Indeed AM ADFS Extension implements a multi-factor authentication provider for Microsoft AD FS, adding a second factor to the sign-in process.


Info

The files of Indeed AM ADFS Extension are located in: indeed AM\Indeed AM ADFS Extension\<Version number>\

  • IndeedAM.ADFS.Extension-x64.msi is the installation package of Indeed ADFS Extension.

Installation and configuration of ADFS Extension

  1. Install ADFS Extension by running IndeedAM.ADFS.Extension-x64.msi installer. 
  2. Create a configuration file named MFAAdapter.json with the following parameters.

    Info

    The ModeId parameter takes the ID of the Indeed AM authentication provider that supplies the second factor:

      • {EBB6F3FA-A400-45F4-853A-D517D89AC2A3} - SMS OTP
      • {093F612B-727E-44E7-9C95-095F07CBB94B} - EMAIL OTP
      • {F696F05D-5466-42b4-BF52-21BEE1CB9529} - Passcode
      • {0FA7FDB4-3652-4B55-B0C0-469A1E9D31F0} - Software OTP
      • {AD3FBA95-AE99-4773-93A3-6530A29C7556} - HOTP Provider
      • {CEB3FEAF-86ED-4A5A-BD3F-6A7B6E60CA05} - TOTP Provider
      • {DEEF0CB8-AD2F-4B89-964A-B6C7ECA80C68} - AirKeyProvider


    Example (MFAAdapter.json):
    {
    "ServerType":"eaNet",
    "EANetServerURL":"http://YourDomainName/easerver/",
    "ModeId":"{0FA7FDB4-3652-4B55-B0C0-469A1E9D31F0}",
    "LSEventCacheDirectory": "C:\\EventCacheEa\\"
    }

    Note

    Use an https:// URL for EANetServerURL in production: with the http:// value shown above, the second-factor exchange between AD FS and the Indeed AM server travels in clear text.


  3. Run PowerShell as administrator and execute the following command to register the adapter:

    Info

    YourPath\MFAAdapter.json - the full path to the configuration file created in step 2.


    Note

    In the Version parameter of the $typeName variable, specify the version number of the installed Indeed ADFS Extension.


    Example:
    $typeName = "IndeedId.ADFS.MFAAdapter.MFAAdapter, IndeedId.ADFS.MFAAdapter, Version=1.0.6.0, Culture=neutral, PublicKeyToken=1ebb0d9282100d91"
    Register-AdfsAuthenticationProvider -TypeName $typeName -Name "Indeed Id MFA Adapter" -ConfigurationFilePath 'YourPath\MFAAdapter.json'


  4. To remove the adapter, execute the following command:

    Example:
    Unregister-AdfsAuthenticationProvider -Name "Indeed Id MFA Adapter"


  5. To update the configuration after editing MFAAdapter.json, execute the following command:

    Example:
    Import-AdfsAuthenticationProviderConfigurationData -Name "Indeed Id MFA Adapter" -FilePath 'YourPath\MFAAdapter.json'
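The registration procedure above, collected into one PowerShell script as an added example (this is not part of the original page and not the vendor's own script). It writes MFAAdapter.json with the parameters shown above, reads the Version of the installed adapter assembly instead of hard-coding it, checks that the assembly's strong-name PublicKeyToken matches the documented one before trusting it, then registers the provider (or re-imports the configuration if it is already registered) and verifies the result. The install directory, the DLL file name IndeedId.ADFS.MFAAdapter.dll, the configuration file path, the server URL and the cache directory are assumptions for illustration.

```powershell
# Added example: register the Indeed AM ADFS Extension MFA provider from PowerShell.
# Run as administrator on the AD FS server. Not part of the original page or the vendor's scripts.
# Paths, the DLL file name and the server URL below are assumptions; adjust them to your environment.

$ErrorActionPreference = 'Stop'

$providerName  = 'Indeed Id MFA Adapter'
$version       = '1.0.6.0'                                                       # assumption: installed extension version
$installDir    = "C:\Program Files\Indeed AM\Indeed AM ADFS Extension\$version"  # assumption
$dllPath       = Join-Path $installDir 'IndeedId.ADFS.MFAAdapter.dll'            # assumption
$configPath    = 'C:\IndeedAM\MFAAdapter.json'                                   # assumption
$expectedToken = '1ebb0d9282100d91'                                              # PublicKeyToken from the documented $typeName

# 1. Check the assembly we are about to load into AD FS: it must exist, its version must be the one
#    we put into the type name, and its strong-name public key token must match the documented one.
$asmName = [System.Reflection.AssemblyName]::GetAssemblyName($dllPath)
$token   = ($asmName.GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') }) -join ''
if ($asmName.Version.ToString() -ne $version) {
    throw "Installed assembly version is $($asmName.Version); expected $version. Fix `$version before registering."
}
if ($token -ne $expectedToken) {
    throw "Unexpected PublicKeyToken '$token' for $dllPath (expected $expectedToken). Not registering."
}

# 2. Write MFAAdapter.json with the parameters shown above (ModeId = Software OTP).
#    https:// is used for EANetServerURL so the second-factor exchange is not sent in clear text.
$config = [ordered]@{
    ServerType            = 'eaNet'
    EANetServerURL        = 'https://YourDomainName/easerver/'            # assumption: your Indeed AM server
    ModeId                = '{0FA7FDB4-3652-4B55-B0C0-469A1E9D31F0}'     # Software OTP (from the table above)
    LSEventCacheDirectory = 'C:\EventCacheEa\'                            # ConvertTo-Json escapes the backslashes
}
New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null
$config | ConvertTo-Json | Set-Content -Path $configPath -Encoding UTF8

# 3. Register the provider, or just re-import the configuration if it is already registered.
$typeName = "IndeedId.ADFS.MFAAdapter.MFAAdapter, IndeedId.ADFS.MFAAdapter, Version=$version, Culture=neutral, PublicKeyToken=$expectedToken"
if (Get-AdfsAuthenticationProvider -Name $providerName -ErrorAction SilentlyContinue) {
    Import-AdfsAuthenticationProviderConfigurationData -Name $providerName -FilePath $configPath
} else {
    Register-AdfsAuthenticationProvider -TypeName $typeName -Name $providerName -ConfigurationFilePath $configPath
}

# 4. Verify the registration and restart AD FS so the provider is loaded.
Get-AdfsAuthenticationProvider -Name $providerName | Format-List *
Restart-Service adfssrv
```

The version and public key token checks are the part worth keeping even if you register by hand: a mismatched Version in $typeName makes the provider fail to load, and an unexpected PublicKeyToken means the DLL on disk is not the one the documented type name refers to.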


Activation of multi-factor authentication for AD FS

  1. Open the AD FS Management console.
  2. Select “Authentication Methods”, and then select “Edit Multi-factor Authentication...” in the “Actions” pane.
  3. On the “Multi-factor” tab, select the provider registered above (“Indeed Id MFA Adapter”) and click “Apply”.
  4. Select “Relying Party Trusts” and click “Add Relying Party Trust...”.
  5. On the “Welcome” page, select “Claims aware” and click “Start”.
  6. On the “Select Data Source” page, specify the URL of your server and click “Next”.

    Info

    The standard AD FS idpinitiatedsignon.htm page is used as the example relying party; its federation metadata address is used as the data source.

  7. On the “Specify Display Name” page, enter a name and description for the relying party trust and click “Next”.
  8. On the “Choose Access Control Policy” page, select one of the built-in policies that requires MFA (for example “Permit everyone and require MFA”). You can also add an access control policy of your own.
  9. Leave all other parameters at their default values.
  10. Restart the AD FS service (adfssrv) to apply the changes.
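The console steps above done from PowerShell, as an added example (not part of the original page or the vendor's documentation). It enables the registered provider as an additional (multi-factor) authentication method without dropping providers that are already enabled, creates the relying party trust from a federation metadata URL with a built-in MFA-requiring access control policy, verifies the policy binding and restarts the service. It assumes the provider was registered as "Indeed Id MFA Adapter"; the federation service host name, the trust name and the metadata URL path are assumptions.

```powershell
# Added example: enable the provider for MFA and create the relying party trust from PowerShell.
# Run as administrator on the AD FS server. Not part of the original page or the vendor's scripts.
# The host name, trust name and metadata URL below are assumptions; adjust them to your environment.

$ErrorActionPreference = 'Stop'

$providerName = 'Indeed Id MFA Adapter'
$fsHost       = 'YourDomainName'                       # assumption: federation service host name
$trustName    = 'AD FS test page'                      # assumption: display name for the relying party trust
$mfaPolicy    = 'Permit everyone and require MFA'      # built-in AD FS 2016 access control policy
# Assumption: the page uses the AD FS server's own metadata address as the data source; this is its standard path.
$metadataUrl  = "https://$fsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Steps 2-3: add the provider to the global multi-factor list, keeping any providers already enabled.
$policy  = Get-AdfsGlobalAuthenticationPolicy
$current = @($policy.AdditionalAuthenticationProvider)
if ($current -notcontains $providerName) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($current + $providerName)
}

# Steps 4-9: create the relying party trust from federation metadata and bind the MFA-requiring policy.
if (-not (Get-AdfsRelyingPartyTrust -Name $trustName)) {
    Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl -AccessControlPolicyName $mfaPolicy
}

# Check before restarting: a trust that ended up on a policy without MFA would silently skip the second factor.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if ($trust.AccessControlPolicyName -ne $mfaPolicy) {
    throw "Relying party trust '$trustName' is bound to '$($trust.AccessControlPolicyName)', not '$mfaPolicy'."
}
$enabled = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
if ($enabled -notcontains $providerName) {
    throw "'$providerName' is not in the global AdditionalAuthenticationProvider list."
}

# Step 10
Restart-Service adfssrv
```

The two checks at the end are the point of scripting this: both the global MFA provider list and the per-trust access control policy have to be right, and the console steps give no single place to confirm that.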

Example of the extension in operation

Info

The idpinitiatedsignon.htm page is disabled by default in AD FS 2016. To enable it, run PowerShell as administrator and execute the following command:

Example:
Set-AdfsProperties -EnableIdpInitiatedSignonPage $True


  1. Open the AD FS test page: https://YourDomainName/adfs/ls/idpinitiatedsignon.htm
  2. Sign in with your username and password.
  3. When prompted, enter the second-factor data for the provider selected by ModeId.
  4. If the data is correct, sign-in completes.

