Steps to Enable 2FA on top of ADFS Authentication

This guide explains how to enable 2FA using miniOrange as an identity broker between Dynamics CRM and ADFS: users still authenticate with their Active Directory credentials at ADFS, and miniOrange enforces the second factor before releasing them to the application.

Step 1: Add ADFS as Identity Provider in miniOrange.

  • Log in to the miniOrange console with your miniOrange account.
  • In the left navigation bar, click on Identity Provider.

  • Click on Add Identity Provider.

  • Configure ADFS as the Identity Source here by entering all the required values:
    Login URL: https://your_adfs_domain/adfs/ls
    IdP Entity ID: https://your_adfs_domain/adfs/services/trust
    X.509 Certificate: the ADFS token-signing certificate (not the token-decrypting one). miniOrange uses it to verify the signature on ADFS assertions, so this entry must be updated whenever ADFS rolls that certificate over.

  • Click on Save.
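The three values above can be read from the ADFS federation metadata instead of being retyped. The following is an added example, not part of the miniOrange guide; it assumes the placeholder hostname your_adfs_domain used in the guide, HTTPS reachability to that farm, and PowerShell 5 or later. It also performs the checks worth doing before pasting: that the entityID belongs to the farm you meant, that the certificate picked is the signing key and not the encryption key, and that the certificate is not about to expire or roll over.

```powershell
# Added example (not from the miniOrange guide): read the Step 1 values from the
# ADFS federation metadata instead of retyping them. Assumes the ADFS farm is
# reachable over HTTPS at the placeholder hostname used in the guide, and
# PowerShell 5 or later.
$AdfsHost = "your_adfs_domain"

$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$idp = $md.EntityDescriptor.IDPSSODescriptor

# IdP Entity ID: expected to be https://your_adfs_domain/adfs/services/trust
$entityId = $md.EntityDescriptor.entityID

# Login URL: the SingleSignOnService endpoint (ADFS publishes /adfs/ls/ for the
# HTTP-Redirect and HTTP-POST bindings)
$loginUrl = ($idp.SingleSignOnService |
    Where-Object { $_.Binding -like '*HTTP-Redirect' } |
    Select-Object -First 1).Location

# X.509 certificate: the KeyDescriptor with use="signing" is the token-signing
# certificate miniOrange needs to verify ADFS assertions. The use="encryption"
# entry is the token-decrypting certificate; pasting that one makes every
# assertion fail signature validation.
$signingKeys = @($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' })
if ($signingKeys.Count -gt 1) {
    Write-Warning "$($signingKeys.Count) signing certificates published (rollover in progress); confirm the primary with Get-AdfsCertificate -CertificateType Token-Signing on the ADFS server"
}
$signingB64 = $signingKeys[0].KeyInfo.X509Data.X509Certificate
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($signingB64))

# Checks worth doing before pasting into the miniOrange form
if ($entityId -ne "https://$AdfsHost/adfs/services/trust") {
    Write-Warning "entityID is '$entityId'; check that '$AdfsHost' is the right farm"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires $($cert.NotAfter); when ADFS rolls it over the miniOrange IdP entry must be updated or logins will fail"
}

# PEM form of the certificate for the X.509 Certificate field
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"

[pscustomobject]@{
    LoginUrl    = $loginUrl
    IdpEntityId = $entityId
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
}
$pem
```

The thumbprint printed here is what to compare against Get-AdfsCertificate on the ADFS server if there is any doubt which certificate is the primary one; ADFS farms with AutoCertificateRollover enabled generate a new token-signing certificate before the old one expires, and the miniOrange Identity Provider entry does not follow that change on its own.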

Step 2: Setup miniOrange as a Relying Party Trust in ADFS.

  • Log in to the ADFS management console. In ADFS, click on Add Relying Party Trust. Then click on Start.

  • In Select Data Source, Select Enter data about the relying party manually.

  • Click Next. In Specify Display name: Enter Display name.

  • Click on Next. Select Enable support for the SAML 2.0 Web SSO protocol.
  • Enter the Relying Party SAML 2.0 SSO Service URL as: https://login.xecurify.com/moas/broker/login/saml/acs/{your_customer_id}
    Your customer ID is shown in the miniOrange console.

  • Enter the SSO URL and click on Next.

  • Enter https://login.xecurify.com/moas as the Relying Party Trust Identifier and click on Add.

  • After adding the identifier, click on Next. In Configure Multi-factor Authentication Now, select I do not want to configure multi-factor authentication settings for this relying party trust, and click Next. The second factor for this flow is enforced by miniOrange (enabled in Step 4), so ADFS-side MFA is left off to avoid prompting users twice.
  • In Choose Issuance Authorization Rules, select Permit all users to access this relying party. Click Next.
  • In Ready to Add Trust, click Next. After the Relying Party Trust is added, click on Edit Claim Rules.

  • Click Add Rule and then select Send LDAP Attributes as Claims.

  • Click on Next. Enter the following:
  • Claim rule name: Attributes
    Attribute Store: Active Directory
    LDAP Attribute: E-Mail-Addresses
    Outgoing Claim Type: Name ID

  • Click Finish.
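The same relying party trust, claim rule and authorization rule can be created with the ADFS PowerShell module on an ADFS server instead of through the wizard. This is an added example, not part of the miniOrange guide: the display name "miniOrange" is an assumption, and {your_customer_id} is the guide's own placeholder. It ends with the check a practitioner wants before moving on: the trust is enabled, assertions go to the expected ACS URL, and no ADFS-side MFA rules are attached, since the second factor is enforced by miniOrange in Step 4.

```powershell
# Added example (not from the miniOrange guide): Step 2 done with the ADFS
# PowerShell module on an ADFS server, as an ADFS administrator. The display
# name is an assumption; {your_customer_id} is the guide's placeholder.
Import-Module ADFS

$CustomerId  = "{your_customer_id}"   # shown in the miniOrange console
$DisplayName = "miniOrange"
$Identifier  = "https://login.xecurify.com/moas"
$AcsUrl      = "https://login.xecurify.com/moas/broker/login/saml/acs/$CustomerId"

# SAML 2.0 Web SSO: ADFS POSTs the assertion to the miniOrange ACS URL
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri $AcsUrl -Index 0

# "Send LDAP Attributes as Claims" rule from the guide: E-Mail-Addresses -> Name ID
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $DisplayName -Identifier $Identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify before moving on: the trust is enabled, assertions go to the expected
# ACS URL, and no ADFS-side MFA rules exist (the second factor belongs to
# miniOrange, enabled in Step 4; MFA here as well would prompt users twice).
$rp = Get-AdfsRelyingPartyTrust -Name $DisplayName
$actualAcs = [string]$rp.SamlEndpoints[0].Location
if (-not $rp.Enabled)       { throw "Relying party trust is disabled" }
if ($actualAcs -ne $AcsUrl) { throw "ACS URL mismatch: $actualAcs" }
if ($rp.AdditionalAuthenticationRules) {
    Write-Warning "ADFS-side MFA rules are set on this trust; users will be prompted for a second factor twice"
}
$rp | Select-Object Name, Identifier, Enabled,
    @{ n = 'AcsUrl'; e = { [string]$_.SamlEndpoints[0].Location } }
```

On ADFS 2016 and later the wizard's Permit everyone choice corresponds to -AccessControlPolicyName 'Permit everyone' rather than a custom authorization rule; either form works. The Name ID issued by this rule is the user's AD mail attribute, so an account with no mail address is sent to miniOrange without a Name ID and cannot be matched, which is worth checking for service and test accounts before Step 3.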

Step 3: Test Connection.

  • Go to Identity Providers tab.

  • Click on Select >> Test Connection against the Identity Provider you configured.
  • A pop-up window opens; enter valid ADFS credentials there. A successful test shows the assertion ADFS returned, including the Name ID from the claim rule above.

  • Your configuration of ADFS as an IdP in miniOrange is now complete.

Step 4: Configure your Application in miniOrange.

  • In the left navigation bar, click on Apps -> Manage Apps.

  • Click on Configure Apps.

  • Select WS-Federation and add a new Custom WS-Fed App.

  • Configure an App name, enter your WT-Realm and Reply URL, and define a policy for the app. Make sure to check Enable Second Factor: this is the setting that makes miniOrange require a second factor for this application after ADFS has authenticated the user, and without it the broker adds no 2FA at all.

  • Click on Save.

Step 5: Configure miniOrange as IdP in SP.

  • Log in to your domain as an Account Administrator.
  • Go to Admin and click on Password Management.

  • Disable the Forgot Password option, so that a local password reset cannot be used to sign in around the SSO flow and the second factor it enforces.
  • Check Enable SAML Authentication and enter the details from the miniOrange IdP metadata:
    Login URL: Copy the SAML Login URL from the metadata.
    SLO URL: Copy the SAML Logout URL from the metadata.
    X.509 Certificate: Copy the X.509 Certificate from the metadata (miniOrange's signing certificate, which the SP uses to verify the assertions it receives).
  • Click on Save to save the SAML settings.

Step 6: Login with miniOrange.

  • Go to your SP domain. It will redirect you to the miniOrange Single Sign-On Service console.

  • Enter your miniOrange login credentials and click on Login.
  • Since Two Factor Authentication is enabled, you will be prompted to register for it. This is a one-time process.
  • Configure your basic details.

  • Configure any authentication method of your choice.

  • Configure KBA (Security Questions) as your fallback method. Security questions are a weaker factor than an OTP or authenticator app, so treat them as a recovery path rather than the method users rely on day to day.

  • After successful registration, you will be logged in to your SP account.
  • Two Factor Authentication is now enabled.
  • To verify your Two Factor Authentication configuration, go to your SP domain again. You will be redirected to the miniOrange login console.

  • Enter your login credentials and click on Login. You will be prompted to verify yourself against the configured 2FA method.
    For example, if you configured OTP over SMS, you will be prompted for the OTP after logging in to the SP.
  • Enter the OTP received on your phone. After successful 2FA verification, you will be redirected to the SP dashboard.