ADFS MFA authentication issues, multiple password requests


I am trying to configure PrivacyID3A with ADFS as a second factor, but I have to use the password twice before the TOTP login works.

The whole story:

It is ADFS 2019 v4. I Installed the Plugin from GitHub - privacyidea/adfs-provider: Authentication provider for Microsoft AD FS to use with privacyIDEA.

and configured “realm”, “url” and the “debug_log” everything else is empty.

PrivacyIdea is activated as an “additional authentication method”.

I tried to authenticate the Relyingparty “o365”
which has an accessControlPolicy “Require MFA for specific users from group” I am in that group

Authentication goes as follows

  1. I am getting the normal Forms authentication, after successful entering the password
  2. I am queried for a “one-time-Password” (Description of the password field) which only accepts the userpassword, I just used in the forms authentication and not the TOTP token as I would have expected
  3. and when that was successful I get another prompt with the message “please enter otp:” and there the TOTP is accepted. and I am logged in.

So far so good authentication is generally working, but I seem to authenticate via Formsbased and after that authenticate with password and mfa via privacyIdea, which seems excessive to me.

I would like to keep using the Formsbased authentication and just query Privacyidea for only the secondFactor.

Maybe someone has already implemented such a configuration and can give me some hints

Thank you very much for your help

i am using the same setup ADFS-wise and do not need to enter my password in the OTP field. How is your privacyIDEA configured? Did you make a policy to have TOTP token in challenge-response mode and set PIN policy to userstore?
The “please enter otp:” is the default challenge message for OTP token, so i guess that might be the problem.

To me this looks like a configuration issue of the server! Read this:7.3. Authentication policies — privacyIDEA 3.6.2 documentation

thank you for the information, I talked with the admin of our privacyidea server.

He switched otppin to “tokenpin” it was working as expected with asking only the totptoken.
But we are indeed using the challenge-response mode, which as he states, is needed for beeing able to use smstokens.

I guess if that is really the case we have to use the privacyIdea ADFS Authentication as Primary Authentication in ADFS which is not my preferred option.

thank you for your help.

Well, your admin does not know tricks!

He could configure the policies this way, that you only need to enter TOTP and other their SMS.
Probably your admin has not read all the 800 pages of documentation.

He should check all the authentication policies!

Hint: 7.3. Authentication policies — privacyIDEA 3.6.2 documentation and search for the concept of trigger-challenge.


thank you very much that hint, helped a lot,

It works now.

Setting in the adfsprivacy Idea adfs module to get it working is
trigger_challenge = 1
service_user =
service_password =
service_realm =
realm =
url = https://diePIurl

with that settings in the privacyidea adfs module it now works as expected with adfs Forms based authentication and token request via PrivacyIDEA .

So thank you very much for your help.
have fun

1 Like