cancel
Showing results for 
Search instead for 
Did you mean: 

Access Policy for Remote Desktop with Azure MFA

veato
Nimbostratus
Nimbostratus

I have an access policy for my remote desktop service which is relatively straighforward - logon page (user, password and 2FA token) > AD Auth > Vasco Auth > Resource Assign (Remote Desktop and Webtop). Everything works fine including SSO for the remote desktops.

 

We're getting rid of Vasco now though and using Azure MFA. I've configured SAML and have tested that works in the access policy. For the test, the policy is now simply, SAML Auth > Resource Assign (Remote Desktop and Webtop). But of course you no longer get SSO for the remote desktop as it is expecting the AD sAMAccountName, password and domain.

 

Is there a way to obtain these details from the SAML claim so I don't need to include a second logon page? It would be nice, if at all possible, if the user just logs on once with their Azure creds. If it is possible how would I build that into the access policy?

1 REPLY 1

boneyard
MVP
MVP

no that is not possible as the SAML assertion wont contain the password. it can contain many things (i.e. sAMAccountName if known at the IdP (for Azure AD yes), the domain) but not the password.

 

a common case to solve SSO after SAML is to use Kerberos delegation, but that doesn't seem possible for RDP.

 

https://devcentral.f5.com/s/question/0D51T00006j4Kf0/kerberos-support-for-big-ip-rdp-gateway-for-rds-host

 

https://devcentral.f5.com/s/question/0D51T00007MzgEx/kerberos-auth-for-microsoft-remote-desktop-services-