scs-cbu-ced-iam / adfs-mobileid Goto Github PK

If you set a mobile number like "testthisnumber" it will generate an error but that is not logged in the Event Log. It should show the mss:101

Mandatory to verify that the message has been signed
Optionally: certificate revocation over CRL and/or OCSP

When doing a Cancel on the Mobile ID side, it will be properly provided to the "polling":

but when hitting the "Cancel Login" on this screen it will go and stay on this one instead of going back to the initiating service provider (Office365, Sharepoint...):

Here the Log entries:

1. AuthnContext (AuthenticationStatement) should be urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract and not <saml:AuthenticationStatement+AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

2. Entire X509 Certificate of the signer

3. (Optional) Serialnumber of the DN
   This should also be possible to be set as NameID

4. SubscriberInfo (if present)

Reference of Claims https://technet.microsoft.com/en-us/library/dn280937.aspx

Only the first module is logging actively mobile id events (clients...) beside the startup events

When defining SsoOnCancel="True" the ADFS Startup raises an error:

There is no more revocation option in the Mobile ID itself (beside if CA will do it).

Therefore we should make it optional and by default "off" or even remove it completely.

C:\Program Files (x86)\MobileIdAdfs\v1.0>import_config.cmd "MobileId.Adfs.AuthnAdapter.xml"

DEBUG: CALL: Get-AdfsAuthenticationProvider -Name MobileID10
DEBUG: CALL: Get-AdfsGlobalAuthenticationPolicy | select -Property
AdditionalAuthenticationProvider
VERBOSE: MobileID10 is not enabled in ADFS
ImportMidAdfsConfig : Mobile ID Authentication Provider v10 is not installed
At C:\Program Files (x86)\MobileIdAdfs\v1.0\import_config.ps1:28 char:9
+   $rc = ImportMidAdfsConfig $cfgFile "10"
+ CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,ImportMidAdfsConfig
Import of config file 'MobileId.Adfs.AuthnAdapter.xml' failed.

It generates an error if you have a phone number with spaces or brackets.
Remove all spaces on the number before doing the call

1. Import of certificates
   Is it necessary to import the Swisscom Root certificate as well as the Mobile ID SSL certificate into the root store as they have the same fingerprint?

2. Event Log typo
   On the event log, we found a spelling error Success without 2 C see below
   og Name: Swisscom-MobileID-Adfs/Admin
   Source: Swisscom-MobileID-Adfs
   Date: 22.01.2016 14:44:22
   Event ID: 21
   Task Category: AuthenticationSucess

3. Documentation for the outgoing communication.
   In addition to https://mobileid.swisscom.com it should be described that the ADFS Plugin needs communication to swissdigicert.ch
   

Still referring to 1.0

Provide an option to define a list of allowed MCC valid for all users / requests.

See optional 'allowed_mcc' in https://github.com/SCS-CBU-CED-IAM/simplesaml-mobileid implementation in SCS-CBU-CED-IAM/simplesaml-mobileid#55