Two Factor Authentication

Steps to enable 2FA on top of ADFS Authentication

November 29, 2018 (updated December 10, 2018)

This guide explains how to enable 2FA using miniOrange as an identity broker between Dynamics CRM and ADFS.

  1. Add ADFS as an Identity Source in miniOrange.
      • Log in to the miniOrange console with your miniOrange account.
      • In the left navigation bar, click on Identity Sources.
      • Click on Add Identity Source.
      • Configure ADFS as the Identity Source here by entering all the required values:
        • Login URL: https:///adfs/ls
        • IdP Entity ID: http:///adfs/services/trust
        • X.509 Certificate:
      • Click on Save.
  2. Add miniOrange as a Relying Party Trust in ADFS.
      • Log in to ADFS. In ADFS, click on Add Relying Party Trust, then click on Start.
      • In Select Data Source, select Enter data about the relying party manually.
      • Click Next. In Specify Display Name, enter a display name.
      • Click Next. Select ADFS profile.
      • Click on Next. Select Enable support for the SAML 2.0 Web SSO protocol.
      • Enter the Relying party SAML 2.0 SSO Service URL as: https://auth.miniorange.com/moas/broker/login/saml/acs/{your_customer_id}
        You can find the customer id here:
      • Enter the SSO URL and click on Next.
      • Enter https://auth.miniorange.com/moas as the Relying Party Trust Identifier and click on Add.
      • After adding the URL, click on Next. In Configure Multi-factor Authentication Now, select I do not want to configure multi-factor authentication settings for this relying party trust. Click Next.
      • In Choose Issuance Authorization Rules, select Permit all users to access this relying party. Click Next.
      • In Ready to Add Trust, click Next. After the Relying Party Trust is added, click on Edit Claim Rules.
      • Click Add Rule and then select Send LDAP Attributes as Claims.
      • Click on Next. Enter the following:
        • Claim rule name: Attributes
        • Attribute Store: Active Directory
        • LDAP Attribute: E-Mail-Addresses
        • Outgoing Claim Type: Name ID
      • Click Finish.
  3. Create an SP App for your SP (Dynamics CRM) in miniOrange.
      • In the left navigation bar, click on Apps -> Manage Apps.
      • Click on Configure Apps.
      • Select WS-Federation and add a new Custom WS-Fed App.
      • Configure an App name, enter your WT-Realm and Reply URL, and define a policy for the app. Make sure to check Enable Second Factor.
      • Click on Save.
  4. Configure miniOrange as an Identity Source in the SP (Dynamics CRM).
      • You can find the necessary details (Certificate / WT-Realm / Reply URL) in the Metadata link of the app you configured in Step 3.
      • Use these values to configure miniOrange as the Identity Source in your SP (Dynamics CRM).
      • After these steps are completed, when the user logs in from the SP (Dynamics CRM), they will be asked to authenticate with their AD credentials.
      • The user will then be prompted for inline registration with miniOrange.
      • After this step, the user will be asked to set up 2FA and can choose the authentication method they wish to use.
      • Next, the user can set up KBA (Security Questions) as a backup 2FA method to use in case their phone is lost or not with them.
      • Once this initial registration is done and the second factor has been set up successfully, the user will be prompted for the configured 2FA method every time they log in.
      • After successful authentication, the user will be logged in to the SP.
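Added example (not part of this guide or of miniOrange's own tooling): the ADFS side of step 2, scripted with the ADFS PowerShell module on the ADFS server, so the trust can be recreated consistently and checked before a login is tested. The display name "miniOrange" and the claim-rule language shown are assumptions; `{your_customer_id}` must be replaced with the customer id from the miniOrange console.

```powershell
# Added example, not from the original guide or miniOrange.
# Assumed: display name "miniOrange"; {your_customer_id} is a placeholder.
Import-Module ADFS

$displayName = "miniOrange"
$acsUrl      = "https://auth.miniorange.com/moas/broker/login/saml/acs/{your_customer_id}"
$identifier  = "https://auth.miniorange.com/moas"

# SAML 2.0 Assertion Consumer Service endpoint (HTTP-POST binding), the value
# the wizard calls "Relying party SAML 2.0 SSO service URL".
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# "Send LDAP Attributes as Claims": E-Mail-Addresses (LDAP attribute "mail")
# from the Active Directory store, issued as the Name ID claim.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# No additional authentication rules are set here: as in the wizard, ADFS does
# not enforce MFA for this trust because miniOrange applies the second factor.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: confirm the identifier and ACS URL match the values miniOrange expects.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Enabled, Identifier, @{ n = 'AcsUrl'; e = { $_.SamlEndpoints.Location } }
```

Run the script in an elevated PowerShell session on the ADFS server; the final check should list the identifier https://auth.miniorange.com/moas and the ACS URL entered above.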