{"id":19946788,"url":"https://github.com/privacyidea/adfs-provider","last_synced_at":"2025-05-03T17:33:33.740Z","repository":{"id":43596676,"uuid":"359453992","full_name":"privacyidea/adfs-provider","owner":"privacyidea","description":"Authentication provider for Microsoft AD FS to use with privacyIDEA.","archived":false,"fork":false,"pushed_at":"2023-03-27T10:56:15.000Z","size":623,"stargazers_count":19,"open_issues_count":7,"forks_count":4,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-04-24T06:22:52.938Z","etag":null,"topics":["2fa","adfs","authentication","mfa","multi-factor-authentication","security"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/privacyidea.png","metadata":{"files":{"readme":"README.md","changelog":"Changelog.md","contributing":null,"funding":null,"license":"License","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-04-19T12:37:48.000Z","updated_at":"2024-03-16T20:53:53.000Z","dependencies_parsed_at":"2023-01-31T03:16:04.272Z","dependency_job_id":null,"html_url":"https://github.com/privacyidea/adfs-provider","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/privacyidea%2Fadfs-provider","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/privacyidea%2Fadfs-provider/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/privacyidea%2Fadfs-provider/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/privacyidea%2Fadfs-provider/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/privacyidea","download_url":"htt
ps://codeload.github.com/privacyidea/adfs-provider/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224370127,"owners_count":17299965,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","adfs","authentication","mfa","multi-factor-authentication","security"],"created_at":"2024-11-13T00:32:42.430Z","updated_at":"2024-11-13T00:32:42.954Z","avatar_url":"https://github.com/privacyidea.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Acknowledgement\nThis project builds on Stephan Traub's [original provider v1.3.8.2](https://github.com/sbidy/privacyIDEA-ADFSProvider/tree/f66100713e650d134ac50fcbd3965b71ae588d47). \n\n## Preface\nIf you face issues, please check the sections below on how to generate information that can be used to find the problem.\n\n## Requirements\nTo use the provider, the [.NET Framework 4.8](https://dotnet.microsoft.com/download/dotnet-framework/net48) is required on the target machine.\n\n## Signing\nThe DLL created by this solution must be signed before it can be deployed. 
Change the key file to your own in the project settings of the provider.\n\n## Windows Server 2019\nIf you use Windows Server 2019, please activate TLS 1.x for .NET, because TLS 1.0 is deprecated.\nAdding `\"SchUseStrongCrypto\"=dword:00000001` to `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319`\nand `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\v4.0.30319` fixes the problem.\n\n## Installation\nRun the MSI.\n\n## Event Log\nErrors will be written to the Windows Event Log in the `AD FS/Admin` category. To get a more detailed log, activate the `debug_log` setting as explained in the next section.\n\n## Configuration\nThe provider is configured using the registry. The keys are located at `HKEY_LOCAL_MACHINE\\SOFTWARE\\NetKnights GmbH\\PrivacyIDEA-ADFS`.\nAfter changing the configuration, the AD FS Service has to be restarted for the changes to become active. This can be done using the PowerShell command `Restart-Service adfssrv`.\n\n| Key Name | Explanation |\n| ----- | ----- |\n| url | The URL of the privacyIDEA server. Has to include https://! |\n| disable_ssl | Set to `1` if SSL verification should be disabled. DO NOT DISABLE THIS IN A PRODUCTION ENVIRONMENT! |\n| debug_log | Set to `1` if a detailed debug log should be written. It will be located at `C:\\PrivacyIDEA-ADFS log.txt`. |\n| enable_enrollment | Set to `1` if users should automatically enroll a TOTP code if they do not have any other tokens enrolled. **!!! This feature is deprecated in favor of the new enrollment that can be controlled from the privacyIDEA server starting v3.8.0, and will be removed in a future version of this provider. !!!** |\n| realm | Set the realm that should be appended to every request. If this is empty, the realm parameter will be omitted from requests. |\n| service_user | Set the username of a privacyIDEA service account that can be used to trigger challenges. 
Configuring this is only required to use the `trigger_challenges` or `enable_enrollment` settings! |\n| service_pass | Set the password of a privacyIDEA service account that can be used to trigger challenges. Configuring this is only required to use the `trigger_challenges` or `enable_enrollment` settings! |\n| service_realm | Set the realm of a privacyIDEA service account that can be used to trigger challenges. This realm setting can be used if the service account is found in a different realm than the other one specified. |\n| trigger_challenges | Set this to `1` to trigger challenges prior to the login using the configured service account. This setting takes precedence over `send_empty_pass`. |\n| send_empty_pass | Set this to `1` to send a request to validate/check with the username and an empty pass prior to the login. This can be used to trigger challenges depending on the configuration in privacyIDEA and **requires no service account**. If `trigger_challenges` is enabled, this setting has no effect. |\n| use_upn | Set this to `1` to use the Windows UPN (person@company.com) as the username for requests to privacyIDEA. |\n| tls_version | If you want to set the TLS version explicitly, set it to: `tls11`, `tls12` or `tls13`. Other values will be ignored and the TLS version will stay at the system default. |\n| forward_headers | If you want to forward specific headers to the privacyIDEA server, you can set them here. If a header does not exist or has no value, it will be ignored. The header names should be separated with ','. |\n| preferred_token_type | Set the token type for which the UI should be shown first. This only matters if such a token was triggered before. Possible values are `otp`, `push`, `u2f` and `webauthn`. The default is OTP mode. |\n\n### Domain to Realm Mapping\nIt is possible to map different Windows domains to different privacyIDEA realms. To achieve this, add the subkey `HKLM\\SOFTWARE\\Netknights GmbH\\PrivacyIDEA-ADFS\\realm-mapping`. 
Now you can add REG_SZ entries that have the name of the Windows domain and the value of the corresponding privacyIDEA realm. Note that the realm mapping takes precedence over the general realm that can be configured as explained in the previous section.\n\n## Debugging\nErrors in the provider can be found by looking at the Windows Event Log or activating the `debug_log` setting.\nIf the installer fails to install/uninstall the Provider, a logfile for that process can be created using the `cmd`:\n\ninstall:      `msiexec /i ADFSProvider.msi /L*V install.log`\n\nuninstall:    `msiexec /x ADFSProvider.msi /L*V uninstall.log`\n\nThe problematic part will probably be found in the last third of the log file.\n\nIf the provider fails to uninstall, you can uninstall it manually by navigating to `C:\\Program Files\\PrivacyIDEA AD FS\\` and running the uninstall script. Doing this will leave the registry untouched and the provider in the installed software list. To remove it from the list, remove its registry entry at `HKLM\\SOFTWARE\\Classes\\Installer\\Products\\`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprivacyidea%2Fadfs-provider","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprivacyidea%2Fadfs-provider","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprivacyidea%2Fadfs-provider/lists"}