Acceptto MFA for Salesforce using AD FS

Introduction

Multi-factor authentication (MFA) is an extra layer of security used when logging into websites or apps in which individuals are authenticated through more than one required security and validation procedure that only you know or have access to. Acceptto integrates Salesforce.com with Active Directory for single sign-on (SSO) MFA provisioning. SSO refers to the technology for the user authentication process that allows access to multiple applications with one set of user credentials. Cloud SSO has become desirable as more companies adopt applications using multiple cloud services. But providers must not jeopardize security. Acceptto MFA ensures customers and providers use convenience of cloud SSO without its potential security risks. Acceptto adds multi-factor authentication for Salesforce.com via the Acceptto AD FS MFA authentication provider.

Initial Steps
  1. Sign up for an Acceptto account here, download the It’sMeTM mobile app and sign in with your account.
  2. From an Organizational Admin account, log in to the Acceptto Admin Panel and navigate to Applications.
  3. Click the New Application button to make an application for protecting the AD FS and get your UID and Secret codes (See Setting Up for help).

  4. Treat your UID and Secret code like any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

  5. Once the application is created, add usernames to the application by selecting the control “Usernames”. Add the usernames and emails of the users that are going to be logging in using AD FS.
  6. Download the Acceptto AD FS MFA authentication provider. Please contact support@acceptto.com for the download link.
  7. Install “Remote Server Administration Tools” feature on the AD FS server.
Install Acceptto AD FS MFA Authentication Provider
  1. Run the Acceptto AD FS MFA authentication provider as a user with administrator privileges on each of your AD FS servers.
  2. Enter your UID and Secret code that you obtained in the Initial Steps when you created the application and finish the installation. Then, restart the server.
Configure AD FS Multi-factor Authentication
  1. Launch the AD FS Management console on your server. Expand AD FS, click Authentication Policies and then click the Edit Global Multi-factor Authentication.

  2. On multi-factor tab, check the box next to the Acceptto Authentication Provider and click ok.

  3. You need the following information, which can be accessed in Service | Endpoints | Metadata, to configure Salesforce at the next section.

  4. AD FS metadata URL (can be used for automatic configuration of Service Provider in Salesforce.com)
    https://AD FS FQDN/FederationMetadata/2007-06/FederationMetadata.xml


    AD FS SAML 2.0 URL (Identity Provider Login URL in Salesforce.com) https://AD FS FQDN/adfs/ls/


    ADFS trust URL (Issuer Address in Salesforce.com) http://AD FS FQDN/adfs/services/trust


    Salesforce Custom Domain and Configuration

    Salesforce SSO requires a custom domain. If you don't already have a domain for your organization, create one and enable SSO on it.

    1. Sign in to your Salesforce site as an administrator and type My Domain in quick find box located on top-left corner of the page. Then, create a subdomain.


    2. Sign out and back in as an administrator using your new domain. Navigate back to the "My Domain" page and click the Deploy to Users button.
    3. Type Single sign-on in quick find box and click on it.


    4. On the Single Sign-On Settings page, click Edit and check the SAML Enabled box to enable the use of SAML Single-Sign On, then click Save.


    5. Click the New SAML Single Sign-on Settings button.


    6. Enter the following (unless otherwise noted, leave the default values as-is) and click Save.

    7. Name: Enter a name

      SAML Version: 2.0

      Issuer: http://adfs2.lab.acceptto.com/adfs/services/trust [change “adfs2.lab.acceptto.com” to your ADFS FQDN]

      Identity Provider Certificate: Browse and select the token-signing certificate you exported from your ADFS server (Note that a self-signed certificate is not accepted by Salesforce. Use a valid certificate and make sure you removed any self-signed certificate from Certificate section of your ADFS management console).

      Request Signing Certificate: Select as default or a self-signed certificate you created earlier at your salesforce domain.

      Request Signature Method: RSA-SHA-1

      SAML Identity Type: Assertion contains the Federation ID from the User object

      SAML Identity Location: Identity is in the NameIdentifier element of the Subject statement

      Service Provider Initiated Request Binding: HTTP Redirect

      Identity Provider Login URL: https://adfs2.lab.acceptto.com/adfs/ls/ [change “adfs2.lab.acceptto.com” to your ADFS FQDN and be sure to insert a slash at the end of the URL]

      Custom Logout URL: You can configure a URL to which the user is sent after logging out; for example https://acceptto.com/

      API Name: Enter an API name of your choice

      Entity ID: https://acceptto-dev-ed.my.salesforce.com [Change “acceptto-dev-ed” to your custom domain name]

    8. Download metadata file to import in AD FS for creating the Salesforce relying party at the next section.
    9. Type my domain in quick find box and click on it. In the “authentication configuration” click Edit.
    10. In the Authentication Service, check the box next to the Acceptto instance you’ve set up in single-sign on settings.
    11. Now, when you go to your Salesforce custom domain, a webpage like the following will be shown:
    12. Type users in quick find box and click on it. Then, Edit users who should be authenticated with Acceptto MFA for cloud SSO.
    13. Set the Federation ID to the user’s Acceptto It’sMe account.
    Create and Configure Salesforce Relying Party in AD FS
    1. Launch the AD FS Management console on your server. Click Action and then Add Relying Party Trust.
    2. Click Next and import your Salesforce metadata file which you downloaded in the previous section.
    3. Set a Name and click Next and continue with the defaults.
    4. At finish window, ensure the box is checked and click close.
    5. A new window comes up. Click Add Rule and continue as the following pictures. We are going to send the email address of our Active Directory users (which is our user’s Acceptto It’sMeTM account, too) to Salesforce as Name ID (Which is our user’s Salesforce Federation ID).
    6. At the Relying Party Trusts of AD FS management console, click on your Acceptto Salesforce relying party. In the Advanced tab, change the secure hash algorithm to SHA-1.
    7. Expand Authentication Policies. Click Per relying Party Trust and Right-click the relying party where you want to apply Acceptto MFA. Choose Edit custom multi-factor Authentication. On the multi-factor tab, select the ‘Devices’ and ‘locations’ you need and click Ok.
    Test Your Setup

    Open your browser and go to your Salesforce custom domain page.

    Click on your Acceptto MFA link which redirects you to AD FS login page. Log in with your user credentials and note that the user is now requested to perform Multi-Factor Authentication using the Acceptto It’sMe mobile application before access is allowed.

    As you can see, user logged in with its Active Directory credential which is protected with Acceptto MFA instead of a Salesforce account.

    Uninstalling the Acceptto ADFS MFA Authentication Provider

    The Acceptto ADFS MFA authentication provider is a in-process DLL, as such the Microsoft ADFS service needs to be stopped before removing the product. Before you begin please note that when the ADFS service is stopped, the server will not be able to process user authentication to Salesforce.

    1. Select the Windows menu, Administrative Tools, Services
    2. Locate the Active Directory Federation Services service
    3. Select Stop the service
    4. Using the right mouse button select the Windows menu, Programs and Features
    5. Locate the Acceptto Corporation program and select Uninstall.
    6. Once the uninstall is complete, repeat step 1 and 2 and select Start the service.
    7. The uninstall is completed.
    Support

    If you require assistance, please email us at support@acceptto.com

    Sales

    Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.

    Disclaimer

    All product names, trademarks, and registered trademarks are the property of their respective owners.

    All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks, and brands does not constitute endorsement by the Acceptto Corporation.

    Salesforce is are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.