Install and configure Fortified ID ADFS adapter for Oath
Last updated
In this scenario, Microsoft Active Directory Federation Services (ADFS) utilizes the Fortified ID Oath adapter to meet MFA requirements through a supporting mobile app.
The ADFS adapter will communicate with the Fortified ID Integrity API service to verify the OATH token.
There are some prerequisites for this use case. You will need the following:
Fortified ID Integrity API installed and configured. Take a note of the API key secret, as it will be used in a later step. The DNS name of the Integrity API host or load balancer must also be known.
ADFS administration rights.
Allow communication from the ADFS servers to the Fortified ID Integrity API on TCP/8447. The port can be changed to suit the requirements of your environment.
(These steps have to be carried out on all servers in the ADFS farm.)
Download installer zip.
Unzip to C:\
The folder created should be named FortifiedID_ADFS_Adapters. If not, rename the folder.
Open the file C:\FortifiedID_ADFS_Adapters\otp\conf\registration.properties
Change the settings api.key and otp.valudation.url:
Set the api.key value to the API key secret configured in the Integrity API.
Set the otp.valudation.url value to the Integrity API URL in your environment.
Example:
api.key=secret
otp.valudation.url=https://api.fortifiedid.se:8447/api/Validate_OATH_token
Save the file.
Open PowerShell with administrative privileges.
Install the adapter:
C:\FortifiedID_ADFS_Adapters\otp\register.ps1
Open AD FS management
Add the Additional Authentication Method to the desired policy.
If you have an ADFS farm, make sure to carry out the steps above on the other node as well. Only the DLL files will be installed on the other node.
Apply an access policy to a service (require MFA)
Test logging on to the service.
Verify that the installed ADFS adapter is displayed.
To debug, use the Event Viewer on the ADFS server and the server.log file on the Fortified ID Integrity API server(s).
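As an added example (not part of the Fortified ID documentation or the adapter's own scripts), the following PowerShell run on an ADFS node checks the three things the test and debug steps above look at: whether the adapter is registered, whether it is selected as an additional authentication method in the global policy, and what errors the AD FS admin log recorded recently. The provider name filter '*Fortified*' is an assumption; adjust it to the name that Get-AdfsAuthenticationProvider actually shows.

```powershell
# Added example, not part of the Fortified ID documentation. Run in an elevated
# PowerShell on each ADFS node after register.ps1.
# ASSUMPTION: the provider name contains 'Fortified'; change $NameFilter if it does not.
$NameFilter = '*Fortified*'
Import-Module ADFS

# 1. Registered providers on this node (what register.ps1 installed)
$providers = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -like $NameFilter }
if (-not $providers) {
    Write-Warning "No provider matching '$NameFilter' is registered on $env:COMPUTERNAME - run register.ps1 here"
} else {
    $providers | Select-Object Name, AdminName | Format-Table -AutoSize
}

# 2. Is the adapter selected as an additional (MFA) authentication method?
#    This is what the "Authentication Methods" section of AD FS Management controls.
$policy  = Get-AdfsGlobalAuthenticationPolicy
$enabled = $policy.AdditionalAuthenticationProvider | Where-Object { $_ -like $NameFilter }
if ($enabled) {
    Write-Host "Enabled as additional authentication method: $enabled"
} else {
    Write-Warning "Adapter is registered but not selected under Authentication Methods in AD FS Management"
}

# 3. Errors (level 2) and warnings (level 3) from the AD FS admin log in the last hour,
#    the same events you would look at in Event Viewer on the ADFS server.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2, 3; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run it on every node in the farm: registration is per node, while the global authentication policy is shared, so a node that is missing the provider but shares the policy is a common cause of logon failures that only affect some users.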
To update the ADFS adapter configuration settings (i.e. the settings in the conf folder), the ADFS adapter must be re-registered.
Open AD FS management and deselect the ADFS adapters in the Authentication Methods section
Open PowerShell with administrative privileges.
Run the unregister.ps1 script located in the C:\FortifiedID_ADFS_Adapters\otp directory.
Modify the configuration settings in the C:\FortifiedID_ADFS_Adapters\otp\conf\registration.properties file.
Run the register.ps1 script located in the C:\FortifiedID_ADFS_Adapters\otp directory.
If you have an ADFS farm, make sure to carry out the steps above on the other node as well. Only the DLL files will be installed on the other node.
Verify that the changes work using the test steps above.
To uninstall the ADFS adapter, follow the steps below.
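The reconfiguration procedure above (unregister, edit registration.properties, register again) can be scripted so that every node in the farm gets exactly the same settings. The script below is an added example and not part of the Fortified ID documentation or the adapter package; it assumes the adapter folder and script names given above, takes the new api.key and otp.valudation.url values as parameters, and assumes the GUI step (deselecting the adapter under Authentication Methods) has already been done.

```powershell
# Added example, not part of the Fortified ID documentation. Run in an elevated
# PowerShell on each ADFS node after deselecting the adapter in AD FS Management.
# ASSUMPTIONS: folder layout and script names as in the documentation above;
# -ApiKey and -ValidationUrl are parameters of this example script.
param(
    [Parameter(Mandatory)][string]$ApiKey,
    [Parameter(Mandatory)][string]$ValidationUrl,
    [string]$AdapterRoot = 'C:\FortifiedID_ADFS_Adapters\otp'
)

$propsFile = Join-Path $AdapterRoot 'conf\registration.properties'

# The API key is sent to the Integrity API with every validation request,
# so refuse a plain-http URL before writing anything.
if ($ValidationUrl -notmatch '^https://') {
    throw "otp.valudation.url must use HTTPS, got: $ValidationUrl"
}

# Replace one key=value line in a .properties file, keeping every other line
# (comments included) untouched; append the key if it is not present yet.
function Set-PropertyValue {
    param([string]$Path, [string]$Key, [string]$Value)
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $found   = $false
    $updated = @(foreach ($line in Get-Content -Path $Path) {
        if ($line -match $pattern) { $found = $true; "$Key=$Value" } else { $line }
    })
    if (-not $found) { $updated += "$Key=$Value" }
    # ASCII avoids writing a byte-order mark in front of the first key
    Set-Content -Path $Path -Value $updated -Encoding ASCII
}

# 1. Unregister the currently installed adapter
& (Join-Path $AdapterRoot 'unregister.ps1')

# 2. Modify the configuration settings
Set-PropertyValue -Path $propsFile -Key 'api.key'            -Value $ApiKey
Set-PropertyValue -Path $propsFile -Key 'otp.valudation.url' -Value $ValidationUrl

# 3. Register again so ADFS loads the new settings
& (Join-Path $AdapterRoot 'register.ps1')

# registration.properties now holds the API key in clear text: review who can read it.
Get-Acl -Path $propsFile |
    Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Because the configuration is stored in a file on each node rather than in the ADFS configuration database, the ACL listing at the end is worth checking on every node: the API key secret should be readable by administrators and the ADFS service account only.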
Open AD FS management and deselect the ADFS adapters in the Authentication Methods section
Run unregister.ps1 in the C:\FortifiedID_ADFS_Adapters\otp folder
If you have an ADFS farm, please make sure to do the steps above on the other node as well
The ADFS servers must trust the Fortified ID Integrity API server certificates to ensure successful HTTPS communication.
Extract the certificate as a file from https://<integrity_api_dns_name>:8447 and add the file to the ADFS server (through cert.mmc: Local Machine -> Personal -> Trusted Root Certification Authorities -> Certificates).
Ensure that the SSL server certificate's common name (CN) or subject alternative name (SAN) matches the DNS host specified in the otp.validation.url setting.
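Both the TCP/8447 prerequisite and the certificate trust and name-match requirements above can be checked from an ADFS server before the adapter is registered. The following PowerShell is an added example, not part of the Fortified ID documentation: it takes the otp.valudation.url value as a parameter (the documentation's example URL is the default), tests TCP reachability, then performs a TLS handshake with the normal Windows validation rules and reports whether the chain is trusted and whether the certificate name matches the host in the URL.

```powershell
# Added example, not part of the Fortified ID documentation. Run on an ADFS server.
# ASSUMPTION: $ValidationUrl holds the otp.valudation.url value from registration.properties;
# the default below is the documentation's example URL.
param(
    [string]$ValidationUrl = 'https://api.fortifiedid.se:8447/api/Validate_OATH_token'
)

$uri = [System.Uri]$ValidationUrl
Write-Host "Checking $($uri.Host):$($uri.Port) from otp.valudation.url"

# 1. TCP reachability (prerequisite: TCP/8447 open from the ADFS servers to the API)
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP connection to $($uri.Host):$($uri.Port) failed - check firewall rules"
    return
}

# 2. TLS handshake. The callback records the policy errors the OS found (untrusted chain,
#    name mismatch) instead of silently accepting; returning $true only lets this
#    diagnostic finish the handshake so the certificate can be inspected.
$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errorsFound)
    $script:policyErrors = $errorsFound
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    # Validates the chain against the Local Machine trust stores and the name against $uri.Host
    $ssl.AuthenticateAsClient($uri.Host)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $ssl.Dispose()
} finally {
    $client.Close()
}

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) { Write-Host "SAN     : $($san.Format($false))" }

$found = $script:policyErrors
if ($found.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)) {
    Write-Warning "Chain not trusted on this ADFS server - import the Integrity API certificate (or its CA) into the Local Machine trust store"
}
if ($found.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)) {
    Write-Warning "CN/SAN does not match $($uri.Host) - fix the certificate or the host name in otp.valudation.url"
}
if ($found -eq [System.Net.Security.SslPolicyErrors]::None) {
    Write-Host "OK: certificate is trusted and matches $($uri.Host)" -ForegroundColor Green
}
```

Run it on every node in the farm, since certificate stores are per machine: a node whose store is missing the certificate will fail OATH validation while the others succeed, and the warnings printed here point at whichever of the two requirements (trust or name match) is not met.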
For graphical customizations, follow these guidelines.