ADFS 3.0 inconsistent Duo prompt


#1

We are having issues with DUO and our ADFS 3.0 integration. We are rolling out Duo to a specific security group in AD. However, when they log into some ADFS sites like portal.office.com or some federated ADFS sites we have, we may or may not get the Duo Prompt. We are NOT remembering devices on the integration. The prompt for Duo 2fa is very inconsistent. There doesn’t seem to be a pattern with browser/OS. We will get the ADFS Auth prompt but then no Duo prompt. We are expecting that each time we have to authenticate we should get Duo, but we are not. Has anyone else seen this issue?


#2

I suspect it may be the feature update. Microsoft began rolling out reduced sign-in experience accross Office 365 and Azure tenants. The changes are detailed in the admin message center for O365 or the Microsoft Enterprise Mobility + Security blog.

The saved session tokens avoid login prompts and as a result you are not prompted for the DUO-ADFS login regardless of your remember devices setting.


#3

Let me add a little more detail… We do get the ADFS login prompt as expected - depending on the token life-cycle however, we do not get the Duo prompt after we receive each ADFS prompt. We would expect that if we get an ADFS prompt we would get a Duo prompt because Duo has device memory turned off. In addition, when we receive the ADFS prompt, and then do NOT receive the Duo prompt we also do NOT receive an entry in the Duo logs for device memory. This seems to indicate that ADFS simply isn’t checking Duo at all for some reason. We are going to test with the native ADFS + Microsoft Authenticator to see if we get better results.


#4

We solved our own problem. The agent must be installed on all ADFS servers in the farm handling authentication. If you get a particular server that doesn’t have the Duo agent running it won’t contact Duo and request the Duo second factor.