
We are doing SSO using ADFS and Shibboleth SP.

In a perfect world, Windows authentication would always work, i.e., the user accesses https://shibboleth/Login?target=somewhere, is redirected to https://adfs/adfs/ls/SomeSamlRequest, the browser authenticates the user in the background using some Active Directory magic and finally, the user is redirected to the desired page without having encountered some login form or dialog.

However, in case this doesn't work, the user is shown an HTTP authentication dialog. Is there a way to configure how many login attempts the user gets and where to redirect them when authentication fails?

Julian B

2 Answers

It depends. Do you control the AD & Shib IDP & Shib SP? Then you can do it in a lot of ways. You could just rely on AD functionality to lock users with too many failed logins. That's what we did.

If you control the IDP you can contact these guys: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass as they have done it before (see section: Stacking Login Modules).

If you want an easy and cheap solution (but obviously not a good one) you can delay the login attempts on the front end to mitigate brute force login attacks, or even block a certain username after too many login attempts.

embedded

  • We're only using Shibboleth SP, sorry if that was unclear. We don't actually want to lock the account after failed attempts, but redirect the user to an alternative login page. – Julian B Dec 09 '15 at 09:24


Is there a way to configure how many login attempts the user gets?

AFAIK, Internet Explorer tries to authenticate the user 3 times using Windows Integrated Authentication (WIA) before showing the prompt. When the user sees the prompt, I think he can try as many times as he wants, but usually his account ends up being locked in Active Directory after some time.

and where to redirect them when authentication fails?

No, there is no option in ADFS to redirect the user to another page when Windows Integrated Authentication fails.

If you have a box (for instance a reverse proxy) between your user and your ADFS server, you could develop something to add this behaviour, but it is quite complex IMHO.

Matthieu