Steps to Enable 2FA on top of ADFS Authentication

This guide explains how to enable two-factor authentication (2FA) for Dynamics CRM by placing miniOrange as an identity broker between Dynamics CRM and ADFS. ADFS remains the identity provider that checks the user's Active Directory credentials; miniOrange adds the second factor before the user reaches the application.

Step 1: Add ADFS as Identity Provider in miniOrange.

  • Log in to the miniOrange console with your miniOrange account.
  • In the left navigation bar, click Identity Provider.
  • Click Add Identity Provider.

  • Configure ADFS as the Identity Source by entering the required values:
    Login URL: https:///adfs/ls
    IdP Entity ID: https:///adfs/services/trust
    X.509 Certificate: the ADFS token-signing certificate, which miniOrange uses to verify the signature on SAML responses from ADFS

  • Click on Save.

Step 2: Setup miniOrange as a Relying Party Trust in ADFS.

  • Log in to your ADFS server and open AD FS Management. Click Add Relying Party Trust, then click Start.

  • In Select Data Source, select Enter data about the relying party manually.

  • Click Next. In Specify Display Name, enter a display name.

  • Click Next. Select AD FS profile.

  • Click Next. Select Enable support for the SAML 2.0 WebSSO protocol.
  • Enter the Relying party SAML 2.0 SSO service URL as https://login.xecurify.com/moas/broker/login/saml/acs/{your_customer_id}, replacing {your_customer_id} with the customer ID shown in your miniOrange console. This is the miniOrange Assertion Consumer Service (ACS) endpoint to which ADFS will send the signed SAML response.
  • Click Next.

  • Enter https://login.xecurify.com/moas as the Relying party trust identifier and click Add.

  • After adding the identifier, click Next. In Configure Multi-factor Authentication Now?, select I do not want to configure multi-factor authentication settings for this relying party trust, and click Next. The second factor is enforced by miniOrange (Step 4), not by ADFS, so ADFS MFA stays off for this trust.
  • In Choose Issuance Authorization Rules, select Permit all users to access this relying party. Click Next.
  • In Ready to Add Trust, click Next. After the relying party trust is added, click Edit Claim Rules.

  • Click Add Rule and select Send LDAP Attributes as Claims.

  • Click Next and enter the following:
    Claim rule name: Attributes
    Attribute store: Active Directory
    LDAP Attribute: E-Mail-Addresses
    Outgoing Claim Type: Name ID
    This rule places the user's Active Directory e-mail address in the SAML NameID, which is how miniOrange identifies the authenticated user.

  • Click Finish.
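
The relying party trust that Step 2 builds through the wizard, as an added PowerShell example that is not part of the miniOrange guide. It assumes an elevated session on an ADFS server with the ADFS module available, an arbitrary display name ('miniOrange 2FA Broker'), and that you substitute your own customer ID for the placeholder; the identifier, ACS URL and claim rule are the ones the steps above enter by hand.

```powershell
# Added example, not from the miniOrange guide: the relying party trust that
# Step 2 builds in the ADFS wizard, created with the ADFS PowerShell module.
# Run in an elevated session on an ADFS server. Assumptions: the display name
# is arbitrary, and <your_customer_id> is replaced with the ID shown in your
# miniOrange console.
Import-Module ADFS

$customerId   = '<your_customer_id>'
$rpName       = 'miniOrange 2FA Broker'
$rpIdentifier = 'https://login.xecurify.com/moas'
$acsUrl       = "https://login.xecurify.com/moas/broker/login/saml/acs/$customerId"

# Claim rule language for the "Send LDAP Attributes as Claims" rule of Step 2:
# attribute store Active Directory, LDAP attribute E-Mail-Addresses (mail),
# outgoing claim type Name ID.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# "Permit all users to access this relying party"
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The "Relying party SAML 2.0 SSO service URL" of the wizard is an assertion
# consumer endpoint with the HTTP-POST binding.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $rpIdentifier `
    -SamlEndpoint $acsEndpoint `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Check: the trust exists, posts to the miniOrange ACS URL and carries the
# Name ID rule. Compare the Location with the URL in your miniOrange console.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.Identifier
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.IssuanceTransformRules
```

ADFS issues the NameID from the mail attribute, so a user whose Active Directory mail attribute is empty authenticates at ADFS but arrives at miniOrange without an identifier; populate the attribute for every account that should be able to sign in. The authorization rule permits all users, as the wizard step does, so who may reach the application is decided by the policy you define in miniOrange in Step 4.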

Step 3: Test the ADFS connection in miniOrange.

  • Go to the Identity Providers tab.
  • Click Select >> Test Connection against the Identity Provider you configured.
  • You are redirected to ADFS; after entering valid ADFS credentials, you will see a pop-up window confirming the result.
  • Your configuration of ADFS as an IdP in miniOrange is now complete.

Step 4: Configure your Application in miniOrange.

  • In the left navigation bar, click Apps -> Manage Apps.

  • Click on Configure Apps.

  • Select WS-Federation and add a new Custom WS-Fed App.

  • Configure an App name, enter your WT-Realm (the wtrealm identifier your application sends in its WS-Federation sign-in request) and Reply URL (the application endpoint to which miniOrange returns the token), and define a policy for the app. Make sure to check Enable Second Factor; this is the setting that makes miniOrange demand a second factor after ADFS has verified the password.

  • Click on Save.

Step 5: Configure miniOrange as IdP in SP.

  • Log in to your domain as an Account Administrator.
  • Go to Admin and click Password Management.

  • Disable the Forgot Password option.
  • Check Enable SAML Authentication and enter the following details from the miniOrange metadata:
    Login URL: the SAML Login URL from the metadata.
    SLO URL: the SAML Logout URL from the metadata.
    X.509 Certificate: the X.509 certificate from the metadata.
  • Click on Save to save the SAML settings.
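
Steps 1 and 5 both ask you to copy a login URL, a logout URL and an X.509 certificate out of a SAML metadata document into a form. As an added example that is not part of the miniOrange guide, the PowerShell below pulls those values out of any SAML 2.0 IdP metadata (the document ADFS publishes for Step 1, or the one the miniOrange console offers for Step 5) and reports the certificate's subject, thumbprint and expiry so you can check what you are about to paste. The host adfs.example.com, the entity ID and the self-signed certificate are constructed for the sample; the function names are my own.

```powershell
# Added example, not from the miniOrange guide. Extracts what Steps 1 and 5
# copy out of SAML 2.0 IdP metadata: entityID, SSO/SLO URLs and the signing
# certificate, and reports the certificate's subject, thumbprint and expiry.
function Get-SamlIdpSettings {
    [CmdletBinding()]
    param([Parameter(Mandatory)][xml]$Metadata)

    $ns = @{
        md = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds = 'http://www.w3.org/2000/09/xmldsig#'
    }
    $idp      = '/md:EntityDescriptor/md:IDPSSODescriptor'
    $redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

    # First match for an XPath, as text; $null when the node is absent.
    function Select-First([string]$XPath) {
        $hit = Select-Xml -Xml $Metadata -Namespace $ns -XPath $XPath | Select-Object -First 1
        if ($null -eq $hit) { return $null }
        if ($hit.Node -is [System.Xml.XmlAttribute]) { $hit.Node.Value } else { $hit.Node.InnerText }
    }

    $entityId  = Select-First '/md:EntityDescriptor/@entityID'
    $loginUrl  = Select-First "$idp/md:SingleSignOnService[@Binding='$redirect']/@Location"
    $logoutUrl = Select-First "$idp/md:SingleLogoutService[@Binding='$redirect']/@Location"
    # A KeyDescriptor without a "use" attribute is valid for signing and encryption.
    $certB64   = Select-First "$idp/md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    if (-not ($entityId -and $loginUrl -and $certB64)) {
        throw 'Metadata lacks an entityID, an HTTP-Redirect SingleSignOnService or a signing certificate.'
    }

    $der  = [Convert]::FromBase64String(($certB64 -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    # PEM form, which is what the "X.509 Certificate" fields expect.
    $pem  = "-----BEGIN CERTIFICATE-----`n" +
            (([Convert]::ToBase64String($der) -split '(.{64})' | Where-Object { $_ }) -join "`n") +
            "`n-----END CERTIFICATE-----"

    [pscustomobject]@{
        EntityId        = $entityId
        LoginUrl        = $loginUrl
        LogoutUrl       = $logoutUrl
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        DaysUntilExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
        CertificatePem  = $pem
    }
}

# Constructed sample shaped like ADFS federation metadata, with a throwaway
# self-signed certificate generated in memory. Host and entityID are made up.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=ADFS Signing - adfs.example.com', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sampleCert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(1))
$sampleB64  = [Convert]::ToBase64String($sampleCert.RawData)

[xml]$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$sampleB64</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

Get-SamlIdpSettings -Metadata $sampleMetadata | Format-List
```

For a live ADFS, replace the sample with `[xml](Invoke-WebRequest -UseBasicParsing -Uri "https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml").Content`, the path at which ADFS publishes its federation metadata. Two values to check before saving Step 1: EntityId must match the IdP Entity ID you enter, and DaysUntilExpiry tells you when the pasted certificate stops validating signatures. ADFS rolls its token-signing certificate automatically by default (the AutoCertificateRollover property), and a rolled certificate that was never re-pasted into the broker is a common reason a working setup suddenly rejects every login.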

Step 6: Login with miniOrange.

  • Go to your SP domain. It redirects you to the miniOrange Single Sign-On Service console.

  • Enter your miniOrange login credentials and click Login.
  • Since Two Factor Authentication is enabled, you will be prompted to register for it. This is a one-time process.
  • Configure your basic details.

  • Configure any authentication method of your choice.
  • Configure KBA (security questions) as your fallback method. Keep in mind that a fallback is also a way in: the second step is only as strong as the weakest method that can complete it, so choose questions whose answers are neither guessable nor publicly known.

  • After successful registration, you will be logged in to your SP account.
  • Two Factor Authentication is now enabled.
  • To verify the configuration, go to your SP domain again. You will be redirected to the miniOrange login console.

  • Enter your login credentials and click Login. You will be prompted to verify yourself with the configured 2FA method; for example, if you configured OTP over SMS, you will be prompted for the OTP after logging in.
  • Enter the OTP received on your phone. After successful 2FA verification, you will be redirected to the SP dashboard.