How to mark Primary Authentication Fortified ID ADFS adapters as MFA

This document describes how to configure ADFS to fulfill MFA requirements, using a Fortified ID ADFS Adapter for primary authentication.


Last updated 5 months ago

Background

Issue

With ADFS, an authentication is marked as multi-factor authentication (MFA) only when the user has performed two different authentication steps: primary authentication AND additional authentication. This is typically useful when the primary authentication is username and password and the additional authentication is a one-time password (OTP).

In some scenarios, however, a single authentication step (the primary authentication) is enough to fulfill common MFA definitions (such as username combined with a mobile app). This still does not fulfill the ADFS MFA requirement. This document describes how the ADFS MFA requirement can be fulfilled using a Fortified ID ADFS adapter for primary authentication, without adding an additional authentication step to the flow.

To illustrate this further, the scenario below describes the user experience, prior to solving the configuration issue, when the Fortified ID SITHS QR adapter is used as primary authentication against a service (RP) that requires MFA.

Scenario

  • Fortified ID ADFS adapter installed.

  • Fortified ID ADFS adapter selected for primary authentication.

  • Access control policy for Relying party set to "require MFA"

  • With the above configuration, the following will occur when a user is authenticating using Fortified ID SITHS - QR:

  1. Browse to service (RP)

  2. Redirect to ADFS

  3. Select Fortified ID SITHS QR

  4. Enter username (UPN)

  5. Scan QR code with app

  6. Finish authentication with app

  7. As the RP requires MFA, the user will be asked to fulfill the requirement with an additional authentication: Certificate authentication or Azure MFA.

This document describes how to configure ADFS to associate Fortified ID SITHS QR, used as primary authentication, as an MFA method.

Solution

To avoid scenarios where users have to perform SITHS QR authentication AND another additional authentication method such as OTP, this document describes how to allow a primary authentication (SITHS QR) as MFA.

Create access policy

  • Open AD FS management

  • Access control policy

  • Click Add Access Control Policy

  • Name the policy Permit everyone and require MFA or SITHS

  • Add description Permit everyone and require MFA or SITHS

  • Click Add to define new rule

  • Select Permit users and require multi-factor authentication, except with specific claims in the request

  • Click specific and, in the Select Claims dialog, set Claim type = Authentication method, Operator = equals, Claim value = http://schemas.microsoft.com/ws/2012/12/authmethod/tlsclient

  • Click OK

  • Click Add again (new rule)

  • Select Permit users with specific claims in the request

  • Click specific and, in the Select Claims dialog, set Claim type = Authentication method, Operator = equals, Claim value = http://schemas.microsoft.com/ws/2012/12/authmethod/tlsclient

  • Click OK

  • Click Apply

  • Click Relying Party Trusts

  • Select the RP

  • Click Edit Access Control Policy

  • Select the newly created policy

  • Click Apply
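The last steps above (assigning the new policy to the relying party and checking the result) can also be done from PowerShell on the AD FS server. This is an added example, not part of the Fortified ID documentation; it assumes the policy was already created in the console with the name used in this guide, and the RP display name is a placeholder.

```powershell
# Added example, not from the Fortified ID documentation. Assumes the AD FS PowerShell
# module on an AD FS server and an account with AD FS administrator rights.
Import-Module ADFS

$policyName = 'Permit everyone and require MFA or SITHS'   # name used in the guide above
$rpName     = '<RP display name>'                           # placeholder: your relying party trust

# 1. Verify that the access control policy created in the AD FS management console exists.
$policy = Get-AdfsAccessControlPolicy -Name $policyName
if (-not $policy) { throw "Access control policy '$policyName' not found. Create it first." }

# 2. Assign the policy to the relying party (same as "Edit Access Control Policy" in the console).
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $policyName

# 3. Confirm the assignment before running the SITHS QR sign-in test described below.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($rp.AccessControlPolicyName -ne $policyName) {
    throw "Relying party '$rpName' still uses policy '$($rp.AccessControlPolicyName)'."
}
"Relying party '$rpName' now uses access control policy '$policyName'."
```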

Test

  1. Browse to service (RP)

  2. Redirect to ADFS

  3. Authenticate using SITHS QR

  4. Redirect back to service, logged in.

Other Fortified ID ADFS adapters

This can also be achieved for the Fortified ID OTP - Token adapter, in scenarios where passwordless authentication is required (in this scenario username + OTP).

Follow the above guide. In both "specific" claim rules, keep Claim type = Authentication method and Operator = equals, but change the claim value from http://schemas.microsoft.com/ws/2012/12/authmethod/tlsclient to http://schemas.microsoft.com/ws/2012/12/authmethod/otp