Two Factor Authentication

Steps to enable 2FA on top of ADFS Authentication

November 29, 2018 / August 22, 2019

This guide explains how to enable 2FA using miniOrange as an identity broker between Dynamics CRM and ADFS. ADFS stays the identity source that checks the AD credentials; miniOrange sits in front of Dynamics CRM and adds the second factor.

  1. Add ADFS as an Identity Source in miniOrange.
    • Log in to the miniOrange console with your miniOrange account.
    • In the left navigation bar, click on Identity Sources.
    • Click on Add Identity Source.
    • Configure ADFS as the Identity Source by entering all the required values:
      • Login URL: https:///adfs/ls
      • IdP Entity ID: http:///adfs/services/trust
      • X.509 Certificate:
    • Click on Save.
  2. Add miniOrange as a Relying Party Trust in ADFS.
    • Log in to ADFS. In ADFS, click on Add Relying Party Trust, then click on Start.
    • In Select Data Source, select Enter data about the relying party manually.
    • Click Next. In Specify Display Name, enter a display name.
    • Click Next. Select ADFS profile.
    • Click Next. Select Enable support for the SAML 2.0 Web SSO protocol.
    • Enter the Relying party SAML 2.0 SSO service URL as: https://login.xecurify.com/moas/broker/login/saml/acs/{your_customer_id}
      You can find the customer id here:
    • Enter the SSO URL and click on Next.
    • Enter https://login.xecurify.com/moas as the Relying Party Trust identifier and click on Add.
    • After adding the URL, click on Next. In Configure Multi-factor Authentication Now, select I do not want to configure multi-factor authentication settings for this relying party trust. Click Next.
    • In Choose Issuance Authorization Rules, select Permit all users to access this relying party. Click Next.
    • In Ready to Add Trust, click Next. After the Relying Party Trust is added, click on Edit Claim Rules.
    • Click Add Rule and then select Send LDAP Attributes as Claims.
    • Click on Next. Enter the following:
      • Claim rule name: Attributes
      • Attribute Store: Active Directory
      • LDAP Attribute: E-Mail-Addresses
      • Outgoing Claim Type: Name ID
    • Click Finish.
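The same relying party trust can be registered from the ADFS PowerShell module instead of the wizard, which makes the configuration reviewable and repeatable. The script below is an added example, not code from the miniOrange guide or from Microsoft; it assumes an elevated PowerShell session on the ADFS server with the ADFS module available, uses the display name miniOrange, and uses CUSTOMER_ID_PLACEHOLDER where the customer id from the miniOrange console goes. The claim rules reproduce the wizard choices above: Send LDAP Attributes as Claims with E-Mail-Addresses mapped to Name ID, and Permit all users for issuance authorization.

```powershell
# Added example (not from the original guide): registers miniOrange as a Relying Party
# Trust in ADFS with the same settings the wizard steps above describe.
# Assumptions: run in an elevated PowerShell on the ADFS server; CUSTOMER_ID_PLACEHOLDER
# stands for the customer id shown in the miniOrange console.
Import-Module ADFS

$customerId = 'CUSTOMER_ID_PLACEHOLDER'   # replace with the id from the miniOrange console
$acsUrl     = "https://login.xecurify.com/moas/broker/login/saml/acs/$customerId"
$identifier = 'https://login.xecurify.com/moas'   # Relying Party Trust identifier from the guide

# SAML 2.0 Web SSO endpoint: the broker's Assertion Consumer Service (POST binding)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# "Send LDAP Attributes as Claims": E-Mail-Addresses -> Name ID
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# No MFA policy is attached here: the second factor is enforced by the miniOrange app
# (Enable Second Factor), matching the "I do not want to configure MFA" choice above.
Add-AdfsRelyingPartyTrust -Name 'miniOrange' `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Review what was registered before testing the login flow: the identifier and the
# ACS URL must match exactly what miniOrange sends, or the SAML response is rejected.
Get-AdfsRelyingPartyTrust -Name 'miniOrange' |
    Select-Object Name, Identifier, @{ n = 'ACS'; e = { $_.SamlEndpoints.Location } }
```

The final Get-AdfsRelyingPartyTrust call is the check worth keeping: an identifier or ACS URL that differs by a trailing slash or a wrong customer id is the usual reason the broker login fails after the trust looks correctly added in the wizard.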
  3. Create an SP App for your SP (Dynamics CRM) in miniOrange.
    • In the left navigation bar, click on Apps -> Manage Apps.
    • Click on Configure Apps.
    • Select WS-Federation and add a new Custom WS-Fed App.
    • Configure an App name, enter your WT-Realm and Reply URL, and define a policy for the app. Make sure to check Enable Second Factor; this is the setting that enforces 2FA for the app.
    • Click on Save.
  4. Configure miniOrange as an Identity Source in the SP (Dynamics CRM).
    • You can find the necessary details (Certificate / WT-Realm / Reply URL) in the Metadata link of the app you configured in Step 3.
    • Use these values to configure miniOrange as the Identity Source in your SP (Dynamics CRM).
    • After these steps are completed, when the user logs in from the SP (Dynamics CRM), they are asked to authenticate with their AD credentials.
    • The user is then prompted for inline registration with miniOrange.
    • After this step the user is asked to set up 2FA and can choose the authentication method they wish to use.
    • The user can then set up KBA (Security Questions) as a backup 2FA method, to be used if the phone is lost or not at hand.
    • Once this initial registration is done and 2FA has been set up successfully, the user is prompted for the configured second factor on every login.
    • After successful authentication, the user is logged in to the SP.