How to mark Primary Authentication Fortified ID ADFS adapters as MFA
This document describes how to configure ADFS to fulfill MFA requirements, using a Fortified ID ADFS Adapter for primary authentication.
With ADFS, an authentication is marked as multi-factor authentication (MFA) when a user has performed two different authentication steps: primary authentication AND additional authentication. This is typically useful when the primary authentication is username and password, whereas the additional authentication is a one-time password (OTP).
In some scenarios, though, one authentication step (the primary authentication) is enough to fulfill common MFA definitions (such as username combined with a mobile app). However, this does not fulfill the ADFS MFA requirement. This document describes how the ADFS MFA requirement can be fulfilled using a Fortified ID ADFS adapter for primary authentication, without the need to add an additional authentication to the flow.
To illustrate this further, the scenario below explains the user experience, prior to solving the configuration issue, when using the Fortified ID SITHS QR adapter as the primary authentication and authenticating to a service (RP) that requires MFA.
Fortified ID ADFS adapter installed.
Fortified ID ADFS adapter selected for primary authentication.
Access control policy for the Relying party set to "require MFA".
With the above configuration, the following will occur when a user authenticates using Fortified ID SITHS QR:
Browse to service (RP)
Redirect to ADFS
Select Fortified ID SITHS QR
Enter username (UPN)
Scan QR code with app
Finish authentication with app
As the RP requires MFA, the user will be asked to fulfill the requirement with an additional authentication: Certificate authentication or Azure MFA.
This document describes how to configure ADFS to associate Fortified ID SITHS QR, used as primary authentication, as an MFA method.
To avoid scenarios where users have to perform SITHS QR authentication AND another additional authentication method such as OTP, this document describes how to allow a primary authentication (SITHS QR) as MFA.
Open AD FS management
Access control policy
Click Add Access Control Policy
Name the policy Permit everyone and require MFA or SITHS
Add description Permit everyone and require MFA or SITHS
Click Add to define new rule
Select Permit users and require multi-factor authentication Except with specific in request
Click specific
Select Claims. Claim type = Authentication method, Operator = equals, Claim value = http://schemas.microsoft.com/ws/2012/12/authmethod/tlsclient
Click OK
Click Add again (new rule)
Select Permit users with specific in the request
Click specific
Select Claims. Claim type = Authentication method, Operator = equals, Claim value = http://schemas.microsoft.com/ws/2012/12/authmethod/tlsclient
Click OK
Click Apply
Click Relying Party Trusts
Select the RP
Click Edit Access Control Policy
Select the newly created policy
Click Apply
Browse to service (RP)
Redirect to ADFS
Authenticate using SITHS QR
Redirect back to service, logged in.
This can also be achieved for the Fortified ID OTP - Token adapter, in scenarios where passwordless authentication is required (in this scenario username + OTP).
Follow the above guide. Change the authentication method claim value to http://schemas.microsoft.com/ws/2012/12/authmethod/otp
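As an added post-configuration check (not part of the Fortified ID guide or product), the PowerShell below verifies on the AD FS server that the RP is bound to the new policy, that the adapter is enabled as a primary method, and that the adapter actually issues the authmethod URI the policy rules match on. The RP name and the adapter's registered provider name are placeholders; the URI parameter defaults to tlsclient and can be set to the otp URI for the OTP - Token variant above.

```powershell
# Added verification script; assumes the policy name from this guide.
# Placeholders: replace the RP name and the adapter provider name
# (see Get-AdfsAuthenticationProvider for the registered names).
param(
    [string]$PolicyName       = 'Permit everyone and require MFA or SITHS',
    [string]$RelyingPartyName = 'Example RP',          # placeholder
    [string]$AdapterName      = 'FortifiedIdSithsQr',  # placeholder
    [string]$AuthMethodUri    = 'http://schemas.microsoft.com/ws/2012/12/authmethod/tlsclient'
)

Import-Module ADFS
$ok = $true

# 1. The RP must use the new policy, not the stock "require MFA" one;
#    otherwise ADFS still prompts for an additional authentication after SITHS QR.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "Relying party '$RelyingPartyName' not found" }
if ($rp.AccessControlPolicyName -ne $PolicyName) {
    $ok = $false
    Write-Warning "RP '$RelyingPartyName' uses '$($rp.AccessControlPolicyName)', expected '$PolicyName'"
}

# 2. The adapter must be selected as a primary method (intranet and/or extranet),
#    which is the scenario this guide assumes.
$gap = Get-AdfsGlobalAuthenticationPolicy
$primary = @($gap.PrimaryIntranetAuthenticationProvider) + @($gap.PrimaryExtranetAuthenticationProvider)
if ($primary -notcontains $AdapterName) {
    $ok = $false
    Write-Warning "'$AdapterName' is not enabled as a primary authentication provider"
}

# 3. The adapter must declare the exact authmethod URI used in both policy rules;
#    if the URIs differ, the exception never matches and users are prompted for MFA.
$provider = Get-AdfsAuthenticationProvider -Name $AdapterName
if (-not $provider -or $provider.AuthenticationMethods -notcontains $AuthMethodUri) {
    $ok = $false
    Write-Warning "'$AdapterName' does not issue '$AuthMethodUri'"
}

# 4. List every provider that issues the same URI: the policy exception is matched
#    on the claim value alone, so each of these satisfies the RP's MFA requirement.
$issuers = Get-AdfsAuthenticationProvider | Where-Object { $_.AuthenticationMethods -contains $AuthMethodUri }
"Providers issuing $AuthMethodUri : $($issuers.Name -join ', ')"

if ($ok) { "Configuration matches the guide for RP '$RelyingPartyName'" }
```

Review the list printed by step 4 when choosing the claim value: tlsclient is also the URI issued by certificate authentication, so that list should contain only methods you consider equivalent to MFA for this RP.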