Active Directory Federation Services

Introduction

Acceptto offers a simple way to add Multi-Factor Authentication (MFA) for Active Directory Federation Services (AD FS) users. MFA is an extra layer of security for logging in to websites or apps: the user is authenticated through more than one required validation step, each relying on something only that user knows or has access to.


Process Overview

Download Acceptto Mobile App

If you do not yet have an Acceptto account and the Acceptto mobile application, download the app and register a new account in it.

Pre-Requisites
  1. Windows Server 2016 or Windows Server 2019 with Desktop Experience, the Active Directory Domain Services Tools and the Active Directory Federation Services role installed.
  2. An Acceptto account with one or more applications.
  3. User accounts enrolled in the Acceptto dashboard.
  4. The Acceptto It’sMe™ application installed on each user's mobile phone.

Create an Application

Step 1 – Create an application in the Acceptto management dashboard

Follow this guide to create an Application. Create a new Acceptto application and give it a memorable name, for example “ADFS login with Acceptto Multi-Factor Authentication”. Note: if you do not plan to expose ADFS externally, such as behind a proxy, configure the callback URL to point to https://mfa.acceptto.com. You can also create multiple applications to cover different relying parties. After creating the Application, select Details and note the UID and Secret; you will need these values in step 2.

Once the application is created, add usernames to it by selecting the “Usernames” control. Add the usernames and email addresses of the users who will log in through ADFS.

Installation

Step 2 – Install the Acceptto ADFS MFA adapter on each Active Directory Federation Services server that will use MFA.

  1. Log in to the Active Directory Federation Services server.
  2. Run the Acceptto ADFS MFA adapter installer, “Acceptto ADFS MFA adapter.exe”.
  3. In the installation dialog, provide the UID and Secret recorded when you created the application in step 1. Treat the Secret as a credential: it lets the adapter act on behalf of your application, so do not leave it in scripts or shared notes.
  4. Repeat this step on each ADFS server in the farm.
Enable MFA
  1. Before enabling Multi-Factor Authentication, verify that you can log in to the ADFS server by browsing to https://<FQDN>/adfs/ls/IdpInitiatedSignon.aspx, where <FQDN> is the fully qualified domain name of your federation service, using Windows credentials.
    • Note that the ADFS login uses the user principal name as the username, for example myuser@myrealm.
    • On Windows Server 2016 and 2019 the IdP-initiated sign-on page is disabled by default; enable it with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true, and consider disabling it again once testing is complete.
  2. Log in to the ADFS server and, in Server Manager, select Tools > AD FS Management.
  3. In the AD FS Management console, select Access Control Policies and create a new policy. In this policy you can require Multi-Factor Authentication for certain groups of users, devices, or a combination of rules. In this example we created a policy called Acceptto MFA that permits only members of the group Example\MFAUsers and requires Multi-Factor Authentication.
  4. Still in the AD FS Management console, select Relying Party Trusts and select the default Relying Party Trust you configured during the initial setup of ADFS, or another suitable Relying Party Trust.
  5. Edit the access policy of that Relying Party Trust by selecting “Edit Access Policy…” on the right side of the console and choosing the Access Control Policy created in step 3. This configures the Relying Party Trust to require Multi-Factor Authentication.
  6. Navigate to https://<FQDN>/adfs/ls/IdpInitiatedSignon.aspx (or the URL of the Relying Party) and log in with the user's credentials. The user is now required to complete Multi-Factor Authentication with the Acceptto It’sMe mobile application before access is allowed.
  7. The Acceptto Active Directory Federation Services MFA installation is complete. You can now apply the same Access Control Policy to other Relying Party Trusts to add Multi-Factor Authentication to them.
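The same verification and binding steps, driven from the AD FS PowerShell module instead of the console. This is an added example and not a script from Acceptto; it assumes the adapter has already been installed by the installer (Step 2) and that the "Acceptto MFA" policy was created in the console as described in step 3. The relying party display name and the adapter's provider name are placeholders and must be taken from your own farm.

```powershell
# Added example (not Acceptto's own script). Run in an elevated PowerShell
# session on one server of the ADFS farm; configuration is farm-wide.
Import-Module ADFS

$rpName      = 'Example Relying Party'   # ASSUMPTION: display name of your Relying Party Trust
$policyName  = 'Acceptto MFA'            # policy created in the console (step 3)
$adapterName = 'AccepttoAdfsAdapter'     # ASSUMPTION: use the Name shown by Get-AdfsAuthenticationProvider

# Step 1: the IdP-initiated sign-on page is off by default on Server 2016/2019.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

# Step 2 check: the installer should have registered the adapter as an
# authentication provider. If it is missing, nothing below can require it.
$provider = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $adapterName }
if (-not $provider) {
    Get-AdfsAuthenticationProvider | Select-Object Name, AdminName | Format-Table -AutoSize
    throw "Adapter '$adapterName' not registered on this farm; pick its Name from the list above."
}

# Make the adapter available as an additional (MFA) provider without
# removing providers that are already enabled.
$enabled = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
if ($enabled -notcontains $adapterName) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($enabled + $adapterName)
}

# Step 3 check: the access control policy must exist before it can be bound.
$policy = Get-AdfsAccessControlPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $policy) {
    throw "Access control policy '$policyName' not found; create it in AD FS Management first."
}

# Steps 4-5: bind the policy to the relying party trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $policyName

# Step 6 check: confirm the binding took effect before testing in a browser.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($rp.AccessControlPolicyName -ne $policyName) {
    throw "Relying party '$rpName' is not using policy '$policyName'."
}
"Relying party '$rpName' now requires MFA via policy '$policyName'."

# Step 7: the same binding can be applied to any other relying party trust:
#   Set-AdfsRelyingPartyTrust -TargetName '<other RP>' -AccessControlPolicyName $policyName
```

Leave the IdP-initiated sign-on page enabled only as long as you need it for testing; it is a public login form, and turning it back off (`Set-AdfsProperties -EnableIdpInitiatedSignonPage $false`) removes one place where credentials can be tried against the farm.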
Support

If you require assistance, please email us at support@acceptto.com