ADFS 2FA Value-Added Module (VAM) Deployment Guide


Copyright Information

2018. SecureAuth is a registered trademark of SecureAuth Corporation. SecureAuth's IdP software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation.

Version 1.0

Revision History

Version  Date        Notes
0.1      2017-03-28  Initial draft
1.0      2017-09-27  First version
2.0      2018-07-24  Second version
2.01     2018-08-14  Version table included
2.02     2018-10-04  Additional text included

For information on support for this module, contact your SecureAuth support or sales representative:
Email: support@secureauth.com, inside-sales@secureauth.com
Phone: +1.949.777.6959 or +1-866-859-1526
Website: https://www.secureauth.com/support, https://www.secureauth.com/contact

Table of Contents

Copyright Information
Overview
  Benefits
Installation
  Requirements
  Packaged Installation (.msi)
ADFS Configuration
  Global-Level Configuration
  Per Relying Party Trust
Adaptive Authentication
Use Examples
Upgrade Information
Conclusion

Overview

This guide contains information on how to install the SecureAuth ADFS Two-Factor Adapter Value-Added Module (VAM) and how to configure it for use in an ADFS 3.0 environment. The SecureAuth ADFS Two-Factor Adapter is a Multi-Factor Authentication Provider that uses the SecureAuth Authentication APIs to send One-Time Passwords (OTPs) for use in authentication by an ADFS federated application.

The SecureAuth ADFS Two-Factor VAM enables current ADFS customers to add strong authentication to their existing ADFS integrations. Many customers have comprehensive ADFS implementations that provide the convenience of SSO access but lack strong security, thereby putting all their applications at risk from a single breach. With this add-on module, Push-to-accept, SMS, voice, email, KBQ, and OATH authentication can be enabled, as well as advanced IP threat analysis. This version of the VAM also includes strong support for Adaptive Authentication in addition to digital fingerprinting.

Many customers employ this tool when converting their SSO-available applications (using SSO standards such as SAML and WS-Federation) from ADFS to the SecureAuth IdP platform. ADFS SAM secures their applications before they are migrated to a single SecureAuth platform, which greatly simplifies administration.

Integrating with ADFS using SecureAuth's Two-Factor Authentication (2FA) can be challenging when pure federation protocols like SAML or WS-Federation are employed. The ADFS Two-Factor module was created to enable SecureAuth Two-Factor integration and a migration strategy that moves away from ADFS. In many cases, our customers have a large customer base that currently utilizes ADFS; however, they quickly realize that ADFS does not provide the security needed for today's hazardous environment. But while needing to migrate away from ADFS, the customer soon learns that they have too many applications to do this all at once.

The ADFS Two-Factor Module overcomes this obstacle by enabling ADFS-dependent applications and data to support SecureAuth 2FA through our API command structure. SecureAuth has created a full 2FA interface directly into ADFS. This gives the customer an easy and straightforward path to moving their applications to SecureAuth federation, while still protecting applications behind ADFS.

Benefits

+ Can be used as a bridge while migrating federated apps to SecureAuth IdP
+ Support for SMS, Phone, Email, and Push-2-Accept 2FA selections
+ Supports Digital Fingerprint capabilities
+ Supports Adaptive Authentication
+ Support for ADFS direct integration
+ Supports knowledge-based questions and answers (KBQ/KBA)

Installation

Installation entails the following steps:

+ Requirements
+ Packaged Installation

Requirements

The SecureAuth adapter requires a valid configuration of the SecureAuth Authentication API to be installed in a single realm on your SecureAuth IdP. To configure the Authentication API, follow the instructions provided in: https://docs.secureauth.com/x/wqabag

Packaged Installation (.msi)

Because of the nature of ADFS, and how tightly coupled it is to the core operating system, the TwoFactorAdapterSetup.msi must be run as an administrator.

1. Open a command prompt window as an administrator.
   a. Click Start, click All Programs, and then click Accessories.
   b. Right-click Command prompt, and then click Run as administrator.
   c. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. Use cd to change directory to the directory where the unzipped archive resides (for example, cd C:\Temp\SecureAuthADFSTwoFactorAdapter).
3. Launch the installation by typing: SecureAuthAdapterSetup.msi

Three versions of the ADFS 2FA VAM are currently available:

VAM Version  Description
2.17         Added Digital Fingerprinting. Added Push-To-Accept feature for MFA. Changed logging options to include None, Detailed, and Sensitive. Supports IdP versions 9.1 and earlier.
3.0          Incorporates Threat Intel. Supports IdP version 9.2.
3.0.0.1      Fix to improve IE browser compatibility.

A screen like Figure 1 appears.

FIGURE 1. Two-Factor Adapter Setup Welcome Screen

4. Click the Next button to continue. A screen like Figure 2 appears:

FIGURE 2. Adapter Setup EULA Screen

5. Read and accept the SecureAuth License Agreement, then click Next. A screen like Figure 3 appears:

FIGURE 3. Install Settings Screen

6. By default, the location for the SecureAuth Adapter installation is C:\Windows\ADFS\SecureAuthAdapter\, which is the install base for ADFS. If the ADFS server you are installing to is the primary or first ADFS server on which the adapter is being installed, check the Register SecureAuthADFSAdapter as an Authentication Provider in ADFS box.
7. Click Next to continue. The example shown in Figure 4 appears:

FIGURE 4. SecureAuthAdapter Configuration

8. Fill out the adapter configuration fields based on your needs. The fields are defined below.

Field                         Description
Adapter Name                  The name used when registering the adapter to ADFS.
Enable Logs                   Enable text-based logs residing in the secureauthadapter/logs/ folder. This allows both detailed and sensitive levels of logging:
                              + Detailed: detailed logging to assist with troubleshooting
                              + Sensitive: more sensitive information is logged, such as IP addresses, usernames, and OTP codes entered.
Management UI Friendly Name   The name that will appear in the ADFS management MMC.
AppID                         The SecureAuth authentication API appid from the SecureAuth appliance.
AppKey                        The SecureAuth authentication API appkey from the SecureAuth appliance.
SecureAuth Realm URL          The URL to the SecureAuth Realm configured for the Authentication API.
Use SAMAccountName            If required, this setting will attempt to use the SAMAccountName to make the API calls.
Phone Image Url               URL to the image for the phone two-factor method (detailed below).
SMS Image Url                 URL to the image for the SMS two-factor method (detailed below).
Email Image URL               URL to the image for the email two-factor method (detailed below).
KBQ Image Url                 URL to the image for the KBQ two-factor method (detailed below).
HelpDesk Image Url            URL to the image for the HelpDesk two-factor method (detailed below).
OATH Image Url                URL to the image for the OATH OTP two-factor method (detailed below).
Progress GIF Url              URL to the gif for the progress wheel (detailed below).
Disable SSL                   ONLY USE IN TESTING. Disables SSL certificate checks on calls to the Authentication API.

9. Click Next to continue. A screen like Figure 5 appears.

FIGURE 5. Installing SecureAuth Two-Factor Adapter Setup

10. Once the installation finishes, you can exit the installer.
11. Navigate to the C:\Windows\ADFS\SecureAuthAdapter\Images\ directory. If you have not already transferred the images to the \Images\ subfolder, copy the required images from the \adfs2images folder (this folder should reside at a location on the machine such as C:\adfs2images) to the C:\Windows\ADFS\SecureAuthAdapter\Images\ directory. Make sure you map the physical path correctly.
12. Copy the images located in the required \Images subdirectory to the URL corresponding to the defined Image URL as specified in Step 8. For each of the image URLs, refer to the full http path of the images you placed on the machine (for example, https://secureauthidp.sacustom.local/adfsimages/).

NOTE: If the correct image does not appear on the corresponding 2FA page, make sure you have mapped the proper image to the proper URL as outlined in Steps 8-12.

13. After the plug-in has been installed successfully, do the following:
   a. Navigate to the C:\Windows\ADFS\SecureAuthAdapter directory.
   b. Right-click on the Logs folder and select Properties.
   c. At the Logs Properties sheet, select the Security tab, then click Edit to change permissions.
   d. At the Permissions for Logs property sheet, click Add.
   e. At the Select Users, Computers, Service Accounts, or Groups dialog box, make sure the correct security permissions are enabled as shown in the example in Figure 6.

FIGURE 6. Log File Permissions Form
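Because the Sensitive logging level writes usernames, IP addresses and entered OTP codes to the Logs folder, it is worth reviewing who can read that folder before enabling it. The following PowerShell is an added example, not part of the SecureAuth guide: it lists the ACL on the Logs path from step 13 and flags entries granted to broad principals. The Logs path comes from the guide; the list of principals treated as "broad" is an assumption you can extend to match your environment.

```powershell
# Added example (not from the SecureAuth guide): review the ACL on the adapter's
# Logs folder before enabling Detailed or Sensitive logging.
# The path is the install location the guide specifies; $broadPrincipals is an
# assumed list of groups that should not normally be able to read OTP-bearing logs.

$logsPath        = 'C:\Windows\ADFS\SecureAuthAdapter\Logs'
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-LogsFolderAccess {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Broad     = ($broadPrincipals -contains $ace.IdentityReference.Value)
        }
    }
}

$entries = Get-LogsFolderAccess -Path $logsPath
$entries | Format-Table -AutoSize

# Allow entries for broad groups mean anyone on the box can read the logs;
# tighten these (remove inheritance, grant only the AD FS service account and
# administrators) before turning on Sensitive logging.
$broad = $entries | Where-Object { $_.Broad -and $_.Type -eq 'Allow' }
if ($broad) {
    Write-Warning "Broad principals can access $logsPath; tighten the ACL before enabling Sensitive logging:"
    $broad | ForEach-Object { Write-Warning ("  {0} : {1}" -f $_.Identity, $_.Rights) }
}
```

Run it in an elevated session on the ADFS server after step 13; inherited Allow entries for BUILTIN\Users are the usual finding under C:\Windows, so expect to break inheritance on the Logs folder rather than on its parents.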

ADFS Configuration

ADFS can be configured to apply multi-factor authentication either at a global level or to specific Relying Party Trusts. Each of these approaches is described in the following subsections.

Global-Level Configuration

By default, the package installation will configure both the Intranet and Extranet zones to use Multi-Factor Authentication (MFA). To do this:

1. Launch the ADFS Management MMC.
2. Click on the Authentication Policies container in the navigation pane to the left.
3. Click on the Edit link under Multi-Factor Authentication.
4. Define what requirements will be used to determine if the authentication request will require MFA. You can specify specific users and groups, device types, or locations. By default the package installation will set both Extranet and Intranet as protected by MFA.
5. Make sure that the SecureAuthAdapter is checked in the authentication providers at the bottom of the properties window.
6. Click Apply and OK to save the settings for ADFS.

Per Relying Party Trust

To apply MFA for ADFS per relying party trust, perform the following steps:

NOTE: You must remove any Global settings for MFA requirements to set specific Per Relying Party Trust methods. When removing the requirements, be sure not to uncheck the SecureAuth Adapter from the authentication providers. To do this, refer to the steps below.

1. Launch the ADFS Management MMC.
2. Expand the Authentication Policies container and click on Per Relying Party Trust in the navigation pane to the left.
3. Click the specific Relying Party Trust you want to add MFA to, then click on Edit Custom Multi-Factor Authentication in the Action pane to the right.
4. Define what requirements will be used to determine if the authentication requests for this Relying Party Trust will require Multi-Factor Authentication.
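The MMC steps above (global-level and per relying party trust) have PowerShell equivalents in the ADFS module that ship with Windows Server, which are easier to review and repeat across servers. The script below is an added example, not code from SecureAuth or from this guide. It assumes the adapter was registered under the name SecureAuthAdapter (the name the guide tells you to look for in the providers list) and uses a constructed relying party trust display name, "Claims App", that you must replace with your own; the way it clears the global rule (passing $null) is an assumption, so the final report shows what was actually applied.

```powershell
# Added example (not from the SecureAuth guide): apply the guide's MFA settings with
# the ADFS PowerShell module. Run in an elevated session on the primary AD FS server.
# Assumptions: the provider name 'SecureAuthAdapter' (from the guide's provider list)
# and the relying party name 'Claims App' (a constructed placeholder).

Import-Module ADFS

$adapterName = 'SecureAuthAdapter'
$rpName      = 'Claims App'   # constructed placeholder: your relying party trust's display name

# 1. Confirm the installer's "Register ... as an Authentication Provider" step took effect
#    (only the primary server registers the provider; secondaries pick it up from it).
$provider = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $adapterName }
if (-not $provider) {
    throw "Authentication provider '$adapterName' is not registered; re-run the MSI on the primary server with the register box checked."
}

# 2. Global-level configuration: keep the adapter checked as an additional (MFA)
#    provider, matching step 5 of the guide's global configuration.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.AdditionalAuthenticationProvider -notcontains $adapterName) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider (@($policy.AdditionalAuthenticationProvider) + $adapterName)
}

# Claim rule language for "require MFA". An unconditional rule covers both the
# Intranet and Extranet zones (the guide's default); the commented variant restricts
# it to extranet requests only (insidecorporatenetwork == false).
$mfaForAll = @'
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
         Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
# $mfaExtranetOnly = @'
# c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
#  => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
#           Value = "http://schemas.microsoft.com/claims/multipleauthn");
# '@

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaForAll

# 3. Per relying party trust: the guide requires the global requirement to be removed
#    first, while the adapter stays listed as a provider. Clearing with $null is assumed
#    here; the report at the end shows whether the global rule is really empty.
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $null

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaForAll

# 4. Report the resulting state so the change can be reviewed before users hit it.
[pscustomobject]@{
    ProviderRegistered = [bool]$provider
    GlobalProviders    = ((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider -join ', ')
    GlobalMfaRule      = (Get-AdfsAdditionalAuthenticationRule)
    RelyingPartyRule   = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
}
```

Steps 2 and 3 are alternatives, not a sequence: keep only the global rule if every application should prompt for SecureAuth 2FA, or clear it and set per-trust rules if only some should. Whichever you choose, the check in step 1 and the report in step 4 are what you would paste into a change record.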

Adaptive Authentication

With the advent of the latest version of the ADFS 2FA VAM, this VAM now supports SecureAuth IdP's digital fingerprinting and adaptive authentication. This enables ADFS applications to run adaptive authentication routines behind the scenes to verify the requester before a passcode routine screen appears to start the second authentication step. In practice this means that after correctly signing in with a password on a screen like Figure 7,

FIGURE 7. Password Sign In

an authentication check is performed before the next screen appears, like Figure 8:

FIGURE 8. Pin Code Selection Example

The adaptive authentication that occurs is determined by the Adaptive Authentication page on the SecureAuth IdP Web Admin Console, like this example:

FIGURE 9. IP Reputation/Threat Data Page (9.2 version)

The use of both digital fingerprinting and adaptive authentication is transparent to users; they are only aware of failing a test when a screen other than the anticipated one appears. The normal flow of this adaptive authentication test depends on the values you enter in the enabled Threat Services section as shown in Figure 9. An example of the decision flow made possible by settings in this section is shown in Figure 10.

If Threat Intel Result Action is:   Then:
Hard Stop                           Stops the workflow
Redirect                            Redirect to the URL specified by the API realm (a warning page)
Skip 2FA                            Set claim without 2FA
Already Authenticated               Set claim without 2FA
Go thru 2FA                         Go through 2FA; if successful, set Digital Fingerprinting (DFP)
Check for DFP                       DFP not found: continue (go through 2FA); DFP found: set claim

FIGURE 10. Threat Services Workflow

For information on using SecureAuth IdP Adaptive Authentication, refer to:

+ Adaptive Authentication Tab Configuration

For information on using Digital Fingerprinting, refer to:

+ Device Recognition

Use Examples

The adapter will be used for the defined requirements at the Global scale or at the specific Per Relying Party Trust. It will be prompted at either SP-Initiated or IdP-Initiated login attempts at ADFS. Figure 11 illustrates an example of an IdP-Initiated login request.

FIGURE 11. Use Example Flowchart

Upgrade Information

Please contact support@secureauth.com before modifying your SecureAuth IdP with any updates that might affect this VAM.

Conclusion

If these steps are followed properly, the installation of this module enables seamless OTP authentication of ADFS applications by SecureAuth IdP.