0 votes

I am trying to understand how smartcard auth happens over Azure. I understand that we require on-prem ADFS; however, I am trying to figure out two things:

1) What exact exchange takes place between Azure and the client? Something like the below:

GET https://login.microsoftonline.com/{tenant}/oauth2/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=id_token+code&redirect_uri=http%3A%2F%2Flocalhost%3a12345&response_mode=form_post&scope=openid&resource=https%3A%2F%2Fservice.contoso.com%2F&state=12345&nonce=678910

2) How is the smartcard authenticated? Is it a challenge-response, or is the certificate verified? In the case of challenge-response, does the client generate signed data that is verified by ADFS?


1 Answer

0 votes

1) What exact exchange takes place between Azure and the client?

The sample request you mentioned is a sign-in request to get access tokens; for the exact exchange between Azure and the client, just refer to this link.


2) How is the smartcard authenticated? Is it a challenge-response, or is the certificate verified? In the case of challenge-response, does the client generate signed data that is verified by ADFS?

I think it may be a challenge-response, and the client will generate signed data that is verified by ADFS.

You could refer to this article, as mentioned in "How federated access works with Windows Azure" (Step 4):

The KDC issues the client a Service Ticket, containing the multifactor claims (this assumes that IT policy forced smartcard authentication at desktop login time, otherwise, AD FS can challenge to present a smartcard during this Windows Azure Management Portal login sequence).

The client PC presents the Service Ticket to AD FS. AD FS validates the Kerberos ticket and generates a signed SAML token for Windows Azure AD in the next step. AD FS will only send the signed SAML token if the credentials are valid.
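As an added example (not code from the question or the answer above), here is the sign-in request from question 1 built with correct URL encoding, together with the two checks a relying party must perform when the form_post reply comes back: the state must match the value stored for the browser session, and the id_token's nonce must match the nonce that was sent. The tenant name, the id_token fixture and the helper names are assumptions; verifying the id_token signature against the tenant's published signing keys is required in practice and is not shown here.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"


def new_binding_values():
    # state binds the reply to this browser session, nonce binds the id_token
    # to this request; both are stored server-side until the form_post arrives.
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def build_authorize_url(tenant, client_id, redirect_uri, resource, state, nonce):
    # Hybrid-flow request as in the question (id_token + code via form_post).
    # urlencode percent-encodes redirect_uri and resource, so no stray spaces
    # or raw ':' and '/' characters end up in the query string.
    params = {
        "client_id": client_id,
        "response_type": "id_token code",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid",
        "resource": resource,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def _jwt_payload(token):
    # Decodes only the payload segment; the signature is NOT checked here and
    # must be verified against the tenant's signing keys before any claim is trusted.
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def check_form_post(form_body, expected_state, expected_nonce):
    # Returns the authorization code only if state and nonce both match.
    fields = parse_qs(form_body)
    if fields.get("state", [None])[0] != expected_state:
        return None
    token = fields.get("id_token", [None])[0]
    if token is None or _jwt_payload(token).get("nonce") != expected_nonce:
        return None
    return fields.get("code", [None])[0]


def constructed_id_token(claims):
    # Constructed test fixture: JWT-shaped, alg "none", dummy signature segment.
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + ".sig"
```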