Install and configure Fortified ID ADFS adapter for Siths eID
In this scenario, Microsoft Active Directory Federation Services, ADFS, uses the Fortified ID Siths eID adapters to fulfill MFA requirements, using smart card (SITHS-kort) or mobile app (Mobilt SITHS).
The ADFS adapter will communicate with Fortified ID Integrity API service, which will relay the communication against the Inera authentication service.
The ADFS adapter will perform a lookup against Active Directory to find the user's social security number (personnummer).
The identifier returned by the Siths eID authentication will be compared with the social security number fetched from AD, to verify that the Siths eID authentication was performed by the correct person.
There are some prerequisites for this use case. You will need the following:
Fortified ID Integrity API installed and configured. Take a note of the api key secret, as this will be used in a later step. The DNS name of the Integrity API host / load balancer must also be known.
ADFS administration rights.
Social security number (personnummer) stored on the Active Directory user object. The name of the attribute holding the value is also required.
Outgoing TCP/8443 communication, to be able to reach the Integrity API service.
(These steps have to be carried out on all servers in the ADFS farm.)
1. Download the installer zip.
2. Unzip it to C:\
3. The folder created should be named FortifiedID_ADFS_Adapters. If not, rename the folder.
4. Open C:/FortifiedID_ADFS_Adapters/on_same_device/config/registration_osd.properties
5. Change the first part of the siths.*.url values to https://<integrity_api_dns_name>:8443
   Example:
   siths.init.url=https://int-api.company.local:8443/api/siths_eid_start
   siths.status.url=https://int-api.company.local:8443/api/siths_eid_collect
6. Set the api.key value to the Integrity API api key secret.
7. Set the mapping_attribute value to the AD user object attribute containing the user's social security number.
8. Save the file.
9. Open C:/FortifiedID_ADFS_Adapters/qr_code/config/registration_qr.properties and perform steps 5-8 again.
10. Open C:/FortifiedID_ADFS_Adapters/on_same_device/config/init_siths.json
11. Change the values of organizationName and authMessage to suit your environment. These values are shown to the end user in the Siths eID program.
12. Open C:/FortifiedID_ADFS_Adapters/qr_code/config/init_siths.json
13. Change the values of organizationName and authMessage to suit your environment. These values are shown to the end user in the Siths eID program.
14. Open a Windows PowerShell prompt as an administrator.
15. Install the adapters:
    C:/FortifiedID_ADFS_Adapters/on_same_device/register.ps1
    C:/FortifiedID_ADFS_Adapters/qr_code/register.ps1
16. Open AD FS management.
17. Change the authentication methods settings (primary, secondary) as desired.
18. Apply an access policy to a service (require MFA).
19. Test logging on to the service.
20. Verify that the installed ADFS adapters are displayed.
To debug, use the Event Viewer on the ADFS server and the server.log file on the Fortified ID Integrity API server(s).
To update ADFS adapter configuration settings (i.e. settings in the config folder), the ADFS adapter must be re-registered:
1. Open AD FS management and deselect the ADFS adapters in the Authentication Methods section.
2. Run deregister.ps1
3. Change the configuration settings in the config folder.
4. Run register.ps1
5. Try again.
Please note that if you deregister one of the adapters, the other adapter will become unusable. Therefore, if you need to remove one adapter but still want to use the other, you must re-register the remaining adapter after deregistering the first one.
The ADFS servers need to trust the Fortified ID Integrity API server certificates, otherwise the https communication will fail.
Extract the certificate as a file from https://<integrity_api_dns_name>:8443. Add the file to the ADFS server (through cert.mmc: Local Machine->Personal->Trusted Root Certification Authorities->Certificates).
Please also note that the SSL server certificate common name (or SAN) must match the DNS host entered in the siths.*.url values.
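The following PowerShell pre-flight check is an added example, not part of the Fortified ID installer or its register.ps1 scripts. Run it on each ADFS server before registering the adapters: it reads the siths.*.url values from the properties file (the default path below assumes the C:\ unzip location from the steps above), verifies outgoing TCP/8443 reachability, and confirms that the Integrity API server certificate is trusted by the machine and that its CN/SAN covers the DNS host written in the URL.

```powershell
# Added pre-flight check, not part of Fortified ID's own scripts: reads the adapter properties
# file and checks each siths.*.url target the way the ADFS server will use it: https on TCP/8443,
# reachable, certificate trusted by this machine, and CN/SAN covering the DNS host in the URL.
param(
    # Assumed default location; point it at registration_qr.properties for the QR adapter.
    [string]$PropertiesFile = 'C:\FortifiedID_ADFS_Adapters\on_same_device\config\registration_osd.properties'
)
# Minimal .properties parser: one key=value per line, lines starting with '#' are comments.
$props = @{}
foreach ($line in Get-Content -Path $PropertiesFile) {
    if ($line -match '^\s*([^#=][^=]*?)\s*=\s*(.*)$') { $props[$Matches[1]] = $Matches[2].Trim() }
}
foreach ($k in 'api.key', 'mapping_attribute') {
    if (-not $props[$k]) { Write-Warning "$k is empty in $PropertiesFile" }
}
$urlKeys = @($props.Keys | Where-Object { $_ -like 'siths.*.url' })
if ($urlKeys.Count -eq 0) { throw "No siths.*.url entries found in $PropertiesFile" }
foreach ($key in $urlKeys) {
    $tcp = $null; $ssl = $null
    try {
        $uri = [Uri]$props[$key]
        if ($uri.Scheme -ne 'https' -or $uri.Port -ne 8443) {
            Write-Warning "${key}: expected https://<host>:8443/..., got $($props[$key])"
        }
        # Plain TCP connect first: a failure here is DNS or firewall (outgoing 8443), not TLS.
        $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
        # Accept any certificate during the handshake so it can be inspected afterwards.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Names the certificate is valid for: subject CN plus DNS entries from the SAN extension.
        $names = @($cert.GetNameInfo('SimpleName', $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $names += ($san.Format($false) -split ',\s*') -replace '^(DNS Name=|DNS:)\s*', '' }
        $nameOk  = [bool]($names | Where-Object { $uri.Host -like $_ })  # -like also honours wildcard names
        $trusted = $cert.Verify()                                         # chain built against local trust stores
        '{0}: host={1} trusted={2} nameMatch={3} subject={4} expires={5:yyyy-MM-dd}' -f `
            $key, $uri.Host, $trusted, $nameOk, $cert.Subject, $cert.NotAfter
        if (-not $trusted) { Write-Warning "Import the Integrity API CA certificate into Local Machine\Trusted Root Certification Authorities" }
        if (-not $nameOk)  { Write-Warning "Certificate names ($($names -join ', ')) do not cover $($uri.Host)" }
    } catch {
        Write-Warning "${key}: TLS check of $($props[$key]) failed - $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Close() }; if ($tcp) { $tcp.Close() }
    }
}
```

A trusted=False result means the step above (importing the certificate into the Local Machine trust store) is still missing on this server; nameMatch=False means the host in the siths.*.url values and the certificate CN/SAN disagree, which causes the same https failure.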
For graphical customizations, follow these guidelines.