AD FS MFA Plugin
The AmZetta AD FS pluggable module supports relying parties that use Microsoft’s WS-Federation protocol as well as SAML 2.0 federated logons for cloud based SaaS apps like Office 365, Google G Suite, AWS Console Access, Github, Nextcloud, Salesforce and Intranet Web Apps which supports SAML 2.0.
- Preconfigured AD FS Server with Public DNS name and Valid SSL Certificate
- zGateway with Public DNS name and Valid SSL Certificate
- AmZetta AD FS Plugin Module
- Install zMFA SSL Certificate in PFX format to AD FS Server
- Admin Access to AD FS Server to run PowerShell script
- Download, Copy, and Extract AmZetta zMFA Package to “c:\” directory of AD FS Server.
- Install zMFA PFX certificate on AD FS Server. (If Wildcard SSL Certificate is being used on both zGateway and AD FS Server then skip this step)
- Open MMC and export the zMFA certificate as “Base-64 encoded X.509(.CER) and save in package directory of AD FS Server as “sslcert.cer”.
- Update configuration file for “SecondFactorEndpoint : MFA Server Endpoint”, “ServiceProvider : AD FS Server”, IdentityProvider : zGateway”.
- Launch Windows PowerShell with Admin rights on AD FS Server and change the directory to the package location.
- To install the AmZetta zMFA Plugin, run the powershell file found in the package in a windows Powershell on the AD FS Server.
- Once the installation is completed, keep the signing certificate and password for installing the plugin on all AD FS farm servers.
For AD FS 2012 R2:
Launch the AD FS Management console on your primary AD FS internal server. Navigate to AD FS > Authentication Policies and click the Edit Global Multi-Factor Authentication… action, or click on the Edit link under Multi-Factor Authentication > Global Settings.
For AD FS 2016/2019:
Launch the AD FS Management console on your primary AD FS server and navigate to AD FS > Service > Authentication Methods.
- Click the Edit link under Multi-Factor Authentication Methods or click Edit Multi-Factor Authentication Methods… action on the far right.
- Check the box next to the AmZetta zMFA for AD FS authentication method to enable AmZetta zMFA plugin and then apply and press OK.
- Open AD FS > Relying Party Trusts, right-click the relying party trust, then select Edit Access Control Policy.
- Pick a policy for the relying party that includes zMFA and then click OK. The zMFA policy immediately applies to the selected relying party.
This configuration will allow Office 365 Login with AD FS authentication followed by multi-factor authentication before accessing the application.
In an advanced multi-factor scenario, you can choose intranet and/or extranet location requirements, along with other conditions for access. Refer to the Microsoft article Access Control Policies in Windows Server 2016 AD FS for more information.
Allowing Relying Party Access
- Login with a digital certificate into zGateway using a Security Officer Account.
- Create a HTTPS Application as below with SAML configurations.
- Create Access Control Policy.
All Logs for the AmZetta zMFA Plugin will be logged in the Windows Event Viewer:
Start > Event Viewer > Applications and Services Logs > AmZetta zMFA Plugin
Sign In using AmZetta zMFA
After enabling the zMFA to Relying party apps zMFA can be tested by Accessing Service Provider URL.
Login Flow for Service Provider will be Web Application > AD FS authentication > zMFA Page Verification > Redirect to Application post successful Authentication.
- Go to https://office.com and select “Sign In” to Test your Setup.
- Enter your e-mail address and click on Next. You will be redirected to your AD FS server for Primary Authentication.
- Enter Domain Credentials and select “Sign In” for Primary Authentication.
- The Multi-Factor Authentication will be shown to End-User as per the configured Token Type.
- Push notification POP up will be displayed on End-User Device to either Authorize or Reject.
- After Successful Authorization Office 365 can be accessed by the End-User Device.