My goal is to delegate authentication from my OIDC Identity Provider (using Identity Server 4) to an ADFS. In ADFS I would like to configure as well that MFA has to be used in that scenario.

According to the docs and my interpretation I created a Server application client under AD FS -> Application Groups. That definition gives me a client id and client secret, which is fine since my IDP is a confidential client. Delegating works fine. The problem is now that I cannot configure an authentication policy applied to that client that requires the user to use MFA when logging in.

The Web Api client definition is the only one (opposed to Native application and Server application) which allows configuring authentication policies. (Visible in the example here). I do not understand why Web API exist as possible application type. The web api will not request an access or id token from ADFS. It only has to validate tokens. But there seems to be some dependency (because of the Client-Server application templates) between Web API and Native application or Server application.

Is it possible, and how can I configure a confidential client using authentication policies?

1 Answer

Meanwhile I found a solution on stackoverflow.

Cited:

It appears that this is possible by defining two applications in the same application group:

The server application, which has a client secret in addition to client id
The WebAPI application, for which you can define an access policy.

In order to make this work, you need to assign the relying party identifier (the client id of the server application) to the WebAPI identifiers and ensure that the "Client permissions" of the WebAPI application contain the server application.

If the access policy is not evaluated successfully, the relying party (the application requesting authentication) will receive an access_denied message.
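The two-application setup the cited answer describes, as an added example using the AD FS PowerShell cmdlets (not code from the question, the answer or the stackoverflow post); it assumes it runs on an AD FS 2016 or later server, and the group name, identifiers, redirect URI and scope are placeholders:

```powershell
# Added example: create a server application (confidential client) and a Web API
# application in one application group, give the Web API the server application's
# client id as its identifier, attach the built-in MFA access control policy, and
# grant the server application permission to call the Web API.
Import-Module ADFS

$groupId     = 'IdentityServerDelegation'                # assumed group identifier
$clientId    = [guid]::NewGuid().ToString()              # becomes the relying party identifier
$redirectUri = 'https://idp.example.test/signin-adfs'    # placeholder redirect URI of the IdP

New-AdfsApplicationGroup -Name $groupId -ApplicationGroupIdentifier $groupId

# 1. Server application: confidential client with a generated client secret.
$server = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupId `
    -Name "$groupId - Server application" -Identifier $clientId `
    -RedirectUri $redirectUri -GenerateClientSecret -PassThru
# $server.ClientSecret is shown only once; put it in the IdP's secret store now.

# 2. Web API application whose identifier is the server application's client id,
#    so the access control policy is evaluated for that relying party.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupId `
    -Name "$groupId - Web API" -Identifier $clientId `
    -AccessControlPolicyName 'Permit everyone and require MFA'

# 3. Client permissions: the server application may request tokens for the Web API.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId -ScopeNames 'openid'

# Verify that the policy is attached to the Web API application.
Get-AdfsWebApiApplication -Identifier $clientId |
    Select-Object Name, Identifier, AccessControlPolicyName
```

With this in place a sign-in from the IdP that does not satisfy the policy ends in the access_denied response the answer mentions, which is the signal to watch for in the AD FS admin event log when troubleshooting.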