Active Directory Federation Services

Introduction

Multi-factor authentication (MFA) is an extra layer of security used when logging into websites or apps in which individuals are authenticated through more than one required security and validation procedure that only you know or have access to. Acceptto offers a simple solution for adding MFA for Active Directory Federation Services (AD FS) v3.0 on Windows Server 2012 R2 and v4.0 on Windows Server 2016. With this feature, customers can use AD FS as their Identity Provider (IdP) to login to their applications and empower it with Acceptto MFA to provide a strong method of authentication.


Initial Steps
  1. If you don't have an Acceptto account and Acceptto mobile application, Download our app and register a new account on it:
  2. Using your Organizational Admin account, log in to the Acceptto Dashboard and navigate to Applications.
  3. Click the New Application button to make an application for protecting the AD FS and get your UID and Secret codes (See Setting Up for help).

  4. Treat your UID and Secret code like any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

    If you do not plan to use AD FS in an external facing environment, such as a proxy, configure the URL callback to point to https://mfa.acceptto.com. Also, note that you can create multiple applications to cover different relying parties.

  5. Once the application is created, add usernames to the application by selecting the control “Usernames”. Add the usernames and emails of the users that are going to be logging in using AD FS.
  6. Download the Acceptto AD FS MFA authentication provider. Please contact support@acceptto.com for the download link.
  7. Install “Remote Server Administration Tools” feature on the AD FS server.
Install Acceptto AD FS MFA Authentication Provider
  1. Run the Acceptto AD FS MFA authentication provider as a user with administrator privileges on each of your AD FS servers.
  2. Enter your UID and Secret code that you obtained in the Initial Steps when you created the application and finish the installation. Then, restart the server.
Configure AD FS v3.0 Multi-factor Authentication
  1. Launch the AD FS Management console on your server. Expand AD FS, click Authentication Policies and then click the Edit Global Multi-factor Authentication.
  2. On multi-factor tab, check the box next to the Acceptto Authentication Provider and click ok.
  3. Expand Authentication Policies. Click Per relying Party Trust and Right-click the relying party where you want to apply Acceptto MFA. Choose Edit custom multi-factor Authentication. On the multi-factor tab, select the ‘Devices’ and ‘locations’ you need and click ok.
Configure AD FS v4.0 Multi-factor Authentication
  1. Launch the AD FS Management console on your server. Expand Services, click Authentication Methods and then click the Edit Multi-factor Authentication. Check the box next to the Acceptto Authentication Provider and click ok.
  2. Go to Access Control Policies and either edit one of the existing MFA policies to apply it to users or groups or create a new MFA policy if no pre-defined one is sufficient for your organization's MFA requirements.
  3. Go to Relying Party Trusts, right-click the relying party trust where you want to add Acceptto MFA, then select Edit Access Control Policy.
  4. Select the preferred access control policy, then click OK.
  5. Acceptto AD FS MFA Protection Installation is complete. You can now extend the Access Policy to other Relying Parties and increase their security by adding Acceptto Multi-Factor Authentication.

Test Your Setup

Open your browser and go to a relying party for your AD FS 3 or 4 deployment. Log in with your user credentials and note that the user is now requested to perform Multi-Factor Authentication using the Acceptto It’sMe mobile application before access is allowed.


Support

If you require assistance, please email us at support@acceptto.com

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks, and brands does not constitute endorsement by the Acceptto Corporation.

Microsoft, Windows and AD FS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.