Steps to Enable 2FA on top of ADFS Authentication

The miniOrange ADFS MFA connector lets you enable Two Factor Authentication (2FA) for your users and protect access to Microsoft Active Directory Federation Services (ADFS) by adding a second authentication challenge on top of the existing username and password of your ADFS deployment. This extra layer prevents an unauthorized person from reaching the protected resources even if an attacker has obtained the user's credentials.


ADFS SSO Authentication Flow with miniOrange MFA Connector:

  • A user attempts to access an ADFS-protected service with a username and password.
  • ADFS verifies the username and password against the existing first-factor directory (i.e. Active Directory).
  • Once the first factor is validated, the miniOrange MFA adapter installed on the ADFS server sends a RADIUS authentication request for that user to the miniOrange RADIUS server.
  • The miniOrange RADIUS server issues a second-factor challenge to the user.
  • The user submits the response/code received on their hardware token or phone.
  • The response is verified on the miniOrange RADIUS server side.
  • On successful second-factor authentication the user is granted access.

Step 1: Add RADIUS Client in miniOrange

  • Log in to the miniOrange Admin Console.
  • Click on Customization in the left menu of the dashboard.
  • In Basic Settings, set the Organization Name as the custom_domain name.
  • Click Save. Once that is set, the branded login URL will be of the format https://{custom_domain}.xecurify.com/moas/login

  • Go to Apps and click on the Add Application button.
  • Choose RADIUS as the Application type and click on the Create App button.
  • Click on the Radius Client application tab.
  • Configure the following details to add the RADIUS client:
    Client Name: Any name for your reference.
    Client IP: IP address of the ADFS server from which the RADIUS authentication requests will arrive (the server's public egress address if the miniOrange RADIUS server is cloud-hosted; the request is rejected if the source address does not match).
    Shared Secret: Security key used to authenticate and integrity-protect the RADIUS packets exchanged between ADFS and the RADIUS server. Use a long, random value; the placeholder below only illustrates the format.
    For Eg. "sharedsecret"
    (Keep this with you; you will need to configure the same value on the ADFS server.)
  • Configure the following Policy details for the RADIUS client:
    Group Name: Group for which the policy will apply.
    Policy Name: Any identifier that specifies the policy name.
    Login Method: OTP/Push/Mobile Token (Password-Less Login)
  • After configuring the above details, click on the Save button.
  • Copy and save the RADIUS server IPs, which will be required to configure your RADIUS client (the ADFS server) in Step 2.

    NOTE: For the On-Premise version, follow the steps below before testing connectivity.

    Only For On-Premise Version

    Open Firewall Ports.

  • In order to receive RADIUS requests, it is necessary to allow inbound UDP traffic on ports 1812 (authentication) and 1813 (accounting) on the machine where the On-Premise IdP is deployed. Scope the rule to the ADFS server's IP address rather than opening the ports to every source.
  • If the hosting machine is a Windows machine, you can follow this document.
  • If the hosting machine is a Linux machine, you can follow this document.
    NOTE: If your machine is hosted on AWS, also allow the same ports in the instance's security group from the AWS console; the host firewall alone is not enough.
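For a Windows-hosted On-Premise IdP, the following is an added example (not from the miniOrange documentation) of opening the two RADIUS ports with Windows Firewall while restricting them to the ADFS server. The address 203.0.113.10 and the rule names are assumptions; replace the address with your ADFS server's IP.

```powershell
# Added example (not from the miniOrange page): allow the RADIUS listener on a
# Windows-hosted On-Premise IdP to receive UDP 1812/1813 from the ADFS server only.
# Assumption: 203.0.113.10 is the ADFS server's address (placeholder, replace it).
$AdfsServerIp = '203.0.113.10'

# One rule per RADIUS port so the accounting rule can be dropped later if unused.
$ports = @{
    'miniOrange RADIUS authentication' = 1812
    'miniOrange RADIUS accounting'     = 1813
}

foreach ($name in $ports.Keys) {
    # Remove any earlier rule with the same name so the script is safely re-runnable.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # -RemoteAddress is the part that matters: without it the port is open to every host.
    New-NetFirewallRule -DisplayName $name `
        -Direction Inbound -Protocol UDP -LocalPort $ports[$name] `
        -RemoteAddress $AdfsServerIp -Action Allow -Profile Domain,Private | Out-Null
}

# Verify: print each rule with its port and the remote-address scope actually applied.
Get-NetFirewallRule -DisplayName 'miniOrange RADIUS*' | ForEach-Object {
    $port = ($_ | Get-NetFirewallPortFilter).LocalPort
    $src  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    '{0}: UDP/{1} from {2} (enabled: {3})' -f $_.DisplayName, $port, $src, $_.Enabled
}
```

Run this from an elevated PowerShell session on the IdP host. The verification loop should show `from 203.0.113.10` (your ADFS address) rather than `Any`; if it shows `Any`, the rule was created without the scope and should be recreated.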

Step 2: Install miniOrange ADFS MFA Adapter

  • Download the miniOrange MFA Adapter from here.
  • Add the RADIUS server details along with the shared secret to the Install.ps1 file:
    1. Replace {RADIUS Server IP} and {SharedSecret} with the RADIUS server IP and the shared secret used in Step 1.

  • Run the Install.ps1 file on the ADFS server from a PowerShell session started as administrator.
  • Press Y to continue registration.

  • Restart the ADFS service using the following commands:
    1. Net stop adfssrv
    2. Net start adfssrv
  • Edit the access control policy for the already added Relying Party Trust (or any Application Group) and select Permit everyone and require MFA, so that MFA is enforced after the primary login. Without a policy that requires MFA, ADFS will never invoke the adapter for that application.
  • Go to Authentication methods > Edit Multi Factor Authentication, select Radius Authentication Adapter and apply the settings.
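The same registration and policy steps can be driven from PowerShell on the ADFS server, which is useful for scripting a farm or checking that the click-through above actually took effect. The block below is an added example and is not the miniOrange installer. It assumes the adapter package was extracted to C:\miniOrange, that Install.ps1 contains the literal placeholders {RADIUS Server IP} and {SharedSecret}, that 203.0.113.20 is the RADIUS server IP saved in Step 1, and that "ADFS Test App" is an existing relying party trust; the provider name "RadiusAuthenticationAdapter" is the one this page uses in its Unregister command.

```powershell
# Added example, not the miniOrange installer: Step 2 done from an elevated
# PowerShell session on the ADFS server, with a check before policy is changed.
# Assumptions (replace before running): adapter extracted to C:\miniOrange,
# Install.ps1 carries the literal placeholders {RADIUS Server IP} and {SharedSecret},
# 203.0.113.20 is the RADIUS server IP from Step 1, "ADFS Test App" is an existing
# relying party trust. The provider name comes from the page's Unregister command.
$AdapterDir   = 'C:\miniOrange'
$RadiusServer = '203.0.113.20'
$ProviderName = 'RadiusAuthenticationAdapter'
$RelyingParty = 'ADFS Test App'

# Prompt for the shared secret instead of leaving it in shell history.
$secure = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Fill in the placeholders with a plain string replace (no regex, so "{" is safe).
# Note that Install.ps1 now contains the secret: delete it after installation.
$installer = Join-Path $AdapterDir 'Install.ps1'
$text = Get-Content -Path $installer -Raw
$text = $text.Replace('{RADIUS Server IP}', $RadiusServer).Replace('{SharedSecret}', $plain)
Set-Content -Path $installer -Value $text -NoNewline

# Register the adapter; the installer asks for Y to continue.
Push-Location $AdapterDir
& .\Install.ps1
Pop-Location

# Equivalent of "Net stop adfssrv" / "Net start adfssrv".
Restart-Service adfssrv

# Do not touch policy until ADFS actually knows the provider.
if (-not (Get-AdfsAuthenticationProvider -Name $ProviderName -ErrorAction SilentlyContinue)) {
    throw "Provider $ProviderName is not registered; check the installer output."
}

# Enable the adapter as an additional (second-factor) method without dropping
# any providers that are already enabled.
$providers = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider) + $ProviderName
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider `
    ($providers | Where-Object { $_ } | Select-Object -Unique)

# Require MFA for the relying party using the built-in access control policy,
# the same setting as "Permit everyone and require MFA" in the management console.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty `
    -AccessControlPolicyName 'Permit everyone and require MFA'

# Show the resulting configuration.
Get-AdfsRelyingPartyTrust -Name $RelyingParty | Select-Object Name, AccessControlPolicyName
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```

The two settings at the end are independent: enabling the provider globally makes it available, and the access control policy on the relying party is what forces ADFS to use it. If users are not prompted for a second factor after this, check the policy on the specific relying party first, since a trust left on "Permit everyone" bypasses the adapter entirely.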


User Experience

After entering the username and password on the AD FS login page, the user is prompted for the second-factor method already configured for that user, or the one set as default by the admin. Once the second factor is verified, the user is signed in.

    You have successfully enabled Two-Factor Authentication (2FA) using the miniOrange ADFS MFA Connector.

Steps to Unregister the Radius Authentication Adapter
  • First remove Radius Authentication Adapter from Authentication methods > Edit Multi Factor Authentication and set the affected access control policies back as required, so that no policy still references the adapter.
  • Open PowerShell on the ADFS server in administrator mode.
  • Use the following command to unregister the adapter:
    Unregister-AdfsAuthenticationProvider -Name "RadiusAuthenticationAdapter"
  • Restart the ADFS service using the following commands:
    • Net stop adfssrv
    • Net start adfssrv
