ADFS authentication customization

Active Directory Federation Services (ADFS) offers a lot of room for customization. Because it is C# based and runs on IIS, you can do basically anything. Most people, however, want to add two-factor authentication or customize the look and feel. In this article we will first implement an additional shared password for all users, and then show how you can extend this functionality into a two-factor authentication mechanism.

When doing these customizations, you need to use forms authentication. I therefore assume that you know how to configure it (your ADFS proxy server(s) are already configured this way). The files we will be modifying are FormsSignIn.aspx and FormsSignIn.aspx.cs.

The first thing you want is to add the following to your FormsSignIn.aspx file. This just adds the PIN text box, nothing else.

<tr>
	<td>
		<span class="Label">PIN</span>
	</td>
	<td>
		<%-- The text box itself; its ID (PINTextBox) is what the code-behind reads. --%>
		<asp:TextBox runat="server" ID="PINTextBox" TextMode="Password" autocomplete="off" />
	</td>
	<td>&nbsp;</td>
</tr>

After modifying the file, your login page should look something like the following.

When you hit Enter or the Sign In button, the method SubmitButton_Click defined in FormsSignIn.aspx.cs is called. By default, this just involves calling SignIn( UsernameTextBox.Text, PasswordTextBox.Text ) and catching an exception if the authentication fails, but we want more. Continue editing FormsSignIn.aspx.cs, replacing SubmitButton_Click with the following modified version.

// Shared PIN check. The hard-coded value is deliberate for this first step;
// replace the body with a lookup against your own PIN/OTP backend later.
protected bool VerifyPIN(string username, string PIN)
{
	return PIN.Equals("12345");
}

protected void SubmitButton_Click( object sender, EventArgs e )
{
	try
	{
		// Check the PIN first; on failure show an error and never reach SignIn.
		if (!VerifyPIN(UsernameTextBox.Text, PINTextBox.Text))
		{
			ErrorTextLabel.Visible = true;
			ErrorTextLabel.Text = "Wrong PIN";
			return;
		}

		// PIN was ok, let's continue with SignIn
		SignIn( UsernameTextBox.Text, PasswordTextBox.Text );
	}
	catch ( AuthenticationFailedException ex )
	{
		HandleError( ex.Message );
	}
}

After changing this, the PIN for all users must be 12345, or they will not be able to log on. Now this does not seem too handy, I understand, but at this point, instead of checking whether the PIN is 12345, you can check against a database, a web service, a RADIUS service or other one-time password services. Just put whatever you need in the VerifyPIN function. I'll make an article on it some day.
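As an added example of what that VerifyPIN body can grow into (this is not code from the article or from ADFS), the class below treats the PIN field as a time-based one-time password (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) and looks the user's secret up per user. The page's VerifyPIN(username, PIN) would simply delegate to TotpPinVerifier.VerifyPIN. The class name, the in-memory UserSecrets dictionary and the secret in it are all constructed stand-ins; in a real deployment the secrets come from a store you control.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not part of the original article: per-user TOTP verification
// that can replace the shared-PIN check in FormsSignIn.aspx.cs.
public static class TotpPinVerifier
{
    // Constructed sample data (assumption): username -> Base32-encoded secret.
    // A real implementation reads this from a database or directory attribute.
    private static readonly Dictionary<string, string> UserSecrets =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "CONTOSO\\alice", "JBSWY3DPEHPK3PXP" } // placeholder secret
        };

    private const int Digits = 6;
    private const int StepSeconds = 30;
    private const int AllowedDrift = 1; // accept one step before and after "now"
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Entry point with the same shape as the article's VerifyPIN.
    public static bool VerifyPIN(string username, string pin)
    {
        return VerifyPIN(username, pin, DateTime.UtcNow);
    }

    // Overload taking the clock explicitly so the logic can be unit-tested.
    public static bool VerifyPIN(string username, string pin, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(pin) || pin.Length != Digits)
            return false;
        foreach (char c in pin)
            if (c < '0' || c > '9') return false;

        string base32;
        if (!UserSecrets.TryGetValue(username, out base32))
            return false; // unknown user: fail closed

        byte[] key = Base32Decode(base32);
        long step = (long)(utcNow - Epoch).TotalSeconds / StepSeconds;

        // Evaluate every window and OR the results so timing does not reveal
        // which step (if any) matched.
        bool ok = false;
        for (long offset = -AllowedDrift; offset <= AllowedDrift; offset++)
            ok |= FixedTimeEquals(Hotp(key, step + offset), pin);
        return ok;
    }

    // RFC 4226 HOTP with dynamic truncation, counter as 8-byte big-endian.
    private static string Hotp(byte[] key, long counter)
    {
        byte[] msg = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg);

        byte[] hash;
        using (var hmac = new HMACSHA1(key))
            hash = hmac.ComputeHash(msg);

        int off = hash[hash.Length - 1] & 0x0F;
        int binary = ((hash[off] & 0x7F) << 24)
                   | ((hash[off + 1] & 0xFF) << 16)
                   | ((hash[off + 2] & 0xFF) << 8)
                   | (hash[off + 3] & 0xFF);
        int otp = binary % (int)Math.Pow(10, Digits);
        return otp.ToString().PadLeft(Digits, '0');
    }

    // Minimal RFC 4648 Base32 decoder (the encoding authenticator apps use).
    private static byte[] Base32Decode(string s)
    {
        const string alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
        var output = new List<byte>();
        int buffer = 0, bits = 0;
        foreach (char raw in s.TrimEnd('='))
        {
            int val = alphabet.IndexOf(char.ToUpperInvariant(raw));
            if (val < 0) throw new FormatException("invalid Base32 secret");
            buffer = (buffer << 5) | val;
            bits += 5;
            if (bits >= 8)
            {
                bits -= 8;
                output.Add((byte)((buffer >> bits) & 0xFF));
                buffer &= (1 << bits) - 1; // keep only the unconsumed bits
            }
        }
        return output.ToArray();
    }

    // Length-independent comparison so a partially correct code does not
    // return faster than a wholly wrong one.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the article's check runs before SignIn, a wrong PIN is rejected without the password ever being sent to the domain controller, which keeps the second factor from becoming a signal about whether the first one was right; an unknown user fails closed for the same reason.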
