Change MFA settings endpoint

[derSchweiger]

Hi,

first of all: great work and thank you very much for maintaining this project! Currently, I am testing this solution and it fits perfectly into our On-Premises first mindset.

I've a question regarding the user controls for changing the MFA settings. If you want to change the second factor, you've to login to an application which redirects the user to the ADFS farm. From there, it's possible to login and choose "After login change settings" to adapt your MFA settings. Is there another way to achieve this? Something like a user profile endpoint? I'm thinking of some workflow like browsing to "adfs/ls/idpinitiatedsignon", logging in and changing the user settings from there without the need to browse to an application first.

[redhook62]

Hi, @derSchweiger

Thanks,

You must know, we have done everything to ensure security, and it is our workhorse.

Going through the mfa to change its own parameters seems very logical to us.

Currently, the user concerned can ask the administrators to make this change for them either with the MMC console or in powershell.

This is also accessible in remote-powershell, but of course you must be an administrator or be part of the delegated administration group.

For an endpoint accessible directly from the internet without going through MFA, is not acceptable for us, and it is certainly not easier for a basic user who is not a developer.

On the other hand, if you develop, you can consider creating a site or a web API using the Powershell of adfmfa, it is not very complex to achieve, but be careful not to open doors...

I hope I have answered your question, as they say for old timers like me: IT is very simple, there are two things to remember, "you can" or "you must".

I prefer to assume a bug in security, than to open a door by indicating like Microsoft and others:
"You accepted the trick", so we are not responsible, it is your problem...

I think the easiest thing for you is that the user concerned, tired of going through the MFA to change his options, asks the administrators to do it for him.

regards

redhook

[derSchweiger]

Hi @redhook62,

thank you very much for your quick response.
Perhaps I have expressed myself incorrectly. I don't want to allow users to change their MFA settings without verifying first with their current MFA. I agree, that this could be a potential security risk. By enabling MFA we want to make sure, that users are only allowed to login by using the first and second factor.

What I wanted to ask is, whether or not there is an endpoint in ADFS for users to change their already configured MFA settings. Let's imagine the following scenario:
I am a user and I want to change my current MFA settings. Which options do I have? As far as I know the only option is, to open an application which is protected by ADFS (SAML, openID Connect, ...), try to login, get redirected to ADFS and then change my MFA settings from there.
I think it would be much more convenient, if we could populate a static URL (e.g. https://adfs.contoso.com/adfs/portal/profile) where the users are able to login with their credentials + second factor and than have something like an ADFS MFA profile interface. It could be designed similar to the already integrated "update password interface": https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/update-password-customization

[redhook62]

Hi @derSchweiger

Yes, it's clearer.
In short, you want a directly accessible options management page, a bit like for azure AD.

Currently, this seems impossible, because apart from static resources, it is impossible to add "active" endpoints to ADFS.
The pluggin is only loaded by ADFS at the time of authentication.

Anyway, it's a feature that could be considered,
In any case not before version 4.0 of this fall

regards

[derSchweiger]

Thank you for your feedback!