000029412 - AD FS 1.0 Agent: How to setup for authenticating with the user's UPN rather than WindowsAccountName or samAccountName

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000029412
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for AD FS
RSA Version/Condition: 1.0
Platform: Windows
Platform (Other): null
O/S Version: null
Product Name: RSA-0010010
Product Description: RSA Authentication Manager
Problem: A site's SecurID usernames are in UPN format, for example gjetson@cogswellcogs.com. To authenticate with a UPN through the AD FS Agent, there are two separate issues to overcome.
  1. A UPN, by definition, includes a domain component. By default, the ADFS Agent – like the Windows Agent (aka LAC) – does not include the domain component in the username that it sends to Authentication Manager. Thus, the AD FS Agent will attempt to authenticate gjetson@cogswellcogs.com by sending a username of “gjetson” to Authentication Manager. Such an authentication attempt would (obviously) fail.
That can be easily addressed by enabling the AD FS Agent policy named “Send Domain”. That policy is set via a GPO template that ships with the ADFS Agent and is documented in the RSA® Authentication Agent 1.0 for Microsoft® AD FS Group Policy Object Template Guide (“Authentication_Agent100ADFS_gpo_template_guide.pdf”).
  2. The API that Microsoft defines for AD FS MFA adapters to implement has a limitation: an adapter can define only ONE form of identity claim type (from among a set of defined claim types) that it supports. The RSA adapter defines the “WindowsAccountName” (SAM format) claim type, following Microsoft’s recommendation. Microsoft notes that the UPN type (among others) may not always be available to AD FS – and if a type is not available, adapters that support it will not be called. That means that, while the user may have provided a username of “gjetson@cogswellcogs.com” to Microsoft to perform domain authentication (which occurs before the AD FS authentication), Microsoft will call the AD FS Agent with a username of “COGSWELLCOGS\gjetson”, and the Agent has no way to reliably work back to the original UPN name.
That can be addressed by defining an alias (the SAM name) for the SecurID user. (See the Security Console Help for how to set up user aliases.)
Resolution: NOTE: This solution is for the RSA AD FS 1.0 Agent. The AD FS 1.0.1 agent allows a GPO setting that directs the agent to send the UPN, whereas the 1.0 agent can only send the SAM format.
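To make the two hand-offs concrete, here is a small Python model of the identity mapping described above (an added illustration written for this article, not RSA's or Microsoft's code): what AD FS passes to the adapter, what the 1.0 agent forwards with and without Send Domain, and how an alias lets Authentication Manager find the UPN-named user. The NetBIOS domain map, the DOMAIN\user form assumed under Send Domain, and the sample users are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecurIDUser:
    """A user as defined in Authentication Manager: a User ID plus optional aliases."""
    user_id: str
    aliases: Set[str] = field(default_factory=set)


def windows_account_name(upn: str, netbios_domains: Dict[str, str]) -> str:
    """The WindowsAccountName (DOMAIN\\user) claim AD FS hands the MFA adapter,
    derived from the UPN the user typed. The domain map is constructed sample data."""
    local_part, _, dns_domain = upn.partition("@")
    return f"{netbios_domains[dns_domain.lower()]}\\{local_part}"


def agent_username(account_name: str, send_domain: bool) -> str:
    """Username the 1.0 agent forwards to Authentication Manager.
    Default behaviour drops the domain; with 'Send Domain' enabled it is kept
    (the DOMAIN\\user form here is an assumption of this model)."""
    _, sep, user = account_name.rpartition("\\")
    return account_name if (send_domain and sep) else user


def resolve(username: str, users: List[SecurIDUser]) -> Optional[SecurIDUser]:
    """AM-side lookup: match the User ID or any alias, case-insensitively."""
    key = username.lower()
    for user in users:
        if key == user.user_id.lower() or key in {a.lower() for a in user.aliases}:
            return user
    return None


def mfa_lookup(upn, users, netbios_domains, send_domain: bool) -> Optional[SecurIDUser]:
    """End to end: UPN typed at AD FS -> claim passed to adapter -> name sent to AM."""
    account = windows_account_name(upn, netbios_domains)
    return resolve(agent_username(account, send_domain), users)


# Constructed sample data matching the article's example.
NETBIOS = {"cogswellcogs.com": "COGSWELLCOGS"}
UPN_ONLY = [SecurIDUser("gjetson@cogswellcogs.com")]
WITH_ALIAS = [SecurIDUser("gjetson@cogswellcogs.com",
                          {"gjetson", "COGSWELLCOGS\\gjetson"})]

if __name__ == "__main__":
    for send_domain in (False, True):
        print("Send Domain =", send_domain,
              "| no alias:", mfa_lookup("gjetson@cogswellcogs.com", UPN_ONLY, NETBIOS, send_domain),
              "| with alias:", mfa_lookup("gjetson@cogswellcogs.com", WITH_ALIAS, NETBIOS, send_domain))
```

Without an alias the lookup fails in both Send Domain settings, because Authentication Manager only knows the UPN form; defining the SAM name as an alias is what closes the gap.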