This guide explains how to enable 2FA using miniOrange as an Identity broker between Dynamic CRM and ADFS.
Step 1: Add ADFS as Identity Provider in miniOrange.
- Login to miniOrange console and login with your miniOrange Account.
- In the left navigation bar, click on Identity Provider.
- Click on Add Identity Provider.
- Configure ADFS as the Identity Source here by entering all the required values.
| Login URL | https://your_adfs_domain/adfs/ls |
| IdP Entity ID | https://your_adfs_domain/adfs/services/trust |
| X 509 Certificate | |
- Click on Save.
Step 2: Setup miniOrange as a Relying Party Trust in ADFS.
- Login to ADFS. In ADFS, click on Add Relying party Trust. Then click on Start.
- In Select Data Source, Select Enter data about the relying party manually.
- Click Next. In Specify Display name: Enter Display name.
- Click on Next. Select Enable support for the SAML 2.0 Web SSO protocol.
- Enter the Relying party SAML 2.0 SSO Service URLas: https://login.xecurify.com/moas/broker/login/saml/acs/{your_customer_id}
You can find the customer id here:
- Enter the SSO URL and click on Next.
- Enter https://login.xecurify.com/moas as an Relying Party Trust Identifier and click on Add.
- After adding the URL, click on Next. In Configure Multi-factor Authentication Now, select I do not want to configure multi factor authentication settings for this relying party trust. Click Next.
- In Choose Issuance Authorization Rules, select Permit all users to access this relying party. Click Next.
- In Ready to Add Trusts, select click Next. After the Relying Party Trust is added, click onEdit Claim Rules.
- Click Add rule and then select Send LDAPAttributes as Claims.
- Click on Next. Enter the following:
| Claim rule name | Attributes |
| Attribute Store | Active Directory |
| LDAP Attribute | E-Mail-Addresses |
| Outgoing Claim Type | Name ID |
- Click Finish.
Step 3: Test Connection.
- Go to Identity Providers tab.
- Click on Select>>Test Connection option against the Identity Provider you configured.
- On entering valid ADFS credentials you will see a pop-up window.
- Hence your configuration of ADFS as IDP in miniOrange is sucesssfully completed.
Step 4: Configure your Application in miniOrange.
- In the left navigation bar, click on Apps -> Manage Apps.
- Click on Configure Apps.
- Select WS-Federation and add a new Custom WS-Fed App.
- Configure an App name, enter your WT-Realm and Reply URL, and define a policy for the app. Make sure to check Enable Second Factor.
- Click on Save.
Step 5: Configure miniOrange as IdP in SP.
- Login to your domain as an Account Administrator.
- Go to Admin and click on Password Management.
- Disable the Forgot Password option.
- Check Enable SAML Authentication and enter the details as shown:
| Login URL: |
Copy the SAML Login URL from the Metadata. |
| SLO URL: |
Copy the SAML Logout URL from the Metadata. |
| X509 Certificate: |
Copy the X.509 Certificate from the Metadata. |
- Click on Save to save the SAML settings.
Step 6: Login with miniOrange.
- Go to your SP Domain. It will redirect you to miniOrange Single Sign-On Service console.
- Enter your miniOrange login credentials and click on Login.
- Since we have Two Factor Authentication enabled, you will be prompted to register for it. It's a one time process.
- Configure your basic details.
- Configure any authentication method of your choice.
- Configure KBA (Security Questions) as your fallback method.
- After successful registration, you will be logged in to your SP account.
- Now we have Two Factor Authentication enabled.
- To verify your Two Factor Authentication configuration, go to your SP Domain. You will be redirected to miniOrange login console.
- Enter your login credentials, and click on login. It will prompt to verify yourself against the configured 2FA method.
e.g. If you have configured OTP over SMS, after login into SP it will prompt for OTP.
- Enter the OTP received in your phone, after successful 2FA verification, you will be redirected to the SP dashboard.
