AD FS 2.0, out of the box, supports four local authentication types:
By default AD FS 2.0 Federation Servers use IWA and AD FS 2.0 Federation Server Proxy servers use FBA. The reason for this is because we assume that you would prefer no credential prompt for your internal users who can directly contact your internal Federation Servers, and we also assume that users who are coming from the internet via the Federation Server Proxy servers would not be able to experience integrated Windows authentication, thus a customizable forms-based page is the best fit.
If you prefer to select a non-default local authentication type, perform the following steps:
Note: There is no need to restart IIS or make any further changes. Your change will be immediately picked up by IIS since you edited the web.config.
Example:
If I want to change the local authentication type for my internal Federation Servers from IWA to FBA, the resultant web.config section would look like this:
<microsoft.identityServer.web> <localAuthenticationTypes> <add name="Forms" page="FormsSignIn.aspx" /> <add name="Integrated" page="auth/integrated/" /> <add name="TlsClient" page="auth/sslclient/" /> <add name="Basic" page="auth/basic/" /> </localAuthenticationTypes> Also see Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type
Adam Conkle - MSFT edited Original. Comment: Author should be Adam Conkle - MSFT
What if you wanted a mix of IWA and FBA. I have some users that use common workstations. For most users we want IWA but for a few we want FBA. Or a special link that forces FBA when the default is IWA. Somthing similar to ?LoginToRp
Hi realcoder,
WS-Federation provides WAUTH as a query string parameter, and SAML 2.0 provides RequestedAuthNContext for authN method selection at runtime. You could also modify the AD FS 2.0 sign-in pages to implement authN method selection in the UI, multi-factor authN, or similar.
Sorry for the severe lapse in time before responding. :)
Thanks,
Adam
Can I add two <localAuthenticationTypes>
I have two pages for FormsSignIn.aspx and FormsSignInMobile.aspx
one is for normail browser, another is for mobile phone browser.