I'm attempting to create a custom AD FS 2.0 Sign In Page that will allow me to authenticate a user with an RSA SecurID token. I have read through the AD FS 2.0 Step-by-Step Guide: Integration with RSA SecurID in the Extranet, but that doesn't really solve the same problem. It details a scenario that secures the adfs/ls virtual directory with RSA, but once the user provides a valid username and passcode they are simply directed to the AD FS sign in page where they would need to enter their AD credentials to be authenticated.
I also looked at the RSA SecurID Web SDK, but it seems to primarily deal with provisioning and retrieval of tokencodes.
Finally, I've looked at the RSA Authentication Agent for Web for IIS, but it appears to only provide mechanisms to add, modify, or delete data within the authentication browser cookie.
Given the existing AD FS extensibility points, I believe I need to create a custom Forms Sign In Page. Instead of using the existing username/password authentication against Active Directory, I want to prompt for username and passcode and validate against the RSA Authentication Server. Once validated, I then need to have AD FS accept those credentials as a valid Active Directory user, generate the appropriate SAML ticket, and redirect back to the application provider federation service to continue the federated authentication flow.
That's where I'm stuck. I can't seem to find any mechanism to validate an RSA Tokencode in code (C#). If I could do that, I believe my next step would be to implement a custom ASP.Net Forms Authentication module, but I'm not entirely sure that's the right way to go.