Replies: 2 comments
-
|
Absolutely! My initial intent with this project was to get on-premises Active Directory integration and an ADFS MFA adapter so that users could register organizationally approved FIDO2 authenticators to their AD user accounts and then use those authenticators to log on through ADFS to federated applications and/or other applications behind ADFS in a one-shot manner for true, secure passwordless login experience. If you look at https://github.com/abergs/fido2-net-lib/blob/ActiveDirectory/fido2-net-lib/ActiveDirectoryStore.cs, there is the start of an implementation of this. It starts with a small schema addition to support adding a FIDO2 authenticator object as a child object, very similar to how ActiveSync devices work. When registering an authenticator on the sample app, the authenticator is associated to the user object so that the next time that authenticator object is found during a logon, the server knows who the associated user is and can process the logon accordingly. I have tested the sample to work that far, but the concept could allow for token pre-registration by administrators, user self-service add/remove of authenticators, and other help desk workflow scenarios, including things like authenticator inventory lifecycle, or allowing removal of lost/stolen authenticators or removing all authenticators of a certain type (by AAGUID for instance) if that type of authenticator has been found to be compromised or otherwise been made obsolete, or notifying or forcing users to update firmware or such. |
Beta Was this translation helpful? Give feedback.
-
|
Good starting example, questions
|
Beta Was this translation helpful? Give feedback.
-
I get a lot of emails about how this can be integrated with both on-premise AD and Azure AD.
@aseigler You have worked on this. Can we do a write-up or share some examples?
Beta Was this translation helpful? Give feedback.
All reactions