
Setting up ADFS two-factor authentication

General information

This article describes how to configure two-factor authentication in Active Directory Federation Services (ADFS) for access to enterprise applications.

Possible authentication methods:

  • MultiFactor Mobile Application
  • Telegram
  • SMS
  • Biometrics
  • Hardware OTP tokens
  • OTP applications: Google Authenticator or Yandex.Key


Scheme of work

  1. The user opens a corporate application;
  2. ADFS requests the first factor of authentication, login and password, verifies the entered data and, if it is correct, proceeds to the second stage of authentication;
  3. At the second stage, the Multifactor second-factor window opens, in which the user is asked to confirm access;
  4. The user confirms the second access factor and proceeds to work with the application.

To configure the second factor of authentication, you will need to install and configure the MultiFactor.ADFS.Adapter component on the ADFS server. The component is developed and supported by Multifactor and is distributed free of charge along with the source code. The current version is on GitHub: source code and compiled build.

License

Please note the license. It does not give you the right to make changes to the source code of the Component or create derivative works based on it. The source code is provided for informational purposes.

Installation requirements

  1. The component needs access to the host api.multifactor.kz via TCP port 443 (TLS) directly or through an HTTP proxy;
  2. The server must be set to the correct time.

Setting up Multifactor

  1. In the Multifactor management system, add a new resource of type “Website”; the API Key and API Secret for it will then be generated. Use the JwtHS256 access token format.

Setting up ADFS

  1. Download and extract the archive to the ADFS server.
  2. Edit the configuration file MultiFactor.ADFS.Adapter.dll.config: enter the access keys (API Key and API Secret) from your Multifactor personal account.
  3. Run the PowerShell script install.ps1 with administrator rights.
  4. Go to the ADFS management console, in the "Authentication methods" -> "Multi-factor Authentication Methods" section, enable the MultiFactor method.
  5. In the Relying Party Trusts section, edit the Access Policy for applications where you need to enable 2FA.

If something doesn't work

  • If errors occur when installing the plugin, check that you are running the installation script as an administrator;
  • To work in a cluster configuration, the component must be installed on all servers in the cluster;
  • Errors related to the operation of the component can be viewed on the ADFS server in the Windows Event Log: in the Application log, events from the MultiFactor source, as well as in the ADFS log;
  • If the iframe with the second factor window does not load, and you see an error in the browser console:

    Refused to frame 'https://access.multifactor.kz/' because it violates the following
    Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was
    not explicitly set, so 'default-src' is used as a fallback.

Then add the domain access.multifactor.kz to the content security policy exceptions, allowing it to open in a frame. This can be done with the following PowerShell command, running as administrator:

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" `
-SetHeaderValue "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; frame-src access.multifactor.kz"
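The command above replaces the whole Content-Security-Policy header with a fixed value. The following added example (not part of the Multifactor documentation or the adapter) instead reads the policy ADFS currently sends, adds access.multifactor.kz to frame-src while keeping every other directive as it is, and verifies the result; it assumes Windows Server 2019 or later, where Get-AdfsResponseHeaders exposes the configured headers in its ResponseHeaders property.

```powershell
# Added example: merge the Multifactor host into the existing ADFS CSP rather than
# overwriting the header. Assumption: (Get-AdfsResponseHeaders).ResponseHeaders is a
# header-name -> value collection, as on Windows Server 2019+.
$MfaHost = 'access.multifactor.kz'

function Add-CspFrameSource {
    param([string]$Policy, [string]$Source)
    # Parse "directive src src; directive src ..." into an ordered name -> sources map.
    $directives = [ordered]@{}
    foreach ($part in ($Policy -split ';')) {
        $tokens = @($part.Trim() -split '\s+' | Where-Object { $_ })
        if ($tokens.Count -eq 0) { continue }
        $sources = if ($tokens.Count -gt 1) { $tokens[1..($tokens.Count - 1)] } else { @() }
        $directives[$tokens[0]] = @($sources)
    }
    if (-not $directives.Contains('frame-src')) {
        # No explicit frame-src: the browser falls back to default-src. Start the new
        # directive from those sources so anything already framed keeps working.
        $directives['frame-src'] = @($directives['default-src'] | Where-Object { $_ })
    }
    if ($directives['frame-src'] -notcontains $Source) {
        $directives['frame-src'] = @($directives['frame-src']) + $Source
    }
    # Serialise the directives back into a single policy string.
    ($directives.GetEnumerator() | ForEach-Object {
        "$($_.Key) $(@($_.Value) -join ' ')".Trim()
    }) -join '; '
}

$current = (Get-AdfsResponseHeaders).ResponseHeaders['Content-Security-Policy']
$updated = Add-CspFrameSource -Policy $current -Source $MfaHost
Write-Host "Current CSP: $current"
Write-Host "Updated CSP: $updated"

Set-AdfsResponseHeaders -SetHeaderName 'Content-Security-Policy' -SetHeaderValue $updated

# Read the header back and confirm frame-src now lists the Multifactor host.
$after = (Get-AdfsResponseHeaders).ResponseHeaders['Content-Security-Policy']
if ($after -notmatch "frame-src[^;]*\b$([regex]::Escape($MfaHost))") {
    throw "frame-src was not updated, header is now: $after"
}
```

Run it in an elevated PowerShell session on each ADFS server; in a cluster the response headers are part of the farm configuration, but the check at the end is worth repeating against every node.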
