Microsoft AD FS (Active Directory Federation Services) is the identity and access management software installed on the Microsoft Windows server. It uses SAML 2.0 and WS-Federation protocols to enable a secure exchange of identity information, attributes, and authentication tokens. As a result, Microsoft AD FS, provides single sign-on (SSO) and identity management, allowing authorized users to access multiple applications located on-premise or in the cloud.

By integrating ​Akamai MFA​ with Microsoft AD FS, you provide users with strong, two-step authentication to protected resources.

See this diagram that presents a conceptual model of the authentication process. For clarity reasons, some traffic flows are not covered.

📘

This authentication process refers to users who are enrolled in ​Akamai MFA​.

1. The user attempts to access a protected enterprise application.

2. The application server sends the authentication request to the Windows server.

3. The Windows server validates user credentials against AD FS.

4. AD FS using the ​Akamai​ plug-in confirms that the primary authentication succeeded.

5. A connection is established over the TCP port 443, and the user is redirected to ​Akamai MFA​.

6. ​Akamai MFA​ challenges the user with secondary authentication.

7. The user confirms their identity using the selected secondary authentication method.

8. ​Akamai MFA​ redirects the user to the Windows server.

9. The Windows server redirects the user to the application server.

10. The user gains access to the application.

Prerequisites

• This integration has been tested on Microsoft AD FS on Windows Server 2016. You should have an installed, configured, and working instance of AD FS on Windows Server 2016.

• This integration communicates with ​Akamai MFA​ on TCP port 443. Make sure that your firewall allows outbound connections to the host you specify when you set up the integration. You can achieve this by setting up a firewall policy that allows connections to the appropriate CIDR (Classless Inter-Domain Routing) blocks. The following csv file provides the relevant CIDR blocks for the ​mfa.akamai.com​ host: ​Akamai MFA​ CIDR blocks list.

📘

Your <API Host> is available in the ​Akamai MFA​ Integrations configuration page.

Add an ADFS integration

Follow this procedure to generate your integration credentials in ​Akamai MFA​ that you have to provide in the following step to enable the communication between AD FS and ​Akamai MFA​.

1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.

2. Click Add integration (+).

3. In Integration Type, select the ADFS.

4. In Name, enter a unique name for your ADFS integration.

5. Click Save and Deploy.
   You’ve just generated your API Host, Integration ID, Verifying Key, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be copied anytime and used in the following steps to configure the integration with ADFS.

📘

Your Signing Key should be kept completely secret like any other password or secret key credential.

Install the AD FS plug-in for ​Akamai MFA​

Follow these steps to run the AD FS plug-in for ​Akamai MFA​ and enable communication between the Microsoft AD FS and ​Akamai MFA​.

1. Download the AkamaiMfaAdfsAdapter.msi installation package.

2. Open Command Prompt as administrator.

3. Launch the installation of the package using the following command msiexec.exe /i <path to AkamaiMfaAdfsAdapter.msi>.
   The installation prompt displays. Follow the on-screen instructions to install the AkamaiMfaAdfsAdapter.msi package.

4. In the installer welcome dialog, click Next.

5. In the installer configuration dialog, enter the API Host and your authentication credentials copied in the previous step from the ​Akamai MFA​ integration page. Click Next.

6. Click Install to start the installation.

7. When the installation is completed, click Finish.

8. Verify if there are no errors or red texts in the Powershell output to confirm that the installation was successful.
   You've just installed the ADFS plug-in for ​Akamai MFA​.

Configure ​Akamai MFA​ as a multi-factor authentication method

Follow this instruction to configure Microsoft AD FS to redirect to ​Akamai MFA​ for the secondary authentication. With these settings, you'll also enable ​Akamai MFA​ to receive and return authentication requests from the ADFS.

1. Log in to the ADFS management console.

2. In the ADFS management console, select ADFS > Service > Authentication Methods.

3. In Multi-factor Authentication, click Edit.

4. In the Edit Authentication Methods dialog, select ​Akamai MFA​. This enables ​Akamai MFA​ as the secondary authenticator.

5. Click Apply, and next OK.
   You've just configured ​Akamai MFA​ as a multi-factor authenticator.

Now, let's update the existing access control policy by applying ​Akamai MFA​.

6. In the ADFS management console, select ADFS > Access Control Policies.

7. Check settings for the access control policy that you want to apply, for example, Permit everyone and require MFA policy. Make sure that this policy is assigned to all configured user and group accounts.

8. In the ADFS management console, select ADFS > Relying Party Trust.

9. Right-click the selected relying party for which you want to enable ​Akamai MFA​, and select Edit Access Control Policy.

10. In Edit Access Control Policy, select an access control policy that requires multi-factor authentication. For example, Permit everyone and require MFA policy.

11. Click Apply and, next, OK.
    You've just applied ​Akamai MFA​ as your second factor to the selected relying party.

Test your ADFS configuration

Follow this instruction to verify your ADFS configuration. With those steps, you can also test the end users' login experience when they attempt to access a protected application.

📘

Use the username and password of the user that has already been enrolled to ​Akamai MFA​ and whose device has been activated.

1. Log in to any application with a Relying party setup. You are redirected to the ADFS login page.

2. Complete the AD FS primary authentication.

3. Upon successful authentication, you are redirected to ​Akamai MFA​ for the secondary authentication. Select an authentication method on the authentication prompt. For example, click Send me a Push.

4. Go to your enrolled mobile device, open the authentication request and approve it.
   You are redirected to the previously required application.