Install and configure Fortified ID ADFS adapter for Siths eID
Last updated
Last updated
In this scenario, Microsoft Active Directory Federation Services, ADFS, uses the Fortified ID Siths eID adapters to fulfill MFA requirements, using smart card (SITHS-kort) or mobile app (Mobilt SITHS).
The ADFS adapter will communicate with Fortified ID Integrity API service, which will relay the communication against the Inera authentication service.
The ADFS adapter will perform a lookup against Active Directory to find the user social security number (personnummer).
The identifier of the result of the Siths eID authentication will be compared to the social security number fetched from AD, to verify that the Siths eID authentication was performed by the correct person.
There are some prerequisite for this use case. You will need the following:
ADFS administration rights.
Social security number (personnummer) stored on the Active Directory user object. The attribute name holding the value is also required.
Outgoing TCP/8443 communication. To be able to communicate with Integrity API service
(These steps have to be carried out on all servers in the ADFS farm.)
Unzip to C:\
The folder created should be named FortifiedID_ADFS_Adapters. If not, rename the folder.
Open C:/FortifiedID_ADFS_Adapters/on_same_device/config/registration_osd.properties
Change the first part of the siths.*.url values:
https://<integrity_api_dns_name>:8443
Example:
siths.init.url=https://int-api.company.local:8443/api/siths_eid_start siths.status.url=https://int-api.company.local:8443/api/siths_eid_collect
Set the api.key value to the Integrity API api key secret.
Set the mapping_attribute value to the user object attribute in AD, containing the user social security number.
Save the file
Open C:/FortifiedID_ADFS_Adapters/qr_code/config/registration_qr.properties and perform step 5-8 again.
Open C:/FortifiedID_ADFS_Adapters/on_same_device/config/init_siths.json
Change the values of organizationName and authMessage to suite yor environment. These values will be shown to the end user in the Siths eID program.
Open C:/FortifiedID_ADFS_Adapters/qr_code/config/init_siths.json
Change the values of organizationName and authMessage to suite yor environment. These values will be shown to the end user in the Siths eID program.
Open a Windows Powershell prompt as an administrator
Install the adapters:
C:/FortifiedID_ADFS_Adapters/on_same_device/register.ps1
C:/FortifiedID_ADFS_Adapters/qr_code/register.ps1
Open AD FS management
Change the authentication methods settings (primary, secondary) as desired.
Apply an access policy to a service (require MFA)
Test to logon to the service
Verify that the installed ADFS adapters are displayed
To debug, use the Event Viewer on the ADFS server and the server.log file on the Fortified ID Integrity API server(s).
To update ADFS adapter configuration settings (ie settings in the config folder), the ADFS adapter must be re-registrered.
Open AD FS management and deselect the ADFS adapters in the Authentication Methods section
Run deregister.ps
Change the configuration settings in the config folder
Run register.ps
Try again
Please note that if you deregister one of the adapters, the other adapter will become unusable. Therefore, if you need to remove one adapter but still want to use the other, you must reregister the remaining adapter after deregistering the first one.
The ADFS servers need to trust the Fortified ID Integrity API server certificates, otherwise the https communication will fail.
Extract the certificate as a file from https://<integrity_api_dns_name>:8443. Add the file to the ADFS server (through cert.mmc. Local Machine->Personal->Trusted Root Certification Authorities->Certificates)
Please also note that the SSL server certificate common name (or SAN) must match the DNS host entered in the siths.*.url values.
Fortified ID Integrity API . Take a note of the api key secret, as this will be used in later step. The DNS name of the Integrity API host / load balancer must also be known.
Download
For graphical customizations,.
