Install and configure Fortified ID ADFS adapter for Oath
Last updated
Last updated
In this scenario, Microsoft Active Directory Federation Services (ADFS) utilizes the Fortified ID Oath adapter to meet MFA requirements through a supporting mobile app.
The ADFS adapter will communicate with the Fortified ID Integrity API service to verify the OATH token.
There are some prerequisite for this use case. You will need the following:
ADFS administration rights.
Allow communication from the ADFS servers to Fortified ID Integrity API using TCP/8447. It's possible change the port to the requirements of your environment.
(These steps have to be carried out on all servers in the ADFS farm.)
Unzip to C:\
The folder created should be named FortifiedID_ADFS_Adapters. If not, rename the folder.
Open C:\FortifiedID_ADFS_Adapters\otp\conf\registration.properties file
Change the settings for api.key and otp.valudation.url.
Set the api.key value to the configured Integrity API api key secret.
Set the otp.valudation.url value to the url in your environment.
Example:
api.key=secret
otp.valudation.url=https://api.fortifiedid.se:8447/api/Validate_OATH_token
Save the file
Open PowerShell with administrative privileges.
Install the adapter:
C:\FortifiedID_ADFS_Adapters\otp\register.ps1
Open AD FS management
Add the Additional Authentication Method to the desired policy.
If you have an ADFS farm, please make sure to do the steps above on the other node as well. Only the dll files will be installed on the other node.
Apply an access policy to a service (require MFA)
Test to logon to the service
Verify that the installed ADFS adapter are displayed
To debug, use the Event Viewer on the ADFS server and the server.log file on the Fortified ID Integrity API server(s).
To update the ADFS adapter configuration settings (ie settings in the config folder), the ADFS adapter must be re-registered.
Open AD FS management and deselect the ADFS adapters in the Authentication Methods section
Open PowerShell with administrative privileges.
Run the unregister.ps1 script located in the C:\FortifiedID\_ADFS\_Adapters\otp directory.
Modify the configuration settings in the C:\FortifiedID\_ADFS\_Adapters\otp\conf\registration.properties file.
Run the register.ps1 script located in the C:\FortifiedID\_ADFS\_Adapters\otp directory.
If you have an ADFS farm, please make sure to do the steps above on the other node as well. Only the dll files will be installed on the other node.
Verify that the changes work using the Test steps
To uninstall the ADFS adapter follow the steps below
Open AD FS management and deselect the ADFS adapters in the Authentication Methods section
Run unregister.ps1 in the C:\FortifiedID_ADFS_Adapters\otp folder
If you have an ADFS farm, please make sure to do the steps above on the other node as well
The ADFS servers must trust the Fortified ID Integrity API server certificates to ensure successful HTTPS communication.
Extract the certificate as a file from https://<integrity_api_dns_name>:8447. Add the file to the ADFS server (through cert.mmc. Local Machine->Personal->Trusted Root Certification Authorities->Certificates)
Ensure the SSL server certificate's common name (CN) or subject alternative name (SAN) matches the DNS host specified in the otp.validation.url setting.
Fortified ID Integrity API Take a note of the API key secret, as this will be used in later step. The DNS name of the Integrity API host / load balancer must also be known.
Download zip.
For graphical customizations,.
