADFS, indicating that MFA was performed, when PhenixID Authentication Services is used as the claims provider.

Background

In some use cases, authentication must take place with an external claims provider, such as PhenixID Authentication Services. Some Microsoft relying parties, such as M365 or other Azure-based services, might have access rules stating that the service/RP can only be accessed using multi-factor authentication. Such relying parties look for a specific claim in the assertion to verify that ADFS has performed MFA.

System Requirements

  • PhenixID Authentication Services added as a Claims Provider in ADFS
  • PhenixID Authentication Services Identity Provider (Claims provider) set up with MFA method(s)

Instruction

Configure PhenixID Authentication Services SAML attribute release

  1. Log in to Configuration Manager
  2. Navigate to the IDP used
  3. Click Execution flow
  4. Make sure the item property http://schemas.microsoft.com/claims/authnmethodsreferences is added with the value http://schemas.microsoft.com/claims/multipleauthn.
  5. Add the property http://schemas.microsoft.com/claims/authnmethodsreferences to the list of additional attributes on the AssertionProvider.
  6. Click Save

Create Passthrough claim rules

  1. Open ADFS Management console
  2. Navigate to the Claims Provider
  3. Edit claim rules
  4. Add a Passthrough rule
  5. Navigate to the relying party
  6. Edit claim rules
  7. Add a Passthrough rule
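
The same two pass-through rules can be scripted with the ADFS PowerShell module. This is an added example, not PhenixID's own script: the two trust names are placeholders to replace with the names shown in the ADFS Management console, and the rule is appended to the existing rule set rather than overwriting it.

```powershell
# Added example. Placeholders: replace with the trust names shown in AD FS Management.
$ClaimsProviderName = '<claims provider trust name>'
$RelyingPartyName   = '<relying party trust name>'

$ClaimType = 'http://schemas.microsoft.com/claims/authnmethodsreferences'

# Pass-through rule in AD FS claim rule language: issue every incoming claim
# of this type unchanged.
$Rule = @"
@RuleName = "Pass through authnmethodsreferences"
c:[Type == "$ClaimType"]
 => issue(claim = c);
"@

function Add-RuleIfMissing {
    param([string]$ExistingRules, [string]$NewRule, [string]$Type)
    # Leave the rule set untouched if some rule already names the claim type,
    # so running the script twice does not add a duplicate.
    if ($ExistingRules -and $ExistingRules.Contains($Type)) {
        Write-Warning "A rule already references $Type; rule set left unchanged."
        return $ExistingRules
    }
    return (@($ExistingRules, $NewRule) | Where-Object { $_ }) -join "`r`n`r`n"
}

# Claims provider trust: acceptance transform rules (steps 2-4 above).
$cp = Get-AdfsClaimsProviderTrust -Name $ClaimsProviderName
if (-not $cp) { throw "Claims provider trust '$ClaimsProviderName' not found." }
Set-AdfsClaimsProviderTrust -TargetName $ClaimsProviderName `
    -AcceptanceTransformRules (Add-RuleIfMissing $cp.AcceptanceTransformRules $Rule $ClaimType)

# Relying party trust: issuance transform rules (steps 5-7 above).
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found." }
Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName `
    -IssuanceTransformRules (Add-RuleIfMissing $rp.IssuanceTransformRules $Rule $ClaimType)

# Print the resulting rule sets for review.
(Get-AdfsClaimsProviderTrust -Name $ClaimsProviderName).AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).IssuanceTransformRules
```

Run it in an elevated PowerShell session on the primary ADFS server. If the warning appears, review the existing rule for that claim type in the console before changing anything.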

Test

  1. Browse to the RP
  2. Redirect to ADFS
  3. Redirect to PhenixID Authentication Services
  4. Authenticate (MFA)
  5. Redirect to ADFS
  6. Redirect to RP (no additional MFA should be required)


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se