I have an application that authenticates against ADFS 2 via WS-Federation. I look for a specific claim when I get the response back from ADFS and, based on that claim, I am able to authorize the user into my application. I want to create an enhancement in which, when a user authenticates against ADFS and comes back to my application WITHOUT the claim I require, I redirect them back to the Identity Provider (ADFS), but this time FORCING them to provide their credentials again. I wrote my code to detect an authenticated user that is missing the claim I require and send them back to reauthenticate, this time sending along the "Freshness" parameter (wfresh=0). I was under the impression that this would prompt the user for credentials, but it seems to just reuse the original credentials, which, of course, causes an infinite loop (which ADFS halts). How can I achieve this?

My URL looks like this when I send them back to the IdP after not having the required claim:

https://somedomain.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=https%3a%2f%2fanotherdomain.com%2flogin.ashx&wreply=https%3a%2f%2fanotherdomain%2flogin.ashx&wctx=1106273&wfresh=0
4

2 Answers

3

wfresh makes no sense with integrated authentication. You are always logged in to AD and cannot log out. For forms-based authentication the situation may be different, but I haven't tried that in ADFS yet.

Answered 2013-06-21T04:56:55.183
0

I suspect the default value of wfresh is zero.

Have you tried without wfresh?

Also, you can sign out - AD FS: How to Invoke a WS-Federation Sign-Out

Answered 2013-06-20T21:45:53.293
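The flow described in the question, combined with the sign-out step from the second answer and an attempt counter carried in wctx so the relying party stops instead of looping, as an added example that is not code from the question or either answer. The IdP and application hosts, the claim type and the counter name are assumptions.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed values (assumptions); the question's real hosts are not used here.
ADFS_LS = "https://idp.example/adfs/ls/"                  # ADFS passive endpoint
REALM = "https://app.example/login.ashx"                  # wtrealm and wreply of the RP
REQUIRED_CLAIM = "http://schemas.example/claims/app-role" # hypothetical claim type
MAX_REAUTH = 1   # one forced re-login; after that, deny rather than loop


def has_required_claim(claims: dict) -> bool:
    """claims maps claim type -> value as issued in the ADFS token."""
    return bool(claims.get(REQUIRED_CLAIM))


def signin_url(wctx: str, fresh: bool = False) -> str:
    params = {"wa": "wsignin1.0", "wtrealm": REALM, "wreply": REALM, "wctx": wctx}
    if fresh:
        # wfresh=0 asks the IdP for fresh credentials; as the first answer notes,
        # the integrated-auth endpoint ignores it because the Windows logon persists.
        params["wfresh"] = "0"
    return ADFS_LS + "?" + urlencode(params)


def signout_url(wreply: str) -> str:
    # Second answer: end the ADFS session first so the next sign-in must prompt.
    # wreply must be a return URL the RP trust accepts (assumption).
    return ADFS_LS + "?" + urlencode({"wa": "wsignout1.0", "wreply": wreply})


def next_action(claims: dict, wctx: str) -> Tuple[str, Optional[str]]:
    """Decide what the RP does after ADFS posts a token back.

    wctx carries 'reauth=N', the number of forced re-logins already attempted,
    so a user who never receives the claim is denied instead of bounced forever.
    """
    if has_required_claim(claims):
        return ("allow", None)
    attempts = int(parse_qs(wctx).get("reauth", ["0"])[0])
    if attempts >= MAX_REAUTH:
        return ("deny", None)   # claim still missing after a fresh login
    # Sign out at ADFS, returning to login.ashx, which will then issue
    # signin_url(new_ctx, fresh=True) for the forced re-login.
    new_ctx = urlencode({"reauth": attempts + 1})
    return ("signout", signout_url(REALM + "?" + new_ctx))
```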