Authentication mechanism assurance
The integrated Kerberos Adapter supports authentication mechanism assurance from Active Directory domain service.

With an Identity Provider (IdP), you can use the Token Authorization framework to verify the ObjectSID and SIDs values before issuing a token. Alternatively, you can map the SIDs value to an attribute in the contract and let the Service Provider (SP) determine whether the user meets the requirements to access the protected resource. For the purpose of protecting resources based on sign-on method, authentication mechanism assurance from Active Directory (AD) domain service adds an additional group membership to the user's security identifiers attribute (SIDs) when a user signs on using a certificate-based sign-on method, such as a smart-card sign-on. For example, you can restrict access to sensitive resources to users who sign on by using their smart cards, which requires a physical reader that you place in a physically secured location.

The integrated Kerberos Adapter supports authentication mechanism assurance by including the ObjectSID and SIDs attributes of the authenticated user in the adapter contract.

If your use case requires authentication mechanism assurance, you can add a criterion in the Token Authorization framework to verify that the SIDs attribute contains the security identifier (SID) value associated with the required login method. If the SIDs attribute does not contain the specified SID value, the request is denied.
Alternatively, you can map the ObjectSID and SIDs attributes into the contract and let the SP determine whether the user meets the requirements to access the protected resource.
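The criterion described above, as an added example that is not part of the product's documentation or code: it takes the ObjectSID and SIDs attributes as they might arrive from the adapter contract and denies unless the SIDs attribute contains the assurance group SID as an exact entry. The group SID, the contract layout and the delimiter handling are assumptions; the check is written so that a SID that merely starts with the required value (a longer RID) does not match.

```python
import re
from typing import Iterable, Union

# Constructed placeholder for the group SID that AD adds on smart-card sign-on.
# In a real deployment this comes from the AMA policy in your domain.
SMART_CARD_ASSURANCE_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"

# S-1-<authority>-<subauthority>...; rejects anything that is not a well-formed SID.
SID_PATTERN = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)


def normalize_sids(sids: Union[str, Iterable[str]]) -> frozenset:
    """Return the SIDs attribute as a set of canonical SID strings.

    The attribute may be multi-valued (a list) or flattened into one
    delimited string; both forms are accepted (assumed delimiters: comma,
    semicolon, whitespace). Malformed entries are rejected rather than
    silently ignored, so a damaged attribute cannot satisfy the check.
    """
    parts = re.split(r"[,;\s]+", sids) if isinstance(sids, str) else list(sids)
    canonical = set()
    for raw in parts:
        value = raw.strip()
        if not value:
            continue
        if not SID_PATTERN.match(value):
            raise ValueError(f"malformed SID in SIDs attribute: {value!r}")
        canonical.add(value.upper())
    return frozenset(canonical)


def assurance_satisfied(sids_attr, required_sid: str = SMART_CARD_ASSURANCE_SID) -> bool:
    """True only if required_sid is an exact member of the SIDs attribute.

    Set membership, not substring search: "...-1105" must not be satisfied
    by an entry such as "...-11050".
    """
    return required_sid.upper() in normalize_sids(sids_attr)


def authorize(contract: dict) -> bool:
    """Token Authorization decision for a hypothetical contract dict.

    Deny when the user has no ObjectSID (not an authenticated AD principal)
    or when the SIDs attribute lacks the assurance group SID.
    """
    object_sid = contract.get("ObjectSID")
    if not object_sid or not SID_PATTERN.match(object_sid):
        return False
    return assurance_satisfied(contract.get("SIDs", []))
```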
For more information about authentication mechanism assurance, see the Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide from Microsoft’s documentation.