- Created by Vladislav Fomichev on Dec 07, 2021
The latter implements a provider of multi-factor authentication for Microsoft ADFS server, thus adding the second factor to the access gaining process.
Files of Indeed AM ADFS Extension reside in: indeed AM\Indeed AM ADFS Extension\<Version number>\
- IndeedAM.ADFS.Extension-x64.msi is the installation package of Indeed ADFS Extension.
Installation and configuration of ADFS Extension
- Install ADFS Extension by running IndeedAM.ADFS.Extension-x64.msi installer.
Create a configuration file named MFAAdapter.json with the following parameters.
id parameter of ModeId have different provider ID
{EBB6F3FA-A400-45F4-853A-D517D89AC2A3} - SMS OTP
{093F612B-727E-44E7-9C95-095F07CBB94B} - EMAIL OTP
{F696F05D-5466-42b4-BF52-21BEE1CB9529} - Passcode
{0FA7FDB4-3652-4B55-B0C0-469A1E9D31F0} - Software OTP
{AD3FBA95-AE99-4773-93A3-6530A29C7556} - HOTP Provider
{CEB3FEAF-86ED-4A5A-BD3F-6A7B6E60CA05} - TOTP Provider
{DEEF0CB8-AD2F-4B89-964A-B6C7ECA80C68} - AirKeyProvider
Example{ "ServerType":"eaNet", "EANetServerURL":"http://YourDomainName/am/core/", "ModeId":"{0FA7FDB4-3652-4B55-B0C0-469A1E9D31F0}", "LSEventCacheDirectory": "C:\\EventCacheEa\\" }
Run PowerShell as administrator. Enter the following data to register an adapter:
YourPatch\MFAAdapter.json - specify full path to the previously created configuration file.
Specify the version number of Indeed ADFS Extension used in $typeName variable, Version parameter.
Example$typeName = "IndeedId.ADFS.MFAAdapter.MFAAdapter, IndeedId.ADFS.MFAAdapter, Version=1.0.6.0, Culture=neutral, PublicKeyToken=1ebb0d9282100d91" Register-AdfsAuthenticationProvider -TypeName $typeName -Name "Indeed Id MFA Adapter" -ConfigurationFilePath 'YourPatch\MFAAdapter.json'
To remove an adapter, execute the following command:
ExampleUnregister-AdfsAuthenticationProvider -Name "Indeed Id MFA Adapter"
To update configuration, execute the following command:
ExampleImport-AdfsAuthenticationProviderConfigurationData -Name "Indeed Id MFA Adapter" -FilePath 'YourPatch\MFAAdapter.json'
Activation of multi-factor authentication for ADFS.
- Open AD FS management console.
- Select “Authentication Methods”, and then select “Edit Multi-factor Authentication...” in “Actions” window.
- Select the previously created provider at the “Multi-factor” tab and click “Apply”.
- Select "Relying party trust” and click “Add relying party trust...”.
- Select “Supporting claims” at the “Welcome!” tab and click “Run”.
Specify the URL of your server at the “Select Data Source” tab and click “Next”.
The standard ADFS idpinitiatedsignon.htm page is used as extension example. This page uses metadata address.
- Enter the name and description for your relying party trust at the “Displayed name” tab and click “Next”.
- Select corresponding policy with MFA request in the list of default ones at the “Choose Access Control Policy”. You can also add an access control policy of your choice.
- Leave all the other parameters with their default values.
- Restart the AD FS service to apply the changes.
Example of extension operation.
The idpinitiatedsignon.htm page is deactivated in AD FS 2016 by default. To activate it, run PowerShell as administrator and execute the following command:
Set-AdfsProperties -EnableIdpInitiatedSignonPage $True
- Open ADFS test page: https://YourDomainName/adfs/ls/idpinitiatedsignon.htm
- Perform logging in.
- Specify the second factor data after entering the username and password.
- If all data is entered correctly, log in is executed.
- No labels