Configure MFA for ADFS
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
Active Directory Federation Services (ADFS) is a single sign-on solution for Active Directory that enables users to log in to external systems and applications with their Active Directory credentials. It provides users with a single sign-on experience when they log in to their organization's web-based applications.
With the AuthPoint ADFS agent, you can add multi-factor authentication (MFA) to ADFS for additional security. To do this, you must add an ADFS resource in the AuthPoint management UI and install the ADFS agent on your ADFS server.
To use MFA with ADFS, you must have a primary AuthPoint Gateway installed on your ADFS server. If you have not already installed the AuthPoint Gateway, see About Gateways.
For Active Directory users to use AuthPoint MFA with ADFS, you must keep the default sAMAccountName value for the attribute related to user login when you configure your external identity.
Configure an ADFS Resource
In the AuthPoint management UI:
- From the AuthPoint navigation menu, select Resources.
- Click Add Resource.
The Add Resource page opens.
- From the Type drop-down list, select ADFS.
- In the Name text box, type a descriptive name for the resource.
- Click Save.
- Add the ADFS resource to your existing authentication policies, or add new authentication policies for the ADFS resource. Authentication policies specify which resources users can authenticate to and which authentication methods they can use. For more information, see About AuthPoint Authentication Policies.
Add the ADFS Resource to Your Gateway Configuration
To use MFA with ADFS, you must have the AuthPoint Gateway installed and you must associate your ADFS resource with the AuthPoint Gateway. The AuthPoint Gateway is the point of communication between AuthPoint and your ADFS server.
If you have not already installed the AuthPoint Gateway, see About Gateways.
To add your ADFS resource to the configuration for your AuthPoint Gateway:
- From the AuthPoint navigation menu, select Gateway.
- Click the Name of your Gateway.
- In the ADFS section, from the Select an ADFS resource list, select your ADFS resource.
- Click Save.
You have successfully associated your ADFS resource with your Gateway. The next step is to download and install the ADFS agent.
Download and Install the ADFS Agent
You must download the configuration file for the Gateway that your ADFS resource is associated with, then you must download and install the ADFS agent.
Your Gateway must be installed and available when you install the ADFS agent.
To download and install the ADFS agent:
- From the AuthPoint navigation menu, select Downloads.
- In the ADFS section, click Download Installer. You must have an ADFS resource and your installed Gateway must be version 4.0.0 or higher to download the configuration file.
- Click Download Config to download the configuration file. If you have multiple Gateways, you are prompted to select which Gateway your ADFS resource is associated with.
- Move the ADFS agent and the configuration file to the ADFS server.
- Run the ADFS agent.
You can only install the ADFS agent on the server with your primary Gateway. To install the ADFS agent on a secondary Gateway server, you must make your secondary Gateway the primary Gateway temporarily while you install the ADFS agent.
- Add your ADFS resource to the configuration for your secondary AuthPoint Gateway. For more information on how to add an ADFS resource to a Gateway, go to the Add the ADFS Resource to Your Gateway Configuration section of this help topic.
- Change your secondary Gateway to the primary Gateway so that you can install the ADFS agent. For more information on how to change the primary Gateway, go to Change the Primary Gateway.
- Download and install the ADFS agent on your secondary Gateway server (now the primary Gateway).
- In the AuthPoint management UI, make your original Gateway the primary Gateway again. This is the Gateway that is used to synchronize users from your Active Directory or LDAP database.
Configure Your Server
After you install the ADFS agent, you must enable MFA in ADFS for specific groups. MFA only works for the users that are a member of the ADFS groups that you select and a member of the AuthPoint groups with an authentication policy for your ADFS resource.
The steps to enable MFA for ADFS groups are different based on whether you have a Windows Server 2012 R2 server or a Windows Server 2016 server. The first procedure applies to Windows Server 2012 R2, the second to Windows Server 2016.
Windows Server 2012 R2:
- Open the Administrative Tools.
- Select AD FS Management.
- Select Authentication Policies.
- In the Multi-factor Authentication Methods section, click Edit to configure MFA globally. To configure MFA per relying party, click Manage.
- In the Edit Global Authentication Policy window, click Add.
- In the Select Users or Groups window, type the name of the LDAP group(s) to enable MFA for.
- Click OK.
- In the Edit Global Authentication Policy window, in the additional authentication methods section, select WatchGuard Multi Factor Authentication.
- Click Apply.
After you configure MFA, AD FS Management shows the selected users/groups and the authentication method.
Windows Server 2016:
- Open Administrative Tools.
- Select AD FS Management.
- Select Service > Authentication Methods.
- In the Multi-factor Authentication Methods section, click Edit.
- In the Edit Authentication Methods window, select WatchGuard Multi Factor Authentication. Click Apply.
MFA is now required for users to access ADFS resources. To configure MFA only for specific users, you must create an access control policy for an AD group with those users.
- (Optional) Create an AD group for the users who must use MFA. If you already have a group, you do not have to create another one.
- Select Access Control Policies.
- Click Add Access Control Policy.
The Add Access Control Policy window opens.
- In the Name text box, type Permit everyone but require MFA for specific groups.
- Type a Description.
- Click Add.
The Rule Editor window opens.
- In the Rule Editor, configure these settings:
- For Permit, select everyone.
- For Except, select from specific groups.
- At the bottom of the window, click specific and select the Active Directory group(s) that you want to require MFA for.
- Click OK to save the rule.
- Click Add to add another rule.
The Rule Editor window opens.
- In the Rule Editor, configure these settings:
- For Permit, select users.
- Below users, select the from specific groups and the and require multi-factor authentication check boxes.
- For Except, select from specific groups.
- At the bottom of the window, click specific and select the Active Directory group(s) that you want to require MFA for.
- Click OK to save the rule.
- Select Relying Party Trusts.
- Right-click on a trust and select Edit Access Control Policy.
- Select the policy you just created.
- Click OK. Restart the ADFS service.
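After you complete the procedure for your server version, it is worth confirming from the command line that the result matches what you selected in AD FS Management: that the WatchGuard provider is registered, that it is enabled as an additional authentication method in the global policy, and (on Windows Server 2016) which relying party trusts actually use the access control policy you created. The following PowerShell script is an added example written for this help topic; it is not a script from WatchGuard or Microsoft. It uses only the standard ADFS cmdlets. The provider name pattern (`WatchGuard`) is an assumption, because the internal provider name the agent registers is not stated above; compare it against what Get-AdfsAuthenticationProvider reports on your server. The policy name is the one given in the steps above.

```powershell
# Added example (not WatchGuard's or Microsoft's own script): audit the ADFS MFA
# configuration described in the steps above. Run in an elevated PowerShell
# session on the ADFS server.
Import-Module ADFS

# Assumption: the agent registers a provider whose name or description contains
# "WatchGuard". Check Get-AdfsAuthenticationProvider and adjust if needed.
$providerPattern = 'WatchGuard'
# Name used in the help topic for the access control policy created above.
$mfaPolicyName   = 'Permit everyone but require MFA for specific groups'

# 1. Is a matching authentication provider registered with ADFS at all?
$provider = Get-AdfsAuthenticationProvider | Where-Object {
    $_.Name -like "*$providerPattern*" -or $_.Description -like "*$providerPattern*"
} | Select-Object -First 1

if (-not $provider) {
    Write-Warning "No authentication provider matching '$providerPattern' is registered. Is the ADFS agent installed?"
} else {
    Write-Host "Registered provider: $($provider.Name)"
}

# 2. Is the provider selected as an additional (MFA) method in the global policy?
#    This is what the Multi-factor Authentication Methods check box controls.
$globalPolicy = Get-AdfsGlobalAuthenticationPolicy
$enabled = @($globalPolicy.AdditionalAuthenticationProvider) -contains $provider.Name

if ($provider -and -not $enabled) {
    Write-Warning "Provider '$($provider.Name)' is registered but not selected under Multi-factor Authentication Methods."
    # Command-line equivalent of selecting the check box in the Edit Authentication Methods window:
    # Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $provider.Name
} elseif ($provider) {
    Write-Host "Provider '$($provider.Name)' is enabled as an additional authentication method."
}

# 3. Windows Server 2016 only: which relying party trusts use the MFA access
#    control policy? Access control policies do not exist on Windows Server
#    2012 R2, so the cmdlet is absent there and this step is skipped.
if (Get-Command Get-AdfsAccessControlPolicy -ErrorAction SilentlyContinue) {
    if (-not (Get-AdfsAccessControlPolicy -Name $mfaPolicyName -ErrorAction SilentlyContinue)) {
        Write-Warning "Access control policy '$mfaPolicyName' does not exist."
    }
    Get-AdfsRelyingPartyTrust | ForEach-Object {
        $status = if ($_.AccessControlPolicyName -eq $mfaPolicyName) { 'MFA policy' } else { 'NO MFA policy' }
        [pscustomobject]@{
            RelyingParty = $_.Name
            Policy       = $_.AccessControlPolicyName
            Status       = $status
        }
    } | Format-Table -AutoSize
}
```

Trusts reported as NO MFA policy still accept a password-only login, so this list is the one to review after you assign the policy to a trust and restart the ADFS service; rerun the script afterwards to confirm the assignment took effect.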
Authentication with ADFS
When MFA is configured for ADFS, users must authenticate when they access your organization's web applications. When a user navigates to a web application, they are redirected to the ADFS SSO page where they must provide their AD credentials and authenticate with MFA.
When a user authenticates through ADFS, the user receives a prompt to share their location. This prompt appears even if your AuthPoint account does not use geofence and geokinetics policy objects.
To authenticate through ADFS:
- Navigate to an external web application.
You are redirected to the ADFS SSO page.
- In the User name text box, type your user name or email. User names must be formatted as user@domain or domain\user.
- In the Password text box, type your password.
- Click Log in.
- From the Sign-in Options section, select an authentication option and authenticate.
- Push — Approve the push notification that is sent to your phone
- QR Code — Use the AuthPoint mobile app to scan the QR code, then type the verification code shown in the app
- One-Time Password — Type the one-time password for your token
Set a Custom Login Page for ADFS