Is it possible to force a specific MFA provider based on a user-agent (ideal) or IP address (less ideal) in AD FS? Alternatively, is there another free SAML IdP that would allow this? Read below for why, in case there is another option that I am missing:

I’m using AD FS 3.0 as a SAML 2.0 IdP for a cloud service used internally at a business. I have enabled MFA using integrated Windows authentication and I have also enabled certificates as a second factor.

This works great on the domain-joined desktops we deploy. Once the user is logged into Windows, they are automatically logged into the cloud service assuming they have a valid certificate. They don’t have to do anything to authenticate and this is awesome.

This cloud service provides a mobile app for iOS and Android devices. The mobile app uses an embedded browser for authentication. During authentication, upon redirection to the IdP, AD FS falls back to forms-based authentication which is fine. However, when AD FS requests a client certificate, the embedded browser in these apps freezes. Thus, it is not possible to log into the apps using certificate-based authentication.

I’ve informed the vendor, they are able to replicate the issue and are investigating whether they can fix it, but my hopes are not high that they will be able to (at least in a timely manner).

In the mean time, I would like to provide two options: use certificates as the second factor on desktop browsers, and use a custom authentication provider (I can build this no problem) for mobile browsers.

Is this possible? The closest I can get right now is to present the user with an option of which MFA mechanism they would like to use. This isn’t good enough, unfortunately, especially since users will need to do this several times per day.