Steps to enable 2FA on top of ADFS Authentication

This guide explains how to enable 2FA using miniOrange as an identity broker between Dynamics CRM and ADFS: ADFS stays the source of AD credentials, miniOrange adds the second factor, and Dynamics CRM trusts miniOrange over WS-Federation.

  1. Add ADFS as an Identity Source in miniOrange.
    • Log in to the miniOrange console with your miniOrange account.
    • In the left navigation bar, click on Identity Sources.
    • Click on Add Identity Source.
    • Configure ADFS as the Identity Source by entering all the required values:
      Login URL: https:///adfs/ls
      IdP Entity ID: http:///adfs/services/trust
      X.509 Certificate: the token-signing certificate of your ADFS server (miniOrange uses it to verify the signature on the SAML response from ADFS)
    • Click on Save.
  2. Add miniOrange as a Relying Party Trust in ADFS.
    • Log in to ADFS. In ADFS, click on Add Relying Party Trust, then click on Start.
    • In Select Data Source, select Enter data about the relying party manually.
    • Click Next. In Specify Display Name, enter a display name.
    • Click Next. Select ADFS profile.
    • Click Next. Select Enable support for the SAML 2.0 Web SSO protocol.
    • Enter the Relying party SAML 2.0 SSO service URL as: https://login.xecurify.com/moas/broker/login/saml/acs/{your_customer_id}. You can find your customer id in your miniOrange account.
    • Enter the SSO URL and click on Next.
    • Enter https://login.xecurify.com/moas as the Relying party trust identifier and click on Add.
    • After adding the URL, click on Next. In Configure Multi-factor Authentication Now, select I do not want to configure multi-factor authentication settings for this relying party trust. Click Next.
    • In Choose Issuance Authorization Rules, select Permit all users to access this relying party. Click Next.
    • In Ready to Add Trust, click Next. After the Relying Party Trust is added, click on Edit Claim Rules.
    • Click Add Rule and then select Send LDAP Attributes as Claims.
    • Click on Next. Enter the following:
      Claim rule name: Attributes
      Attribute store: Active Directory
      LDAP Attribute: E-Mail-Addresses
      Outgoing Claim Type: Name ID
    • Click Finish.
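The ADFS side of Step 2 can also be done with the ADFS PowerShell module instead of the wizard. The script below is an added example, not part of the miniOrange guide; it assumes it runs in an elevated PowerShell on the federation server, that the POST binding is used for the ACS endpoint, and it keeps the guide's {your_customer_id} placeholder, which you must replace with your real customer id.

```powershell
# Added example (not from the miniOrange guide): create the miniOrange relying
# party trust with the same values the wizard steps above ask for.
Import-Module ADFS

$customerId = '{your_customer_id}'   # placeholder from the guide, replace with yours
$acsUrl     = "https://login.xecurify.com/moas/broker/login/saml/acs/$customerId"
$identifier = 'https://login.xecurify.com/moas'

# "Enable support for the SAML 2.0 Web SSO protocol" + the SSO service URL.
# POST binding is an assumption; it is the usual choice for an ACS endpoint.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri $acsUrl -Index 0

# "Send LDAP Attributes as Claims": E-Mail-Addresses (LDAP attribute 'mail')
# issued as Name ID. This is the rule the wizard generates for those values.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'miniOrange' `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: the trust exists, has an ACS endpoint and issues a Name ID claim.
$rp = Get-AdfsRelyingPartyTrust -Name 'miniOrange'
if (-not $rp -or $rp.SamlEndpoints.Count -eq 0) {
    throw 'Relying party trust was not created or has no SAML endpoint'
}
if ($rp.IssuanceTransformRules -notmatch 'nameidentifier') {
    throw 'Name ID claim rule is missing'
}
$rp | Select-Object Name, Identifier, SamlEndpoints
```

If ADFS rejects the trust because the identifier already exists, an earlier wizard run created it; inspect it with Get-AdfsRelyingPartyTrust rather than adding a second one.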
  3. Create an SP App for your SP (Dynamics CRM) in miniOrange.
    • In the left navigation bar, click on Apps -> Manage Apps.
    • Click on Configure Apps.
    • Select WS-Federation and add a new Custom WS-Fed App.
    • Configure an App name, enter your WT-Realm and Reply URL, and define a policy for the app. Make sure to check Enable Second Factor; this is the setting that enforces the second factor for this app.
    • Click on Save.
  4. Configure miniOrange as an Identity Source in the SP (Dynamics CRM).
    • You can find the necessary details (Certificate / WT-Realm / Reply URL) in the Metadata link of the app you configured in Step 3.
    • Use these values to configure miniOrange as the Identity Source in your SP (Dynamics CRM).
  5. Verify the login flow.
    • After these steps are completed, when the user logs in from the SP (Dynamics CRM), they are asked to authenticate with their AD credentials.
    • The user is then prompted for inline registration with miniOrange.
    • After this step, the user is asked to set up 2FA and can choose the authentication method they wish to use.
    • Next, the user can set up KBA (Security Questions) as a backup 2FA method, for use when their phone is lost or not with them.
    • Once this initial registration is done and the 2-factor method has been set up successfully, the user is prompted for the configured 2-factor method every time they log in.
    • After successful authentication, the user is logged in to the SP.