
Authlogics, 12th Floor, Ocean House, The Ring, Bracknell, Berkshire, RG12 1AX, United Kingdom UK Tel: +44 1344 568 900 US Tel: +1 857 214 2174 email: [email protected] web: http://authlogics.com/

Authlogics ADFS Agent

Integration Guide With PINgrid, PINphrase & PINpass Technology

Product Version: 3.0.6230.0

Publication date: January 2017


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organisations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organisation, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user.

Authlogics may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written licence agreement from Authlogics, the furnishing of this document does not give you any licence to these patents, trademarks, copyrights, or other intellectual property.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

The information contained in this document represents the current view of Authlogics on the issues discussed as of the date of publication. Because Authlogics must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Authlogics, and Authlogics cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. AUTHLOGICS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Copyright © 2017 Authlogics. All rights reserved.


Table of Contents

Introduction
Licensing
Design and Deployment Scenarios
    Minimum Requirements
Deployment
    Overview
    Installing/Removing the Authlogics ADFS Agent
        Running an installation
        Running a removal
    Configuring the Authlogics ADFS Agent
Configuring ADFS for Multi-Factor Authentication
    Enabling the Authlogics ADFS Agent
    Testing the logon process
    Customising ADFS Claims


Introduction

Authlogics Authentication Server is a multi-factor authentication system which provides:

- Token and token-less multi-factor authentication.
- Award winning transaction signing / verification technology.
- Self-service password reset and unlocking.
- Web Service API and RADIUS interfaces for connectivity.
- Authentication technologies:
    o PINgrid Pattern Based Authentication.
    o PINphrase Random Character Authentication.
    o PINpass OATH (TOTP) Compliant Authentication.

This guide includes details for integrating Authlogics with Active Directory Federation Services (ADFS) via the web interface. Integrating Authlogics with ADFS is an ideal way to add strong authentication to Single Sign-on and to secure cloud based applications.


Licensing

Authlogics ADFS Agent is free of charge; however, it may only be used with a correctly licenced Authlogics Authentication Server.

Design and Deployment Scenarios

The Authlogics ADFS Agent has been designed to be installed directly onto the ADFS server hosting the web based logon page.

The installation will integrate the agent directly into the ADFS Management Console UI.

Minimum Requirements

The Authlogics ADFS Agent has been designed to work with ADFS 3.0 on Windows Server 2012 R2 only.

Note: For detailed information on the licence types please refer to the licence agreement document embedded within the installation package.


Deployment

The following deployment overview walks through the installation process for deploying the Authlogics ADFS Agent.

Overview

This deployment section assumes that at least one Authlogics Authentication Server has already been installed and is functional. See the Authlogics Authentication Server Installation and Configuration guide for further information on setting up the Authlogics Authentication Server. In addition, Authlogics user accounts should already be configured for users.

Installing/Removing the Authlogics ADFS Agent

The installation should be performed on the server running the Remote Desktop Web Access role.

Running an installation

(1) To start the Authlogics Windows Desktop Logon Agent installation, run the Authlogics ADFS Agent xxxxx.exe installer with elevated privileges.

(2) Click Next to begin the install or Cancel to quit.

(3) Review the Authlogics Licence Agreement, check the "I accept the terms of the licence agreement" box and click Next.

(4) Enter the FQDN of the Authlogics Authentication Server, click Next.

(5) Click Next to begin the install or Cancel to quit.

The installation is being performed.

(6) All necessary Authlogics ADFS Agent files have been installed. Click Finish to complete the installation process.

Running a removal

Uninstalling the Authlogics ADFS Agent does NOT remove the metadata from user accounts in the Active Directory.

If you no longer require Authlogics ADFS Agent on a server, you can remove it by performing an uninstall as follows:

(1) To start the Authlogics ADFS Agent un-installation, execute the Authlogics ADFS Agent xxxxx.exe installer or use the "Uninstall or change a program" option in Control Panel and click Remove.

(2) Select Uninstall. Click Next to continue.

(3) Click Next to continue.

(4) The Authlogics uninstall will remove configured components.

(5) Click Finish to complete the uninstall process.


Configuring the Authlogics ADFS Agent

Once the agent has been installed, there are a few settings that can be modified to change the configuration of the agent. These reside in the registry in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Authlogics\ADFS Agent\


Configuring ADFS for Multi-Factor Authentication

Microsoft ADFS 3 has native support for multi-factor authentication via the UI.

Enabling the Authlogics ADFS Agent

1. Click the Edit Global Multi-factor Authentication action in the top right corner.

2. Check the “Authlogics ADFS Agent” box to enable it.

3. Choose how/when you would like to use Authlogics Authentication, e.g. by User/Group, Device or Location.

You can also enable Authlogics Authentication per application via the “Per Relying Party Trust” section.

4. Click OK when done.

Testing the logon process

1. Open the ADFS logon page URL (e.g. https://fs.authlogics.com/adfs/ls/idpinitiatedsignon) and enter your username and password as usual. Click Sign in.

2. Enter your One Time Code. Click Sign in.

3. You are successfully logged on to ADFS.

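Customising ADFS Claims

The ADFS UI is the first port of call for customising the claims behaviour. You can also make manual customisations as needed.

A common requirement with ADFS and Multi Factor Authentication with Office 365 is to bypass MFA for the Exchange Online Autodiscover and ActiveSync services so that legacy devices can synchronise. The rule below requires MFA (it issues the multipleauthn authentication method claim) only for requests that carry the x-ms-proxy claim and whose x-ms-client-application claim is neither Microsoft.Exchange.Autodiscover nor Microsoft.Exchange.ActiveSync, so requests from those two clients are authenticated with the primary credentials only. It can be set by running the following PowerShell script: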

# Require MFA for proxied requests, except Exchange Autodiscover and ActiveSync clients
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules '
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
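Because Set-AdfsRelyingPartyTrust overwrites whatever additional authentication rules the trust already has, the following added example (not part of the Authlogics guide) saves the existing rules, applies the same rule as above, and reads it back to confirm it was stored. The backup path and the "*Authlogics*" match on the provider name are assumptions.

```powershell
# Added example (not from the Authlogics guide). Run elevated on the primary ADFS server.
$rpName     = 'Microsoft Office 365 Identity Platform'             # trust name from the guide
$backupPath = Join-Path $env:TEMP 'o365-additional-auth-rules.bak' # assumed backup location

# Pre-check: the rule demands MFA, so an additional provider must be enabled globally.
# Matching on "Authlogics" is an assumption about the provider's registered name.
$enabled = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
if (-not ($enabled -like '*Authlogics*')) {
    Write-Warning "No Authlogics provider in the global MFA policy: $($enabled -join ', ')"
}

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }

# Set-AdfsRelyingPartyTrust overwrites the existing rule set, so save it first.
"$($rp.AdditionalAuthenticationRules)" | Set-Content -Path $backupPath -Encoding UTF8

$ctx  = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$rule = @"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rule

# Read the trust back and confirm the stored rule has the MFA claim and both exemptions.
$stored   = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
$expected = 'x-ms-proxy', 'Microsoft.Exchange.Autodiscover',
            'Microsoft.Exchange.ActiveSync', 'claims/multipleauthn'
$missing  = $expected | Where-Object { $stored -notlike "*$_*" }
if ($missing) { throw "Stored rule is missing: $($missing -join ', ')" }
Write-Output "Rule applied to '$rpName'; previous rules saved to $backupPath"
```

To roll back, pass the saved text to the same cmdlet: Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules (Get-Content -Raw $backupPath).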

Further information can be found online about customising ADFS, however the following blog may be useful: https://blogs.msdn.microsoft.com/ramical/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-adfs-part-1-policy/

