Active Directory Federation Services (ADFS) is a single sign-on solution for Active Directory that enables users to log in to external systems and applications with their Active Directory credentials. It provides users with a single sign-on experience when they log in to their organization's web-based applications.
With the AuthPoint ADFS agent, you can add multi-factor authentication (MFA) to ADFS for additional security. To do this, you must add an ADFS resource in the AuthPoint management UI and install the ADFS agent on your ADFS server.
To use MFA with ADFS, you must have the AuthPoint Gateway installed. If you have not already installed the AuthPoint Gateway, see About Gateways.
In the AuthPoint management UI:
To use MFA with ADFS, you must have the AuthPoint Gateway installed and you must associate your ADFS resource with the AuthPoint Gateway. The AuthPoint Gateway is the point of communication between AuthPoint and your ADFS server.
If you have not already installed the AuthPoint Gateway, see About Gateways.
To add your ADFS resource to the configuration for your AuthPoint Gateway:
You have successfully associated your ADFS resource with your Gateway. The next step is to download and install the ADFS agent.
You must download the configuration file for the Gateway that your ADFS resource is associated with, then you must download and install the ADFS agent.
Your Gateway must be installed and available when you install the ADFS agent.
After you install the ADFS agent, you must enable MFA in ADFS for specific groups. MFA only works for users who are members of both the ADFS groups that you select and the AuthPoint groups that have an access policy for your ADFS resource.
The steps to enable MFA for ADFS groups differ depending on whether your ADFS server runs Windows Server 2012 R2 or Windows Server 2016.
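As an added example that is not part of the AuthPoint documentation, the following PowerShell scopes the ADFS additional-authentication (MFA) requirement to one AD group using the global claim-rule method available on Windows Server 2012 R2 (Windows Server 2016 can alternatively use access control policies on the relying party trust), and then reads the configuration back to confirm the rule and an enabled MFA provider are present. The group SID is a placeholder, and the cmdlets are run in an elevated session on the ADFS server.

```powershell
# Added example, not from the AuthPoint or ADFS documentation.
# Assumes an elevated PowerShell session on the ADFS server itself.
Import-Module ADFS

# Placeholder: replace with the SID of the AD group whose members should get MFA.
$groupSid = 'S-1-5-21-PLACEHOLDER-GROUP-SID'

# Claim rule: when the signed-in user carries this group SID, ADFS issues the
# "multipleauthn" authentication-method claim, which forces the additional
# authentication step handled by the registered MFA provider.
$mfaRule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Apply the rule as the farm-wide additional authentication policy.
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# Check 1: the stored rule set still references the intended group.
$storedRules = Get-AdfsAdditionalAuthenticationRule
if ($storedRules -notmatch [regex]::Escape($groupSid)) {
    Write-Warning 'The additional authentication rule does not reference the expected group SID.'
}

# Check 2: at least one additional (MFA) provider is enabled in the global policy.
# With a rule that demands MFA but no provider enabled, affected users cannot
# complete sign-in instead of being challenged, so this is worth verifying.
$globalPolicy = Get-AdfsGlobalAuthenticationPolicy
if (-not $globalPolicy.AdditionalAuthenticationProvider) {
    Write-Warning 'No additional authentication provider is enabled in the global policy.'
}

# List the providers registered on this server for comparison with the enabled set.
Get-AdfsAuthenticationProvider | Select-Object Name, IsCustom
```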
When MFA is configured for ADFS, users must authenticate when they access your organization's web applications. When a user navigates to a web application, they are redirected to the ADFS SSO page where they must provide their AD credentials and authenticate with MFA.
To authenticate through ADFS: