ADFS 2FA Value-Added Module (VAM) Deployment Guide
SecureAuth www.secureauth.com +1 949-777-6959
Copyright Information
©2018. SecureAuth® is a registered trademark of SecureAuth Corporation. SecureAuth’s IdP software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation.
Version 1.0
Revision History
Version Date Notes
0.1 2017-03-28 Initial draft
1.0 2017-09-27 First version
2.0 2018-07-24 Second version
2.01 2018-08-14 Version table included
2.02 2018-10-04 Additional text included
For information on support for this module, contact your SecureAuth support or sales representative:
Email: [email protected]
Phone: +1.949.777.6959 or +1-866-859-1526
Website: https://www.secureauth.com/support or https://www.secureauth.com/contact
Table of Contents
Copyright Information
Table of Contents
Overview
Benefits
Installation
    Requirements
    Packaged Installation (.msi)
ADFS Configuration
    Global-Level Configuration
    Per Relaying Party Trust
Adaptive Authentication
Use Examples
Upgrade Information
Conclusion
Overview
This guide contains information on how to install the SecureAuth ADFS Two-Factor Adapter Value-Added Module (VAM) and how to configure it for use in an ADFS 3.0 environment. The SecureAuth ADFS Two-Factor Adapter is a Multi-Factor Authentication Provider that uses the SecureAuth Authentication APIs to send One-Time Passwords (OTPs) for use in authentication by an ADFS-federated application.

The SecureAuth ADFS Two-Factor VAM enables current ADFS customers to add strong authentication to their existing ADFS integrations. Many customers have comprehensive ADFS implementations that provide the convenience of SSO access but lack strong security, thereby putting all their applications at risk from a single breach. With this add-on module, Push-to-Accept, SMS, voice, email, KBQ, and OATH authentication can be enabled, as well as advanced IP threat analysis. This version of the VAM also includes strong support for Adaptive Authentication in addition to digital fingerprinting.

Many customers employ this tool when converting their SSO-enabled applications (using SSO standards such as SAML and WS-Federation) from the ADFS platform to the SecureAuth IdP platform. ADFS SAM secures their applications before they are migrated to a single SecureAuth platform, which greatly simplifies administration.

Integrating with ADFS using SecureAuth’s Two-Factor Authentication (2FA) can be challenging when pure federation protocols like SAML or WS-Federation are employed. The ADFS Two-Factor module was created to enable SecureAuth Two-Factor integration and to enable a migration strategy that moves away from ADFS. In many cases, our customers have a large customer base that currently utilizes ADFS; however, they quickly realize that ADFS does not provide the security needed for today’s hazardous environment. But while needing to migrate away from ADFS, the customer soon learns that they have too many applications to do this all at once.

The ADFS Two-Factor Module overcomes this obstacle by enabling ADFS-dependent applications and data to support SecureAuth 2FA through our API command structure. SecureAuth has created a full 2FA interface directly into ADFS. This gives the customer an easy and straightforward path to moving their applications to SecureAuth federation, while still protecting applications behind ADFS.
Benefits
+ Can be used as a bridge while migrating federated apps to SecureAuth IdP
+ Support for SMS, Phone, Email, and Push-2-Accept 2FA selections
+ Supports Digital Fingerprint capabilities
+ Supports Adaptive Authentication
+ Support for ADFS direct integration
+ Supports knowledge-based questions and answers (KBQ/KBA)
Installation
Installation entails the following steps:
+ Requirements
+ Packaged Installation

Requirements
The SecureAuth adapter requires a valid configuration of the SecureAuth Authentication API to be installed in a single realm on your SecureAuth IdP. To configure the Authentication API, follow the instructions provided in: https://docs.secureauth.com/x/WQABAg.

Packaged Installation (.msi)
Because of the nature of ADFS, and how tightly coupled it is to the core operating system, the TwoFactorAdapterSetup.msi must be run as an administrator.
1. Open a command prompt window as an administrator.
a. Click Start, click All Programs, and then click Accessories.
b. Right-click Command prompt, and then click Run as administrator.
c. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. Use cd to change directory to the directory where the unzipped archive resides (for example, cd C:\Temp\SecureAuthADFSTwoFactorAdapter).
3. Launch the installation by typing: SecureAuthAdapterSetup.msi. Three versions of the ADFS 2FA VAM are currently available:
VAM Version: Description
2.17:
    + Added Digital Fingerprinting
    + Added Push-To-Accept feature for MFA
    + Changed Logging options to include None, Detailed, and Sensitive
    + Supports IdP versions 9.1 and earlier
3.0:
    + Incorporates Threat Intel
    + Supports IdP Version 9.2
3.0.0.1:
    + Fix to improve IE browser compatibility
A screen like Figure 1 appears.
FIGURE 1. Two-Factor Adapter Setup Welcome Screen
4. Click the Next button to continue. A screen like Figure 2 appears:
FIGURE 2. Adapter Setup EULA Screen
5. Read and Accept the SecureAuth License Agreement then click Next.
A screen like Figure 3 appears:
FIGURE 3. Install Settings Screen
6. By default, the location for the SecureAuth Adapter installation is C:\Windows\ADFS\SecureAuthAdapter\ which is the install base for ADFS.
If the ADFS server you are installing to is the primary or first ADFS server on which the adapter is being installed, check the Register SecureAuthADFSAdapter as an Authentication Provider in ADFS box.
7. Click Next to Continue.
The example shown in Figure 4 appears:
FIGURE 4. SecureAuthAdapter Configuration
8. Fill out the adapter configuration fields based on your needs. See below for definitions of each field.
Adapter Name: The name used when registering the adapter to ADFS.
Enable Logs: Enable text-based logs residing in the secureauthadapter/logs/ folder. Two levels of logging are available:
    + Detailed: detailed logging to assist with troubleshooting
    + Sensitive: more sensitive information is logged, such as IP addresses, usernames, and the OTP codes entered.
Management UI Friendly Name: The name that will appear in the ADFS management MMC.
AppID: The SecureAuth authentication API appID from the SecureAuth appliance.
AppKey: The SecureAuth authentication API appkey from the SecureAuth appliance.
SecureAuth Realm URL: The URL to the SecureAuth Realm configured for the Authentication API.
Use SAMAccountName: If required, this setting will attempt to use the SAMAccountName to make the API calls.
Phone Image Url: URL to the image for the phone two-factor method (detailed below).
SMS Image Url: URL to the image for the SMS two-factor method (detailed below).
Email Image URL: URL to the image for the email two-factor method (detailed below).
KBQ Image Url: URL to the image for the KBQ two-factor method (detailed below).
HelpDesk Image Url: URL to the image for the HelpDesk two-factor method (detailed below).
OATH Image Url: URL to the image for the OATH OTP two-factor method (detailed below).
Progress GIF Url: URL to the gif for the progress wheel (detailed below).
Disable SSL: ONLY USE IN TESTING. Disables SSL checks to the Authentication API.
9. Click Next to Continue. A screen like Figure 5 appears.
FIGURE 5. Installing SecureAuth Two-Factor Adapter Setup
10. Once the installation finishes, you can exit the installer.
11. Navigate to the C:\Windows\ADFS\SecureAuthAdapter\Images\ directory.
If you have not already transferred the images to the \Images\ subfolder, copy the required images from the \adfs2images folder (this folder should reside at a location on the machine such as C:\adfs2images) to the C:\Windows\ADFS\SecureAuthAdapter\Images\ directory. Make sure you map the physical path correctly.
12. Copy the images located in the required \Images subdirectory to the URL corresponding to the defined Image URL as specified in Step 8.
For each of the image URLs, refer to the full http path of the images you placed on the machine (for example, https://secureAuthIdp.sacustom.local/adfsimages/ ).
13. After the plug-in has been installed successfully, do the following:
a. Navigate to the C:\Windows\ADFS\SecureAuthAdapter directory.
b. Right-click on the Logs folder and select Properties.
c. At the Logs Properties sheet, select the Security tab then click Edit to change permissions.
d. At the Permissions for Logs property sheet, click Add.
e. At the Select Users, Computers, Service Accounts, or Groups dialog box, make sure the correct security permissions are enabled as shown in the example in Figure 6.
NOTE: If the correct image does not appear on the corresponding 2FA page, make sure you have mapped the proper image to the proper URL as outlined in Steps 8-12.
FIGURE 6. Log File Permissions Form
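The installation procedure above (elevated installer run, then the Logs folder permissions of step 13) can be driven from PowerShell on the ADFS server. The script below is an added example and is not part of the SecureAuth guide or product; the installer path, the ADFS service account name and the verification steps are assumptions for a hypothetical environment, and the Logs folder ACL is whatever Figure 6 shows for your deployment.

```powershell
# Added example, not part of the SecureAuth guide. Run in an elevated PowerShell session on the
# ADFS server. Values marked ASSUMPTION are placeholders for your environment.
Import-Module ADFS

$Installer          = 'C:\Temp\SecureAuthADFSTwoFactorAdapter\TwoFactorAdapterSetup.msi'  # unzipped archive (steps 2-3)
$InstallBase        = 'C:\Windows\ADFS\SecureAuthAdapter'                                 # default install location (step 6)
$LogsDir            = Join-Path $InstallBase 'Logs'
$AdfsServiceAccount = 'CONTOSO\svc_adfs$'   # ASSUMPTION: the account the ADFS service runs as (a gMSA here)

# Step 1: the guide requires the MSI to run as administrator, so refuse to continue otherwise.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Re-run from an elevated PowerShell prompt (Run as administrator).' }

# Steps 3-10: launch the installer and keep a verbose MSI log for troubleshooting.
$msiLog = Join-Path $env:TEMP 'SecureAuthAdapterInstall.log'
$proc = Start-Process -FilePath 'msiexec.exe' `
            -ArgumentList "/i `"$Installer`" /l*v `"$msiLog`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with code $($proc.ExitCode); see $msiLog" }

# Step 13: grant the ADFS service account Modify on the Logs folder, inherited to files and
# subfolders (OI)(CI), so the adapter can write its text logs there. No other principal is added.
icacls $LogsDir /grant "${AdfsServiceAccount}:(OI)(CI)M" | Out-Null

# Read the ACL back and show the entry just added.
(Get-Acl -Path $LogsDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $AdfsServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# Step 6 checkbox: on the first/primary server the installer registers the adapter as an
# authentication provider. Confirm it is visible to the farm before configuring ADFS.
Get-AdfsAuthenticationProvider | Where-Object { $_.Name -like 'SecureAuth*' } | Select-Object Name
```

The ACL change is deliberately limited to the service account: with the Sensitive logging level enabled (step 8), the files in this folder contain usernames, client IP addresses and the OTP codes users entered, so broad read access to the folder would expose second-factor material. Add only the principals your Figure 6 equivalent calls for.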
ADFS Configuration
ADFS can be configured to apply multi-factor authentication either at a global level or to specific Relaying Party Trusts. Each of these approaches is described in the following subsections.

Global-Level Configuration
By default, the package installation will configure both the Intranet and Extranet zones to use Multi-Factor Authentication (MFA). To do this:
1. Launch the ADFS Management MMC.
2. Click on the Authentication Policies container in the navigation pane to the left.
3. Click on the Edit link under Multi-Factor Authentication.
4. Define what requirements will be used to determine if the authentication request will require MFA. You can specify specific user and groups, device types, or locations. By default the package installation will set both Extranet and Intranet as protected by MFA.
5. Make sure that the SecureAuthAdapter is checked in the authentication providers at the bottom of the properties window.
6. Click Apply and OK to save the settings for ADFS.
Per Relaying Party Trust
To apply MFA for ADFS per relaying party trust, perform the following steps:
1. Launch the ADFS Management MMC.
2. Expand the Authentication Policies container and click on Per Relaying Party Trust in the navigation pane to the left.
3. Click the specific Relaying Party Trust you want to add MFA to then click on Edit Custom Multi-Factor Authentication in the Action pane to the right.
4. Define what requirements will be used to determine if the Authentication requests for this Relaying Party Trust will require Multi-Factor Authentication.
NOTE: You must remove any Global settings for MFA requirements to set specific Per Relaying Party Trust methods. When removing the requirements, be sure not to uncheck the SecureAuth Adapter from the authentication providers. To do this, refer to the steps below.
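Both configurations above (global MFA and MFA per Relaying Party Trust) can also be applied with the ADFS PowerShell module that ships with Windows Server 2012 R2, which makes the "adapter must stay selected" and "global rule must be removed first" conditions from the note checkable. The script below is an added example, not SecureAuth's or Microsoft's code; the adapter name and the relying party trust name are assumptions, and the claim rule shown is the standard ADFS extranet MFA rule rather than anything specific to this VAM.

```powershell
# Added example, not part of the SecureAuth guide. Uses the ADFS PowerShell module from Windows
# Server 2012 R2 (ADFS 3.0). Values marked ASSUMPTION are placeholders for your environment.
Import-Module ADFS

$AdapterName = 'SecureAuthAdapter'   # ASSUMPTION: the Adapter Name given to the installer (step 8)

# Standard ADFS MFA rule: request a second factor when the insidecorporatenetwork claim is false,
# i.e. the request arrived from the extranet. ADFS sets that claim itself based on the request path.
$ExtranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

function Assert-AdapterRegistered {
    # The provider must exist under the name the installer registered (Global step 5).
    $provider = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $AdapterName }
    if (-not $provider) { throw "Authentication provider '$AdapterName' is not registered in this farm." }
}

function Set-GlobalMfa {
    # Global-Level Configuration: select the adapter as the additional authentication provider and
    # apply the rule to every relying party (the MMC "Multi-Factor Authentication" edit dialog).
    Assert-AdapterRegistered
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @($AdapterName)
    Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $ExtranetMfaRule
    (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
}

function Set-RptMfa {
    param([Parameter(Mandatory)][string]$RptName)   # display name of the Relying Party Trust
    # Per Relaying Party Trust: the guide requires the global MFA requirements to be removed first,
    # while the adapter stays selected as a provider. Check both before applying the per-RPT rule.
    Assert-AdapterRegistered
    $globalRule = [string](Get-AdfsAdditionalAuthenticationRule)
    if (-not [string]::IsNullOrWhiteSpace($globalRule)) {
        Write-Warning 'A global MFA rule is still set; clear it in the ADFS MMC before relying on per-RPT rules.'
    }
    if ((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider -notcontains $AdapterName) {
        throw "'$AdapterName' is no longer selected as an additional authentication provider; re-enable it."
    }
    Set-AdfsRelyingPartyTrust -TargetName $RptName -AdditionalAuthenticationRules $ExtranetMfaRule
    (Get-AdfsRelyingPartyTrust -Name $RptName).AdditionalAuthenticationRules
}

# Use one or the other, matching the subsection you followed in the MMC:
# Set-GlobalMfa
# Set-RptMfa -RptName 'Claims Demo App'     # ASSUMPTION: a relying party trust name in your farm
```

Both functions echo the setting they changed so the result can be compared with what the ADFS Management MMC shows. The per-RPT function refuses to run if the adapter has been unchecked as a provider, because that is the mistake the note above warns about: the rule would then require MFA with no provider able to satisfy it.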
Adaptive Authentication
With the advent of the latest version of the ADFS 2FA VAM, this VAM now supports SecureAuth IdP’s digital fingerprinting and adaptive authentication. This enables ADFS applications to run adaptive authentication routines behind the scenes to verify the requester before a passcode routine screen appears to start the second authentication step. In practice this means that after correctly signing in with a password on a screen like Figure 7,
FIGURE 7. Password Sign In
there is an authentication performed before the next screen appears like Figure 8:
FIGURE 8. Pin Code Selection Example
The adaptive authentication that occurs is determined by the Adaptive Authentication page on the SecureAuth IdP Web Admin Console, like this example:
FIGURE 9. IP Reputation/Threat Data Page (9.2 version)
The use of both digital fingerprinting and adaptive authentication is transparent to users; they are only aware of failing a test when a screen other than the anticipated one appears. The normal flow of this adaptive authentication test depends on the values you enter in the enabled ‘Threat Services’ section as shown in Figure 9. An example of the decision flow made possible by the settings in this section is shown in Figure 10.
FIGURE 10. Threat Services Workflow (node labels recovered from the flowchart image)
If Threat Intel Result Action is:
+ Redirect: Redirect to URL specified by API realm (a warning page)
+ Skip 2FA: Set Claim without 2FA
+ Hard Stop: Stops workflow and ...
+ Go through 2FA: Go thru 2FA; If Successful, Set Digital Fingerprinting (DFP), then Set Claim
+ Continue: Check for DFP
    + DFP Found: Already Authenticated; Set Claim without 2FA
    + DFP Not Found: Go thru 2FA; If Successful, Set Digital Fingerprinting (DFP), then Set Claim

For information on using SecureAuth IdP Adaptive Authentication refer to:
+ Adaptive Authentication Tab Configuration
For information on using Digital Fingerprinting, refer to:
+ Device Recognition
Use Examples
The adapter will be used for the defined requirements at the Global scope or for the specific Per Relaying Party Trust. It will be invoked at either SP-Initiated or IdP-Initiated login attempts at ADFS. Figure 11 illustrates an example of an IdP-Initiated login request.
FIGURE 11. Use Example Flowchart
Upgrade Information
Please contact [email protected] before modifying your SecureAuth IdP with any updates that might affect this VAM.

Conclusion
If these steps are followed properly, the installation of this module enables seamless OTP authentication of ADFS applications by SecureAuth IdP.