Authlogics, 12th Floor, Ocean House, The Ring, Bracknell, Berkshire, RG12 1AX, United Kingdom UK Tel: +44 1344 568 900 US Tel: +1 857 214 2174 email: [email protected] web: http://authlogics.com/
Authlogics ADFS Agent
Integration Guide With PINgrid, PINphrase & PINpass Technology
Product Version: 3.0.6230.0
Publication date: January 2017
Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organisations, products, domain names, e-mail addresses, logos, people,
places and events depicted herein are fictitious, and no association with any real company, organisation, product, domain
name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user.
Authlogics may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written licence agreement from Authlogics, the
furnishing of this document does not give you any licence to these patents, trademarks, copyrights, or other intellectual
property.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
The information contained in this document represents the current view of Authlogics on the issues discussed as of the
date of publication. Because Authlogics must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Authlogics, and Authlogics cannot guarantee the accuracy of any information presented after
the date of publication.
This document is for informational purposes only. AUTHLOGICS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Copyright © 2017 Authlogics. All rights reserved.
Table of Contents
Introduction ............................................................................................................................................ 3
Licensing .............................................................................................................................................. 4
Design and Deployment Scenarios ......................................................................................................... 4
Minimum Requirements ..................................................................................................................... 4
Deployment ............................................................................................................................................ 5
Overview ............................................................................................................................................. 5
Installing/Removing the Authlogics ADFS Agent ................................................................................ 5
Running an installation ................................................................................................................... 5
Running a removal .......................................................................................................................... 7
Configuring the Authlogics ADFS Agent .............................................................................................. 9
Configuring ADFS for Multi-Factor Authentication ............................................................................... 10
Enabling the Authlogics ADFS Agent ................................................................................................. 10
Testing the logon process ................................................................................................................. 11
Customising ADFS Claims .................................................................................................................. 13
Introduction
Authlogics Authentication Server is a multi-factor authentication system which provides:
- Token and token-less multi-factor authentication.
- Award-winning transaction signing / verification technology.
- Self-service password reset and unlocking.
- Web Service API and RADIUS interfaces for connectivity.
- Authentication technologies:
  o PINgrid Pattern Based Authentication.
  o PINphrase Random Character Authentication.
  o PINpass OATH (TOTP) Compliant Authentication.
This guide includes details for integrating Authlogics with Active Directory Federation Services
(ADFS) via the web interface. Integrating Authlogics with ADFS is an ideal way to add strong
authentication to Single Sign-on and to secure cloud-based applications.
Licensing
The Authlogics ADFS Agent is free of charge; however, it may only be used with a correctly licensed
Authlogics Authentication Server.
Design and Deployment Scenarios
The Authlogics ADFS Agent has been designed to be installed directly onto the ADFS server hosting
the web-based logon page.
The installation will integrate the agent directly into the ADFS Management Console UI.
Minimum Requirements
The Authlogics ADFS Agent has been designed to work with ADFS 3.0 on Windows Server 2012 R2
only.
Note
For detailed information on the licence types please refer to the licence
agreement document embedded within the installation package.
Deployment
The following deployment overview walks through the installation process for deploying the
Authlogics ADFS Agent.
Overview
This deployment section assumes that at least one Authlogics Authentication Server has already
been installed and is functional. See the Authlogics Authentication Server Installation and
Configuration guide for further information on setting up the Authlogics Authentication Server. In
addition, Authlogics user accounts should already be configured for users.
Installing/Removing the Authlogics ADFS Agent
The installation should be performed on the server running the Remote Desktop Web Access role.
Running an installation
(1) To start the Authlogics ADFS Agent installation, run the Authlogics ADFS Agent xxxxx.exe installer with elevated privileges.
(2) Click Next to begin the install or Cancel to quit.
(3) Review the Authlogics Licence Agreement, check the I accept the terms of the licence agreement box and click Next.
(4) Enter the FQDN of the Authlogics Authentication Server, click Next.
(5) Click Next to begin the install or Cancel to quit.
The installation is being performed.
(6) All necessary Authlogics ADFS Agent files have been installed. Click Finish to complete the installation process.
Running a removal
Uninstalling the Authlogics ADFS Agent does NOT remove the metadata from user accounts in the
Active Directory.
If you no longer require Authlogics ADFS Agent on a server, you can remove it by performing an
uninstall as follows:
(1) To start the Authlogics ADFS Agent uninstallation, execute the Authlogics ADFS Agent xxxxx.exe installer or use the Uninstall or change a program
option in Control Panel and click Remove.
(2) Select Uninstall. Click Next to continue.
(3) Click Next to continue.
(4) The Authlogics uninstall will remove configured components.
(5) Click Finish to complete the uninstall process.
Configuring the Authlogics ADFS Agent
Once the agent has been installed, there are a few settings that can be modified to change the
configuration of the agent. These reside in the registry in the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Authlogics\ADFS Agent\
Configuring ADFS for Multi-Factor Authentication
Microsoft ADFS 3 has native support for multi-factor authentication via the UI.
Enabling the Authlogics ADFS Agent
1. Click the Edit Global Multi-factor Authentication action in the top right corner.
2. Check the “Authlogics ADFS Agent” box to enable it.
3. Choose how/when you would like to use Authlogics Authentication, e.g. by User/Group,
Device or Location.
You can also enable Authlogics Authentication per application via the “Per Relying Party
Trust” section.
4. Click OK when done.
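The same enablement can be checked and applied from PowerShell on the ADFS server. This is an added example, not part of the Authlogics guide; it assumes ADFS 3.0 on Windows Server 2012 R2 and that the provider's DisplayName contains "Authlogics" (the console shows it as "Authlogics ADFS Agent").

```powershell
# Added example (not from the Authlogics guide): confirm the Authlogics provider is
# registered with ADFS and enabled as an additional (multi-factor) provider.
# Assumption: the provider's DisplayName contains "Authlogics".
Import-Module ADFS

# 1. Locate the registered provider. The policy refers to it by its internal Name;
#    the ADFS console shows its DisplayName.
$provider = Get-AdfsAuthenticationProvider |
    Where-Object { $_.DisplayName -like '*Authlogics*' }
if (-not $provider) {
    throw 'Authlogics provider is not registered in ADFS; check the agent installation.'
}

# 2. Inspect the global MFA policy.
$policy  = Get-AdfsGlobalAuthenticationPolicy
$enabled = $policy.AdditionalAuthenticationProvider -contains $provider.Name

if ($enabled) {
    Write-Output "MFA provider '$($provider.Name)' is already enabled globally."
} else {
    # 3. Enable it while keeping any providers already in the list
    #    (Set- replaces the whole list rather than appending to it).
    $providers = @($policy.AdditionalAuthenticationProvider) + $provider.Name
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
    Write-Output "Enabled MFA provider '$($provider.Name)' globally."
}

# 4. Read the policy back so the change is verified, not assumed.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object AdditionalAuthenticationProvider, DeviceAuthenticationEnabled
```

The user/group, device and location conditions chosen in step 3 are stored as additional authentication rules, not in the provider list, so the read-back only confirms the provider is enabled.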
Testing the logon process
1. Open the ADFS logon page URL (e.g. https://fs.authlogics.com/adfs/ls/idpinitiatedsignon)
and enter your username and password as usual.
Click Sign in.
2. Enter your One Time Code
Click Sign in.
3. You are successfully logged on to ADFS.
Customising ADFS Claims
The ADFS UI is the first port of call for customising the claims behaviour. You can also make manual
customisations as needed.
A common requirement with ADFS and Multi-Factor Authentication for Office 365 is to bypass
MFA for the Exchange Online Autodiscover and ActiveSync services so that legacy devices can
synchronise. This can be set by running the following PowerShell script:
# Locate the Office 365 relying party trust
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"

# Require MFA (multipleauthn) for requests arriving via the proxy (i.e. external),
# unless the client application is Exchange Autodiscover or ActiveSync
$rules = @'
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rules
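Every client application exempted this way is protected by the password alone, so it is worth knowing which relying parties carry such exceptions. The following read-only audit script is an added example, not part of the Authlogics guide; it assumes the ADFS PowerShell module on the federation server and looks for exemptions written in the same form as the rule above.

```powershell
# Added example (not from the Authlogics guide): audit every relying party trust's
# additional authentication rules, reporting whether each issues the multipleauthn
# claim and which x-ms-client-application values are exempted from MFA.
# Assumption: exemptions use the NOT exists([Type == ..., Value == ...]) form above.
Import-Module ADFS

$mfaClaim   = 'http://schemas.microsoft.com/claims/multipleauthn'
$clientType = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application'

# Matches: NOT exists([Type == "<x-ms-client-application>", Value == "<app>"])
# and captures <app>; whitespace around the operators is tolerated.
$exemptPattern = 'NOT\s+exists\(\[Type\s*==\s*"' + [regex]::Escape($clientType) +
                 '"\s*,\s*Value\s*==\s*"([^"]+)"\]\)'

$report = foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $rules  = [string]$rp.AdditionalAuthenticationRules   # empty string when unset
    $exempt = [regex]::Matches($rules, $exemptPattern) |
        ForEach-Object { $_.Groups[1].Value }
    [pscustomobject]@{
        RelyingParty  = $rp.Name
        RequiresMfa   = ($rules -match [regex]::Escape($mfaClaim))
        ExemptClients = ($exempt -join ', ')
    }
}

$report | Sort-Object RelyingParty | Format-Table -AutoSize

# Global rules apply in addition to the per-relying-party rules; show them for context.
Write-Output 'Global additional authentication rules:'
Get-AdfsAdditionalAuthenticationRule
```

A relying party showing RequiresMfa as False relies entirely on the global rules and provider settings, so review those rows against the global policy rather than treating them as unprotected.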
Further information can be found online about customising ADFS; the following blog may
be useful: https://blogs.msdn.microsoft.com/ramical/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-adfs-part-1-policy/