Steps to enable 2FA on top of ADFS Authentication

This guide explains how to enable 2FA using miniOrange as an Identity broker between Dynamic CRM and ADFS.

1. Add ADFS as Identity Source in miniOrange.
   • Login to miniOrange console and login with your miniOrange Account.
   • In the left navigation bar, click on Identity Sources.
   
   • Click on Add Identity Source.
   
   • Configure ADFS as the Identity Source here by entering all the required values.

   Login URL	https:///adfs/ls
   IdP Entity ID	http:///adfs/services/trust
   X 509 Certificate

   
   • Click on Save.
   • miniOrange as a Relying Party Trust in ADFS.
   • Login to ADFS. In ADFS, click on Add Relying party Trust. Then click on Start.
   
   • In Select Data Source, Select Enter data about the relying party manually.
   
   • Click Next. In Specify Display name: Enter Display name.
   
   • Click Next. Select ADFS profile.
   
   • Click on Next. Select Enable support for the SAML 2.0 Web SSO protocol.
   • Enter the Relying party SAML 2.0 SSO Service URLas: https://login.xecurify.com/moas/broker/login/saml/acs/{your_customer_id} You can find the customer id here:
   
   • Enter the SSO URL and click on Next.
   
   • Enter https://login.xecurify.com/moas asanRelying Party Trust Identifier and click on Add.
   
   • After adding the URL, click on Next. In Configure Multi-factor Authentication Now, select I do not want to configure multi factor authentication settings for this relying party trust. Click Next.
   • In ChooseIssuance Authorization Rules, select Permit all users to access this relying party. Click Next.
   • In Ready to Add Trusts, select click Next. After the Relying Party Trust is added, click onEdit Claim Rules.
   
   • Click Add rule and then select Send LDAPAttributes as Claims.
   
   • Click on Next. Enter the following:

   Claim rule name	Attributes
   Attribute Store	Active Directory
   LDAP Attribute	E-Mail-Addresses
   Outgoing Claim Type	Name ID

   
   • Click Finish.
   • Create an SP App for your SP (Dynamics CRM) in miniOrange.
   • In the left navigation bar, click on Apps -> Manage Apps.
   
   • Click on Configure Apps.
   
   • Select WS-Federation and add a new Custom WS-Fed App.
   
   • Configure an App name, enter your WT-Realm and Reply URL, and define a policy for the app. Make sure to check Enable Second Factor.
   
   • Click on Save.
   • Configure miniOrange as an Identity Source in the SP (Dynamics CRM).
   • You can find the necessary details ( Certificate / WT-Realm / Reply URL) in the Metadata link of the app you configured in Step 3.
   
   • Use these values to configure miniOrange as the identity Source in your SP (Dynamics CRM).
   • After these steps are completed, when the user logs in from the SP (Dynamics CRM), he will be asked to authenticate himself with the AD credentials.
   
   • The user will be prompted for inline registration with miniOrange.
   
   • The user will be asked to set up his 2FA after this step. He can configure the authentication method he wishes to use.
   
   • After this, he can setup his KBA (Security Questions) as his backup 2FA method that he can use in case his phone is lost or not with him.
   
   • After this initial registration setup is done, and after the 2-factor has been setup successfully, the user will be prompted for the 2-factor method he configured every time he logs in.
   
   • Post successful authentication, he will be logged in to the SP.