Here is how you can enable Client Certificate Authentication for Passive Authentication.
In my case, I have Microsoft AD Certificate Services deployed. Users have a personal certificate (User Authentication) with a private key in their personal certificate store.
On the ADFS server, open the web.config file in inetpub\adfs\ls and look for the microsoft.identityserver.web section. Put the LocalAuthenticationTypes in the following order:
The <add name="TlsClient" page="auth/ssl/client/"/> entry must be the first authentication type.
In IIS, you can disable all the other authentication methods except Anonymous, so a user who is not otherwise authenticated but presents a valid client certificate can access the passive federation service. This is very useful, for example, for authenticating users on a mobile device without prompting for their credentials.
If you look at the claim values in the SAML token, you can check that the authentication method is tlsclient:
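As an added example (not from the original post), here is a relying-party-side check in Python that reads the authentication method out of the SAML 1.1 assertion AD FS issues for passive sign-in and admits the token only when every reported method is TLS client-certificate authentication. It assumes AD FS reports that method as the URI urn:ietf:rfc:2246; the sample assertion is constructed, unsigned, and uses placeholder issuer and subject values.

```python
import xml.etree.ElementTree as ET

# Namespace of the SAML 1.1 assertions AD FS 2.0 issues for WS-Federation passive sign-in.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
AUTHN_METHOD_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
# Assumption: AD FS reports the TlsClient handler with this authentication-method URI.
TLS_CLIENT_METHOD = "urn:ietf:rfc:2246"

# Constructed sample assertion: not a real token, signature omitted, placeholder names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_placeholder"
    Issuer="http://adfs.example.test/adfs/services/trust">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>user@example.test</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="authenticationmethod"
        AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
      <saml:AttributeValue>urn:ietf:rfc:2246</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthenticationStatement AuthenticationMethod="urn:ietf:rfc:2246"
      AuthenticationInstant="2012-01-01T00:00:00Z">
    <saml:Subject><saml:NameIdentifier>user@example.test</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def authentication_methods(assertion_xml: str) -> set:
    """Collect every authentication-method value the assertion carries, from both
    AuthenticationStatement/@AuthenticationMethod and the authenticationmethod claim."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML1_NS}
    methods = set()
    for stmt in root.findall("saml:AuthenticationStatement", ns):
        if stmt.get("AuthenticationMethod"):
            methods.add(stmt.get("AuthenticationMethod"))
    for attr in root.findall(".//saml:Attribute", ns):
        claim = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        if claim == AUTHN_METHOD_CLAIM:
            for value in attr.findall("saml:AttributeValue", ns):
                methods.add((value.text or "").strip())
    return methods


def authenticated_with_client_cert(assertion_xml: str) -> bool:
    """True only if the token reports TLS client-certificate authentication and nothing
    else. A relying party that must admit only certificate-authenticated users should
    refuse tokens for which this is False, since AD FS still offers its other handlers."""
    methods = authentication_methods(assertion_xml)
    return bool(methods) and methods == {TLS_CLIENT_METHOD}
```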