Active Directory Federation Services (ADFS) is a single sign-on solution for Active Directory that enables users to log in to external systems and applications with their Active Directory credentials. It provides users with a single sign-on experience when they log in to their organization's web-based applications.
With the AuthPoint ADFS agent, you can add multi-factor authentication (MFA) to ADFS for additional security. To do this, you must add an ADFS resource in the AuthPoint management UI and install the ADFS agent on your ADFS server.
To use MFA with ADFS, you must have the AuthPoint Gateway installed. If you have not already installed the AuthPoint Gateway, see About Gateways.
For Active Directory users to use AuthPoint MFA with ADFS, you must keep the default sAMAccountName value for the attribute related to user login when you configure your external identity.
Configure an ADFS Resource
In the AuthPoint management UI:
- From the AuthPoint navigation menu, select Resources.
The Resources page in the AuthPoint management UI opens.
- From the Choose a resource type drop-down list, select ADFS. Click Add.
- In the Name text box, type a descriptive name for the resource.
- Click Save.
- Add the ADFS resource to your existing authentication policies, or add new authentication policies for the ADFS resource. Authentication policies specify which resources users can authenticate to and which authentication methods they can use. For more information, see About AuthPoint Authentication Policies.
Add the ADFS Resource to Your Gateway Configuration
To use MFA with ADFS, you must have the AuthPoint Gateway installed and you must associate your ADFS resource with the AuthPoint Gateway. The AuthPoint Gateway is the point of communication between AuthPoint and your ADFS server.
If you have not already installed the AuthPoint Gateway, see About Gateways.
To add your ADFS resource to the configuration for your AuthPoint Gateway:
- From the AuthPoint navigation menu, select Gateway.
- Click the Name of your Gateway.
- In the ADFS section, from the Select an ADFS resource list, select your ADFS resource.
- Click Save.
You have successfully associated your ADFS resource with your Gateway. The next step is to download and install the ADFS agent.
Download and Install the ADFS Agent
You must download the configuration file for the Gateway that your ADFS resource is associated with, then you must download and install the ADFS agent.
Your Gateway must be installed and available when you install the ADFS agent.
- From the AuthPoint navigation menu, select Downloads.
- In the ADFS section, click Download Installer. To download the configuration file, you must have an ADFS resource, and your installed Gateway must be version 4.0.0 or higher.
- Click Download Config to download the configuration file. If you have multiple Gateways, you are prompted to select which Gateway your ADFS resource is associated with.
- Move the ADFS agent and the configuration file to the ADFS server.
- Run the ADFS agent.
Configure Your Server
After you install the ADFS agent, you must enable MFA in ADFS for specific groups. MFA only works for users who are members of the ADFS groups that you select and members of the AuthPoint groups with an authentication policy for your ADFS resource.
The steps to enable MFA for ADFS groups differ depending on whether you have a Windows Server 2012 R2 server or a Windows Server 2016 server. The first procedure is for Windows Server 2012 R2; the second is for Windows Server 2016.
Windows Server 2012 R2
- Open the Administrative Tools.
- Select AD FS Management.
- Select Authentication Policies.
- In the Multi-factor Authentication Methods section, click Edit to configure MFA globally. To configure MFA per relying party, click Manage.
- In the Edit Global Authentication Policy window, click Add.
- In the Select Users or Groups window, type the name of the LDAP group(s) to enable MFA for.
- Click OK.
- In the Edit Global Authentication Policy window, in the additional authentication methods section, select WatchGuard Multi Factor Authentication.
- Click Apply.
After configuration, AD FS Management shows the users/groups and the authentication method that you selected.
Windows Server 2016
- Open Administrative Tools.
- Select AD FS Management.
- Select Service > Authentication Methods.
- In the Multi-factor Authentication Methods section, click Edit.
- In the Edit Authentication Methods window, select WatchGuard Multi Factor Authentication. Click Apply.
MFA is now required for users to access ADFS resources. To configure MFA only for specific users, you must create an access control policy for an AD group with those users.
- (Optional) Create an AD group for the users who must use MFA. If you already have a group, you do not have to create another one.
- Select Access Control Policies.
- Click Add Access Control Policy.
- In the Name text box, type Permit everyone but require MFA for specific groups.
- Type a Description.
- Click Add.
- In the Rule Editor window, configure these permissions:
- Permit users except from Domain\<your AD group>
- Permit users from Domain\<your AD group> and require multi-factor authentication
- Click OK to save.
- Select Relying Party Trusts.
- Right-click on a trust and select Edit Access Control Policy.
- Select the policy you just created.
- Click OK. Restart the ADFS service.
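To confirm the result of either procedure above without clicking through the console, the following PowerShell audit script is an added example (not WatchGuard's or Microsoft's own code). It assumes an elevated session on the ADFS server, the ADFS PowerShell module, and that the AuthPoint agent registers a provider whose name or display name contains "WatchGuard"; the exact provider name is an assumption, so adjust `$ProviderPattern` to match your server.

```powershell
# Added audit example; assumes the ADFS module and an elevated session on the ADFS server.
Import-Module ADFS

# Assumption: the AuthPoint provider's Name or DisplayName contains this string.
$ProviderPattern = 'WatchGuard'

# 1. Is the AuthPoint authentication provider registered with ADFS at all?
$provider = Get-AdfsAuthenticationProvider |
    Where-Object { $_.DisplayName -like "*$ProviderPattern*" -or $_.Name -like "*$ProviderPattern*" } |
    Select-Object -First 1
if (-not $provider) {
    Write-Warning "No authentication provider matching '$ProviderPattern' is registered. Re-run the ADFS agent installer."
    return
}
Write-Output "Registered provider: $($provider.Name)"

# 2. Is it selected as an additional (MFA) authentication method in the global policy?
#    This is what the 'Edit Global Authentication Policy' / 'Edit Authentication Methods' steps set.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.AdditionalAuthenticationProvider -contains $provider.Name) {
    Write-Output "Global policy: '$($provider.Name)' is enabled as an additional authentication method."
} else {
    Write-Warning "Global policy does not list '$($provider.Name)' as an additional authentication method."
    Write-Warning "To enable it: Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider '$($provider.Name)'"
}

# 3. On Windows Server 2016, which relying party trusts have an access control policy assigned?
#    Trusts without one do not get the 'require MFA for specific groups' rule, so review them.
Get-AdfsRelyingPartyTrust | ForEach-Object {
    [pscustomobject]@{
        RelyingParty        = $_.Name
        AccessControlPolicy = if ($_.AccessControlPolicyName) { $_.AccessControlPolicyName } else { '(none assigned)' }
    }
} | Format-Table -AutoSize
```

Run it again after Restart-Service adfssrv to confirm the settings survived the restart.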
Authentication with ADFS
When MFA is configured for ADFS, users must authenticate when they access your organization's web applications. When a user navigates to a web application, they are redirected to the ADFS SSO page where they must provide their AD credentials and authenticate with MFA.
To authenticate through ADFS:
- Navigate to an external web application.
You are redirected to the ADFS SSO page.
- In the User name text box, type your user name or email. User names must be formatted as [email protected] or domain\user.
- In the Password text box, type your password.
- Click Log in.
- From the Sign-in Options section, select an authentication option and authenticate.
- Push — Approve the push notification that is sent to your phone
- QR Code — Use the AuthPoint mobile app to scan the QR code, then type the verification code shown in the app
- One-Time Password — Type the one-time password for your token